System and Organization Controls (SOC) reports and other attestation services

More than just providing assurance, PwC’s attest reporting services can help build trust with your customers, regulators and stakeholders

Build trust. Protect your company’s most critical assets

Reliance on outsourcing to increase profitability and gain efficiencies continues to grow, but so, too, does the trust gap as you share critical data with third parties. More and more customers, business partners and regulators expect to see details about your data protection practices.

Attestation reporting — including, but not limited to SOC reporting — helps build trust with a range of stakeholders. The right types of reporting can demonstrate that appropriate controls are in place — for both your business processes and information technology (IT) — to protect financial and sensitive client data.

Many traditional industries, such as IT infrastructure, payroll processors and loan servicers within financial services, have for years relied on SOC 1 reports to demonstrate that they have proper controls in place. Increasingly, a wider set of industries, such as FinTech and tech-enabled logistics companies, are also relying on SOC reporting. It offers a cohesive, repeatable process in which companies can assess once and then report out to many stakeholders.

SOC and other attestation reporting can help:

  • drive trust and transparency with internal and external stakeholders
  • increase efficiencies while reducing compliance costs and time spent on audits and vendor questionnaires
  • meet contractual obligations and market concerns through flexible, customized reporting
  • proactively address risks across the organization

Ready to begin your attestation reporting journey?

Ways we can help

PwC Digital Assurance and Transparency professionals can bring experience and insight to your reporting process. By navigating the complexities of SOC and other attestation reporting with the help of a skilled and independent auditor, you can obtain the following:

  • A SOC readiness assessment aligned to the relevant attestation framework, including recommendations for improvement and identification of potential gaps prior to a SOC examination.
  • A SOC report you can share with customers and other auditors to provide transparency into your control environment.
  • A customized SOC report (SOC 2+) that meets specific industry or customer requirements, such as NIST, HITRUST or GDPR.
  • Additional attestation reporting solutions tailored to your specific needs (see below).

Which attestation report is right for your business?

Our professionals can help you select the reporting option and scope that fits your needs. You may want to limit the initial scope of your reporting effort to a set of specific controls, based on what is most important to customers. Over time, you can always expand the scope of your reporting to include a broader range of controls as needs evolve.

SOC reporting options include:

The cornerstone of trust in financial reporting

A SOC 1 report focuses on outsourced services that could impact a company’s financial reporting. By providing a SOC 1 report from the third party, companies can effectively communicate information about their risk management and controls framework to multiple stakeholders. SOC 1 reports are ideally suited for businesses that handle financial or non-financial information for their clients that impacts the customers’ financial statements or internal controls over financial reporting, such as IT infrastructure providers, payroll processors, plan recordkeepers, investment advisors, custodians and loan servicers. SOC 1 reports are often provided to service organizations, customers and their auditors.

Helping companies report on internal controls beyond financial reporting

A SOC 2 report can play an important role in oversight of the organization, vendor management programs, internal corporate governance and risk management processes and regulatory oversight. SOC 2 builds upon the required common criteria (security) to address one or more of the AICPA trust services principles, including: availability, confidentiality, processing integrity, and privacy. SOC 2 reports are often applicable for businesses with sophisticated customer relationships and those offering digital services.

An integrated option for operational controls attestation reporting

While SOC 2 reports provide a powerful tool, some companies need to provide additional transparency relating to industry-specific regulations and requirements. Examples include:

  • HITRUST: Born out of the regulatory imperative to secure Protected Health Information (PHI), the HITRUST CSF offers a certifiable framework covering many different security and privacy related imperatives.
  • General Data Protection Regulation (GDPR): European Union law on data protection and privacy.
  • National Institute of Standards and Technology (NIST) framework: for mitigating cybersecurity risks, required for contractors and subcontractors working with the federal government.

These are just a few examples. Contact us to discuss the SOC 2+ alternatives relevant to your industry.

Custom attestation reporting solutions

A range of circumstances can require having an independent and qualified third party attest to company-specific operational standards or system controls. Clients and other stakeholders may need assurances that you are protecting their data, collateral or other assets you have been entrusted with. PwC can help through customized attestation reporting solutions tailored to your specific requirements. Some examples include:

SWIFT attestation

Complying with the Society for Worldwide Interbank Financial Telecommunication (SWIFT) network’s Customer Security Programme (CSP) has grown increasingly complex for many financial services companies. SWIFT’s measures to detect and prevent fraud and implement mandatory security controls for electronic transfers have continued to evolve.

PwC can assist with a range of SWIFT attestation services including:

  • Advising on the latest SWIFT security architecture requirements, completing a readiness assessment and helping remediate any control gaps.
  • Assisting management with its annual self-assessment of SWIFT security control requirements.
  • Satisfying the annual independent assessment now required.

PwC has extensive experience with SWIFT as we have been performing an annual review of SWIFT under the internationally recognised ISAE 3000 standard for over 10 years. Contact us to discuss your needs and explore the range of solutions PwC offers related to SWIFT CSP compliance.

Viewership data attestations

The restructuring of compensation and bonuses paid to talent by content streaming services has led to an increased need for trust and transparency for the calculation of key metrics that drive these payouts.

PwC works with streaming services to develop custom attestation reporting solutions that can:

  • Provide assurance to talent regarding the ranking of individual series.
  • Eliminate the traditional industry standard of multiple audits initiated by talent.
  • Attest to series’ rankings.
  • Provide transparency for streaming service metrics and related calculations.

We have also developed viewership data project accelerators and a field-tested methodology to help streaming services structure and gather viewership data to meet the trust and transparency needs of a range of stakeholders. Contact us to discuss your requirements.

Ongoing project management: SOC and External Certification Optimization (SECO)

Demands for increased transparency into internal controls can become a significant burden, involving multiple reports and certifications that require careful coordination and oversight. Our integrated SECO program can help you mitigate reporting costs, lessen the impact on revenue-generating personnel, and build trust with stakeholders.

SECO helps you:

  • Develop formal SOC and external certification strategy, project plans and schedules
  • Track and monitor progress
  • Assist in working with external auditors
  • Coordinate stakeholder interaction
  • Identify areas for improvement

Contact our DAT professionals to explore PwC’s SECO solutions.

Contact us

Todd Bialick

US Digital Assurance and Transparency Leader, PwC US

Jay Schaldecker

Digital Assurance and Transparency Partner, PwC US

Carolyn Holcomb

Privacy Assurance Leader, ESG Partner, PwC US

Kevin O’Connell

ESG Trust Solutions Leader, PwC US