Due to increased international competition, pressure on cost savings and technological development, more and more companies are outsourcing their IT services to service organizations.

Assurance for IT-service organizations

There are several reasons why an IT service organization wants to provide assurance about its services. It may be the management of the service organization itself that wants to know if their service processes are in order. Or they want to use an assurance report to position themselves and pursue a competitive advantage. In reality, it usually turns out that it are the (potential) customers who ask for an insurance report. Parties such as boards of directors and accountants are also increasingly requiring outsourcing organizations to demonstrate the quality of their services. An auditor can do this on the basis of an SOC 2 assurance report.

SOC 2 report with the help of 2-Control

SOC stands for Service Organization Control (report). An SOC 2 report is an assurance report on internal control measures at an IT service organization. This report is intended for the customers of the service organization and their supervisors.

SOC 2 reporting is available in 2 types: 

1. A SOC 2 type 1 Assurance is a report carried out on a specified date and focusses on the way an organization designs their processes and internal controls.
2. A SOC 2 Type 2 Assurance is  a yearly repeated audit, testing the operating effectiveness of these processes and internal controls and relates to a certain period.

A SOC 2-rapport contains the following elements: 

• Management statement
• Independent service auditors' assurance report
• A detailed description of the system or service
• The principles, criteria and performed tests, including the results of testing (optional for a type 1 assurance)
• Optional additional information provided by the service organization which has not been audited by the auditor

Difference with ISAE 3402

In terms of its form, an SOC 2 report is very similar to the well-known ISAE 3402 report, but in terms of content it is more in line with the services provided by IT service organizations. The starting point for an SOC 2 report are not the financial statements, but the Trust Service Principles (TSP).  These are regulations from the United States in the areas of security, availability, process integrity, confidentiality and privacy. An SOC 2 report is much more useful, because it's directly linked to these control objectives that really matter to customers of an IT service organization. 

In the end, the client's demand is decisive for which report is chosen. What does the client ask for and where does the client want certainty about? And for what purpose? An assurance report is never an obligation, but it can lead to more effective cooperation and more trust between supplier and customer.

What can the IT auditors of 2-Control do for you?

2-Control offers IT audit experts who can carry out professional, reliable and affordable audits at short notice. Our IT auditors are members of NOREA, the Dutch organization of Register EDP auditors.

Would you like to have an SOC 2 audit carried out or do you want more information about this statement? Please contact us!