Loading…
Menu icon Search icon
Contact us
Mobile filter icon Mobile contact icon
Close iconClose icon DarkLight mode
Services
Employee benefits and pensionsFamily office servicesHelp me with taxHelp with pensions and benefitsHow can I raise funds?How do I start a business from scratch?How should I invest?I have HR or people issuesI need an auditI need corporate finance adviceI need expat tax adviceI need help sharing tipsI want to keep my data safeI'm being investigated by HMRCI'm getting divorcedInternal audit and third party assuranceInternational private clientsProbate and estate administrationRegulatory reporting and advisory servicesValuationsWhat can I outsource?What do I need to do when someone dies?
Sectors
Academies and schoolsArts & culture charitiesFCA regulated businessesHospitality and leisure businessesI need help sharing tipsInternational non-governmental organisations (INGOs)Professional PracticesReal estate and constructionRegulatory reporting and advisory servicesReligious InstitutesSocial businessesTechnology and media businesses
News and insightsOur eventsAbout usMeet our peopleJoin our teamSign up to our mailing list

News – 10.04.24

Form PF: Are you up to speed with the latest developments?

Through this insight we will bring to your attention the main changes in a bitesize manner so that you can stay abreast of the requirements as they may apply to your firm. … Read more

Insight

Tax relief on heritage assets: Am I eligible?

For assets considered to be of national heritage, relief from Capital Gains Tax and Inheritance Tax is available. … Read more

Upcoming event – 29.04.24

Governance code updates and advice for Further Education colleges from Buzzacott and the ESFA

Join Buzzacott and the ESFA for a governance update for further education colleges … Read more

Find us quickly

130 Wood Street, London, EC2V 6DL
enquiries@buzzacott.co.uk    T +44 (0)20 7556 1200

Google map screengrab
On this page
Go to
Top of page
News & insights
Stay in touch
Sign up to our mailing list
LinkedIn
Contact us
Print this page

What is a SOC report and should my company have one?

SOC reports are a core part of internal governance and risk management – but what are they and who are they for? Read on to find out. 

A System and Organisation Controls (‘SOC’) report is an independent assessment of the risks associated with using a service organisation (and other third parties). SOC reports are a core part of internal governance and risk management and can be used to enhance customer relationships by building confidence and trust.

There are different types of SOC reports (SOC 1, SOC 2 etc). SOC 1 reports focus on outsourced services that could impact a company's financial reporting and this is the type of report we’re focusing on in this article.

About the author

Catherine Edwards

+44 (0)207 556 1246
edwardsc@buzzacott.co.uk
LinkedIn

A System and Organisation Controls (‘SOC’) report is an independent assessment of the risks associated with using a service organisation (and other third parties). SOC reports are a core part of internal governance and risk management and can be used to enhance customer relationships by building confidence and trust.

There are different types of SOC reports (SOC 1, SOC 2 etc). SOC 1 reports focus on outsourced services that could impact a company's financial reporting and this is the type of report we’re focusing on in this article.

'SOC' is the most commonly used terminology when referring to internal control's assurance, however there are a number of different reporting frameworks in place: 

  • ISAE3402: The international framework issued by the IAASB
  • SOC 1: The US framework issued by the AICPA
  • AAF 01/20: The UK framework issued by the ICAEW

As part of the engagement, business process and IT controls will be defined and tested. The report itself is signed off by a Service Auditor and can be either a type 1 or type 2 report: 

  • Type 1: Point in time (assurance is provided on the design of controls)
  • Type 2: Over a specified time period (assurance is provided on the design and operating effectiveness of controls)
Who needs a SOC report?

Who needs an internal controls assurance report?

There is currently no statutory requirement, however, they’re commonly performed for the following activities:

  1. Custody;
  2. Fiduciary management;
  3. Fund accounting;
  4. Investment management;
  5. Investment administration;
  6. Pension administration;
  7. Private equity;
  8. Property investment management;
  9. Property investment administration;
  10. Transfer agency; and
  11. Information Technology.

These types of report are often requested by organisations (user entities) that receive significant services from a service organisation. User entities need transparency and assurance that relevant risks are effectively mitigated through appropriate controls.

This is of increasing importance for organisations operating within the financial services sector where there is increased pressure to demonstrate effective and robust control environments due to the rigorous compliance regimes in place.

What are the benefits of obtaining a SOC report?

What are the benefits of obtaining an internal controls assurance report?

Obtaining a SOC/ AAF report differentiates the service organisation from its peers by demonstrating effectively designed control objectives and control activities. In many cases, the report will also satisfy the user auditors’ requirements as well as specific requests from investors or customers.

Who are the users of SOC reports?

Who are the users of these reports?

The users can be both internal and external e.g.

  • Internal management at the service organisation 
  • External parties such as customers (or potential customers), investors or the external auditors of customers.
Get in touch

Get in touch

If you would like to find out more about our controls assurance reporting services, complete the form below. 

Related links
Internal audit and third party risk assurance 1 Audit and assurance services Audit and assurance 2 10 March 2023
Buzzacott named 'Best Audit Firm - Middle Market'
Buzzacott is delighted to have won 'Best Audit Firm - Middle Market' at this year's Hedgeweek European awards… Read more Buzzacott_payroll_services Payroll 4 Buzzacott_Catherine_Edwards Catherine Edwards
Associate Director 5 Gradient_ambient_ Buzzacott _top_20_ accountancy _firm _for _charities _corporates _individuals Contact us 6
© 2018 - 2024 Buzzacott LLP All rights reserved   |   
Sign up to our mailing list    |    Anti-slavery statement
Sitemap   |   Privacy policy   |   ICAEW Diversity Report 2023   |    Accessibility   |   Transparency report   |   Gender Pay Gap Report   |   Diversity and inclusion   |   Cookies   |   Legal
Close iconClose icon backback
Your search for "..."
did not yield any results.
... results for "..."
Search Tags
We use cookies for the best experience on our website and also to analyse web traffic. For more information see our Cookie notice. By clicking accept all you agree to our use of cookies. To alter the types of cookies we use click “Cookie settings”.
Accept all Cookie settings
Our use of cookies

We use necessary cookies to make our site work. We’d also like to set optional analytics and marketing cookies. We won't set these cookies unless you choose to turn these cookies on. Using this tool will also set a cookie on your device to remember your preferences.

For more information about the cookies we use, see our Cookies page.

Please be aware:

— If you delete all your cookies you will have to update your preferences with us again.
— If you use a different device or browser you will have to tell us your preferences again.

Necessary cookies
Always active

Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.

bscookie
1 year
This cookie is used to identify the visitor through an application. This allows the visitor to login to a website through their LinkedIn application for example.
CONSENT
2 years
Used to detect if the visitor has accepted the marketing category in the cookie banner. This cookie is necessary for GDPR-compliance of the website.
cookietest
Session
This cookie is used to determine if the visitor has accepted the cookie consent box.
li_gc
179 days
Stores the user's cookie consent state for the current domain.
PHPSESSID
Expires: Session
Preserves user session state across page requests.
rc::a
Expires: Persistent
This cookie is used to distinguish between humans and bots. This is beneficial for the website, in order to make valid reports on the use of their website.
rc::c
Expires: Session
This cookie is used to distinguish between humans and bots.
test_cookie
Expires: 1 Day
Used by Google Ads to check if the user's browser supports cookies.
wow.schedule
Expires: 1 Day
This cookie is used in context with load balancing - This optimises the response rate between the visitor and the site, by distributing the traffic load on multiple network links or disk drivers.
_GRECAPTCHA
Expires: 179 Days
This cookie is used to distinguish between humans and bots. This is beneficial for the website, in order to make valid reports on the use of their website.
Analytics cookies
Inactive

Analytics cookies help us to understand how visitors interact with our website by collecting and reporting information anonymously.

_clck
Expires: 1 year
Collects data on the user’s navigation and behaviour on the website. This is used to compile statistical reports and heat maps for the website owner.
_clsk
Expires: 1 day
Registers statistical data on users' behaviour on the website. Used for internal analytics by the website operator.
_cltk
Expires: Session
Registers statistical data on users' behaviour on the website. Used for internal analytics by the website operator.
_ga
Expires: 399 days
Registers a unique ID that is used to generate statistical data on how the visitor uses the website.
_ga_#
Expires: 399 days
Used by Google Analytics to collect data on the number of times a user has visited the website as well as dates for the first and most recent visit.
_gid
Expires: 1 day
Registers a unique ID that is used to generate statistical data on how the visitor uses the website.
_hjAbsoluteSessionInProgress
Expires: 1 day
This cookie is used to count how many times a website has been visited by different visitors - this is done by assigning the visitor an ID, so the visitor does not get registered twice.
_hjFirstSeen
Expires: 1 day
This cookie is used to determine if the visitor has visited the website before, or if it is a new visitor on the website.
_hjIncludedInPageviewSample
Expires: 1 day
Used to detect whether the user navigation and interactions are included in the website’s data analytics.
_hjIncludedInSessionSample
Expires: 1 day
Registers data on visitors' website-behaviour. This is used for internal analysis and website optimisation.
_hjRecordingLastActivity
Expires: Session
Sets a unique ID for the session. This allows the website to obtain data on visitor behaviour for statistical purposes.
_hjSession_#
Expires: 1 day
Collects statistics on the visitor's visits to the website, such as the number of visits, average time spent on the website and what pages have been read.
_hjSessionUser_#
Expires: 1 year
Collects statistics on the visitor's visits to the website, such as the number of visits, average time spent on the website and what pages have been read.
_hjTLDTest
Expires: Session
Registers statistical data on users' behaviour on the website. Used for internal analytics by the website operator.
AnalyticsSyncHistory
Expires: 29 days
Used in connection with data-synchronisation with third-party analysis service.
c.gif
Expires: Session
Collects data on the user’s navigation and behaviour on the website. This is used to compile statistical reports and heat maps for the website owner.
CLID
Expires: 1 year
Collects data on the user’s navigation and behaviour on the website. This is used to compile statistical reports and heat maps for the website owner.
hjViewportId
Expires: Session
Sets a unique ID for the session. This allows the website to obtain data on visitor behaviour for statistical purposes.
ln_or
Expires: Session
Registers statistical data on users' behaviour on the website. Used for internal analytics by the website operator.
wow.anonymousId
Expires: 399 days
Registers statistical data on users' behaviour on the website. Used for internal analytics by the website operator.
wow.session
Expires: 1 day
Registers statistical data on users' behaviour on the website. Used for internal analytics by the website operator.
Marketing cookies
Inactive

Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third party advertisers.

#,#
Expires: Persistent
Collects data on user behaviour and interaction in order to optimise the website and make advertisement on the website more relevant.
#,#_expiresAt
Expires: Persistent
Collects data on user behaviour and interaction in order to optimise the website and make advertisement on the website more relevant.
_fbp
Expires: 3 months
Used by Facebook to deliver a series of advertisement products such as real time bidding from third party advertisers.
_gcl_au
Expires: 3 months
Used by Google AdSense for experimenting with advertisement efficiency across websites using their services.
_hjRecordingEnabled
Expires: Session
This cookie is used to identify the visitor and optimise ad-relevance by collecting visitor data from multiple websites – this exchange of visitor data is normally provided by a third-party data-centre or ad-exchange.
_uetsid
Expires: Persistent
Used to track visitors on multiple websites, in order to present relevant advertisement based on the visitor's preferences.
_uetsid_exp
Expires: Persistent
Contains the expiry-date for the cookie with corresponding name.
_uetvid
Expires: Persistent
Used to track visitors on multiple websites, in order to present relevant advertisement based on the visitor's preferences.
_uetvid_exp
Expires: Persistent
Contains the expiry-date for the cookie with corresponding name.
ads/ga-audiences
Expires: Session
Used by Google AdWords to re-engage visitors that are likely to convert to customers based on the visitor's online behaviour across websites.
ANONCHK
Expires: 1 day
Registers data on visitors from multiple visits and on multiple websites. This information is used to measure the efficiency of advertisement on websites.
bcookie
Expires: 1 year
Used by the social networking service, LinkedIn, for tracking the use of embedded services.
IDE
Expires: 1 year
Used by Google DoubleClick to register and report the website user's actions after viewing or clicking one of the advertiser's ads with the purpose of measuring the efficacy of an ad and to present targeted ads to the user.
MUID
Expires: 1 year
Used widely by Microsoft as a unique user ID. The cookie enables user tracking by synchronising the ID across many Microsoft domains.
pagead/1p-user-list/#
Expires: Session
Tracks if the user has shown interest in specific products or events across multiple websites and detects how the user navigates between sites. This is used for measurement of advertisement efforts and facilitates payment of referral-fees between websites.
SM
Expires: Session
Registers a unique ID that identifies the user's device during return visits across websites that use the sam e ad network. The ID is used to allow targeted ads.
SRM_B
Expires: 1 year
Tracks the user’s interaction with the website’s search-bar-function. This data can be used to present the user with relevant products or services.
UserMatchHistory
Expires: 29 days
Ensures visitor browsing-security by preventing cross-site request forgery. This cookie is essential for the security of the website and visitor.
wow.utmvalues
Expires: 1 day
Used to measure the efficiency of the website’s advertisement efforts, by collecting data on the conversion rate of the website’s ads across multiple websites.
_gl.p.p_#
Expires: Persistent
Used by Spotler, our email platform provider, as part of its Gator Leads programme. Provided by t.wowanalytics.co.uk. Currently in the process of being classified.
Cookie management
Use of cookies Necessary cookies Analytics cookies Marketing cookies Allow all Save settings
Use of cookies Necessary cookies Analytics cookies Marketing cookies
Accept all Save settings