Third Party Assurance
Organisations increasingly rely on outsourced service providers to operate certain processes and activities on their behalf. As businesses seek assurance that their risks are being mitigated effectively for their own governance purposes, service providers are facing increasing demands from existing and potential customers for assurance that they can rely upon too. This type of assurance can be provided through a Third Party Assurance (TPA) report. A common example of this is a System and Organisation Controls (SOC) report, which provides an independent and objective assessment of an organisation’s controls to users of its services.
BDO's Risk and Advisory Services (RAS) team offers independent assurance and advice over the design and operation of internal control frameworks. We have been carrying out control assurance assessments for many years for a wide range of service providers.
We can provide the following reports:
This report provides independent assurance over the key internal controls at a service organisation which are relevant to the client company’s financials.
An independent assurance report on a service organisation’s controls, based on the American Institute of Certified Public Accountants (AICPA) standards, to cover areas outside of financial reporting.
These reports are based on the Trust Services Criteria, including the five categories of Security, Availability, Processing Integrity, Confidentiality and Privacy.
This is a high level report that covers similar areas to a SOC 2 report, but is intended to be less technical and more user-friendly.
A SOC 3 report can be shared widely and is suitable for marketing purposes.
This is an independent assurance report which utilises a standard method for reporting enterprise-wide cybersecurity risk management.
Agreed Upon Procedures (AUP)
This is a report of findings based on carrying out a specific test or reviewing a particular business process.
It lays out the facts but does not provide an overall opinion.
Benefits of TPA for existing and prospective customers
This overview represents some of the many benefits our customers experience when engaging BDO to provide a TPA report. This enables them to provide attestation to their existing and prospective customers.
Which SOC is Right for You?
SOC reporting allows you to develop trust with your stakeholders by proactively assessing the controls in place to mitigate risk and being transparent about the effectiveness of these efforts.
With all of the SOC reports available, it can be challenging to determine which report best addresses your needs. The key is to consider the risks that your clients are most focused on.
The following summary will help you to choose the right SOC report for your needs:
| | SOC1 | SOC2 | SOC3 | SOC for cybersecurity |
|---|---|---|---|---|
| WHO IS THIS SOC FOR? | | | | |
| A Service Organisation (One that provides services to user entities) | | | | |
| Any Type of Organisation | | | | |
| REPORTS ON AN ORGANISATION’S... | | | | |
| Financial Reporting | | | | |
| Security | | | | |
| Availability | | | | |
| Process Integrity | | | | |
| Confidentiality | | | | |
| Privacy | | | | |
| DISTRIBUTION | | | | |
| Restricted (Users) | 1 | 2 | | |
| Unrestricted (General Use) | | | | |

1 Auditors, Management.
2 Management, User entities, Regulators, Specified parties.
If you’d like to know more about BDO’s SOC reporting services please contact us for more information.