Skip to main content

IT Outsourcing


Organizations (user organizations) engage service providers (service organizations) to perform IT service, such as managed services, SaaS/IaaS/PaaS-providers or datacentres. These services include the collection, processing, organizing, transmitting and storage user organization information. The user organizations expose themselves to additional risks associated with IT systems utilized by the service organization to deliver these services. A SOC 2 | ISAE 3000 report provides assurance and information on risk management and control over additional risks associated with IT systems.

SOC 2 or SOC 1 reporting?

An SOC 1 | ISAE 3402 reports focusses on controls at a service organization that relate to processes and functions that impact financial reporting. A SOC 1 | ISAE 3402 is not likely to provide sufficient assurance to management of a service organization on the operating effectiveness of risk management and control over the full spectrum of risks related to outsourced services. Outsourced services generally have a significant broader scope than financial processes only.

The content of a SOC 2 report

A SOC 2 report has the flexibility to cover one, some or all of the five Trust Service Principles - security, availability, processing integrity, confidentiality and privacy. The service organization generally agrees with the user organization which principles are relevant for the services provided and should be in scope of the SOC 2 report. These principles form the basis of the service organizations’ risk management framework. A SOC 2 report contains at least four sections; Section I is the independent auditor's assurance report, Section II is the management’s assertion, Section III is thedescription of the service organization’s system, and Section IV includes the controls and detailed description of tests performed by the service auditor of the operating effectiveness of the service organization’s controls, and results of tests performed. The results enable the user entity’s management to assess, mitigate and report on risks associated with outsourced services.

Risk framework

The management description contains a general description of the risk control framework, this includes the control environment, a description of risk assessment procedures, the control framework (generally in the form of a control matrix), the communication procedures and systems and the monitoring of the control framework. In practice the COSO Internal Control - Integrated Framework (2013) is applied for the management description.

SOC 2 implementation

The implementation of the SOC 2 Trust Services Criteria requires a structured approach to determine the applicable list of risks and controls that are required to achieve SOC 2 attestation. Implementation of the Trust Services Criteria requires at two to three months for a smaller organization. The project planning includes the determination of the control objectives, a Gap analysis, control design and documentation, a readiness assessment and remediation of controls not performing effectively or risks not covered.

SOC 2 costs

User organizations generally require as a baseline position that the service organization should provide an unqualified SOC 2 report, annually. The SOC 2 report should cover all applicable Trust Services Criteria. The reports are generally at the sole expense of the service organization. If the user organization does not accept the general SOC 2 report and requires an leveraged (customer specific), (a part of) the costs are often passed on to the user organization.