IT Outsourcing

Organizations (user organizations) engage service providers (service organizations) to perform IT services, such as managed services, SaaS/IaaS/PaaS providers, or data centres. These services include the collection, processing, organizing, transmitting and storage of user organization information. The user organizations expose themselves to additional risks associated with the IT systems utilized by the service organization to deliver these services. An ISAE 3000 SOC 2 report provides assurance and information on risk management and control over the additional risks associated with those IT systems.

SOC 2 or SOC 1 reporting?

An ISAE 3402 | SOC 1 report focuses on controls at a service organization that relate to processes and functions that impact financial reporting. An ISAE 3402 | SOC 1 report is not likely to provide sufficient assurance to management of a service organization on the operating effectiveness of risk management and control over the full spectrum of risks related to outsourced services. Outsourced services generally have a significantly broader scope than financial processes alone.

Content ISAE 3000 SOC 2 report

An ISAE 3000 SOC 2 report has the flexibility to cover one, some or all of the five Trust Service Principles: security, availability, processing integrity, confidentiality and privacy. The service organization generally agrees with the user organization which principles are relevant for the services provided and should be in scope of the ISAE 3000 report. These principles form the basis of the service organization's risk management framework. An ISAE 3000 SOC 2 report contains at least three sections: management's description of the service organization's system, detailed descriptions of the tests performed by the service auditor on the operating effectiveness of the service organization's controls, and the results of those tests. The results enable the user entity's management to assess, mitigate and report on risks associated with outsourced services.

Risk framework

The management description contains a general description of the risk control framework; this includes the control environment, a description of risk assessment procedures, the control framework (generally in the form of a control matrix), the communication procedures and systems, and the monitoring of the control framework. In practice the COSO ICIF or, preferably, the COSO ERM framework is applied for the management description. This is not a requirement, but professional organizations generally require it from service organizations.

ISAE 3000 implementation

The implementation of the SOC 2 Trust Service Criteria requires a structured approach to determine the applicable list of risks and controls that are required to achieve SOC 2 attestation. Implementation of the Trust Service Criteria typically requires two to three months for a smaller organization. The project planning includes the determination of the control objectives, a gap analysis, control design and documentation, a readiness assessment, and remediation of controls not performing effectively or risks not covered.

Cost ISAE 3000 SOC 2

User organizations generally take the baseline position that the service organization should provide an unqualified ISAE 3000 | SOC 2 report annually. The SOC 2 report should cover all applicable trust services principles, and the reports are generally at the sole expense of the service organization. If the user organization does not accept the general ISAE 3000 SOC 2 report and requires a leveraged report instead, the costs are generally split between the service organization and the user organization.