SOC reporting services

Embrace new beginnings with controls that build confidence

Reliance on outsourcing to increase profitability and gain efficiencies continues to grow, but so, too, does the trust gap as you share critical data with third parties. More and more customers, business partners and regulators expect to see details about your practices for safeguarding data. 

Attestation reporting — including, but not limited to, System and Organization Controls (SOC) reporting — helps build trust with a range of stakeholders. The right types of reporting can demonstrate that appropriate controls are in place — for both your business processes and information technology (IT) — to protect financial and sensitive client data.

Many traditional industries, such as IT infrastructure, payroll processors and loan servicers within financial services, have relied on SOC 1 reports for years to demonstrate they have proper controls in place. Increasingly, a wider set of industries like FinTech and tech-enabled logistics companies are also relying on SOC reporting processes. These processes offer a cohesive, repeatable approach so you can assess once and then report out to many stakeholders.

SOC and other attestation reporting can help: 

  • Drive trust and transparency with internal and external stakeholders.

  • Increase efficiencies while reducing compliance costs and time spent on audits and vendor questionnaires.

  • Meet contractual obligations and market concerns through flexible, customized reporting.

  • Address risks across the organization proactively. 


Ready to begin your attestation reporting journey?

How we can help

Our Digital Assurance and Transparency professionals can bring experience and insight to your reporting process. With our skilled, independent auditors guiding you through the complexities of SOC and other attestation reporting, you can obtain:

  • A SOC readiness assessment aligned with the relevant attestation framework, including gap identification and improvement recommendations before a SOC examination.

  • A SOC report you can share with customers and other auditors to provide transparency into your control environment.

  • A customized SOC report (SOC 2+) that meets specific industry or customer requirements, such as NIST, HITRUST or GDPR.

  • Additional attestation reporting solutions tailored to your specific needs (see below).


Which attestation report is right for your business?

Our professionals can help you determine the right reporting option and scope for your needs. To start, you may choose to focus on specific controls that matter most to customers. As your needs evolve, you can expand your reporting scope to cover a broader range of controls.

SOC reporting options include:

The cornerstone of trust in financial reporting

A SOC 1 report focuses on outsourced services that could impact a company’s financial reporting. By providing a SOC 1 report from the third party, companies can effectively communicate information about their risk management and controls framework to multiple stakeholders. SOC 1 reports are ideally suited for businesses that handle financial or non-financial information for their clients that impacts the customers' financial statements or internal controls over financial reporting. Examples include IT infrastructure, payroll processors, plan recordkeepers, investment advisors, custodians and loan servicers. SOC 1 reports are often provided to service organizations, customers and their auditors.

Helping companies report on internal controls beyond financial reporting

A SOC 2 report can play an important role in oversight of the organization, vendor management programs, internal corporate governance and risk management processes and regulatory oversight. SOC 2 builds upon the required common criteria (security) to address one or more of the AICPA trust services principles, including: availability, confidentiality, processing integrity and privacy. SOC 2 reports are often applicable for businesses with sophisticated customer relationships and those offering digital services.

An integrated option to operational attestation controls reporting

While SOC 2 reports provide a powerful tool, some companies need to provide additional transparency relating to industry-specific regulations and requirements. Examples include:

  • HITRUST: Born out of the regulatory imperative to secure Protected Health Information (PHI), the HITRUST Common Security Framework (CSF) offers a certifiable framework covering many different security and privacy related imperatives.

  • General Data Protection Regulation (GDPR): European Union law on data protection and privacy.

  • National Institute of Standards and Technology (NIST): Framework for mitigating cybersecurity risks required for contractors and subcontractors working with the federal government.

These are just a few examples. Contact us to discuss the SOC 2+ alternatives relevant to your industry.


Custom attestation reporting solutions

Some circumstances may require an independent, qualified third party to attest to your company’s operational standards or system controls. You or your stakeholders may need independent assurance that their data, collateral or other entrusted assets are protected. PwC provides customized attestation reporting solutions tailored to your specific needs, including:

SWIFT attestation

Complying with the Society for Worldwide Interbank Financial Telecommunication (SWIFT) network’s Customer Security Programme (CSP) has grown increasingly complex for many financial services companies. SWIFT’s measures to detect and prevent fraud and implement mandatory security controls for electronic transfers have continued to evolve.

PwC can assist with a range of SWIFT attestation services including:

  • Advising on the latest SWIFT security architecture requirements, completing a readiness assessment and helping remediate any control gaps.

  • Assisting management with its annual self-assessment of SWIFT security control requirements.

  • Satisfying the annual independent assessment now required.

PwC has extensive experience with SWIFT, as we have been performing annual reviews of organizations’ SWIFT compliance under the internationally recognized ISAE 3000 standard for over 10 years. Contact us to discuss your needs and explore the range of solutions PwC offers related to SWIFT CSP compliance.

Viewership data attestations

The restructuring of compensation and bonuses paid to talent by content streaming services has led to an increased need for trust and transparency for the calculation of key metrics that drive these payouts.

PwC works with streaming services to develop custom attestation reporting solutions that can:

  • Provide independent assurance to talent regarding the ranking of individual series.
  • Eliminate the traditional industry standard of multiple audits initiated by talent.
  • Attest to series’ rankings.
  • Provide transparency for streaming service metrics and related calculations.

We have also developed tech-enabled solutions for viewership data projects and a field-tested methodology to help streaming services structure and gather viewership data to meet the trust and transparency needs of a range of stakeholders. Contact us to discuss your requirements.


Ongoing project management: SOC and External Certification Optimization (SECO)

Increasing demands for transparency into internal controls can create a significant burden, requiring multiple reports and certifications that demand careful coordination and oversight. Our integrated SECO program can help reduce reporting costs, reduce disruption to revenue-generating teams and strengthen stakeholder trust.

SECO helps you:

  • Develop a formal SOC and external certification strategy, project plans and schedules.
  • Track and monitor progress.
  • Assist in working with external auditors.
  • Coordinate stakeholder interaction.
  • Identify areas for improvement.

Contact our DAT professionals to explore PwC’s SECO solutions.


Contact us

Todd Bialick

US Digital Assurance and Transparency Leader, PwC US

Jay Schaldecker

Trust and Transparency Solutions Leader, PwC US
