System and Organisation Controls (SOC) reporting
Building stakeholder confidence through independent assurance
If a stakeholder has asked you to provide an internal controls report or a SOC report, our team has the expertise and experience to guide you through the process. We deliver high‑quality reporting services across the financial services, technology and real estate sectors, helping organisations meet their controls assurance obligations.
Our reports are issued under UK and global standards and we also collaborate with our US Prime Global member firms who can issue SOC reports under US standards if required. We deliver a pragmatic, efficient assurance process that is designed to satisfy stakeholder expectations, while providing meaningful insights that add value.
Who might need an internal controls or SOC report?
Organisations are often asked by clients or investors to provide a controls report if they deliver outsourced services, handle client assets, or operate critical systems - particularly for institutional, regulated or international clients. A SOC report can help demonstrate an effective control environment and build stakeholder confidence. This is typically required by organisations providing services such as:
Financial services and outsourced operations
Custody
Fund accounting and transfer agency
Investment, asset and fiduciary management
Pension administration
Private equity and real assets
Property investment management and administration
Mortgage, loan and credit processing and servicing
Payroll and payment processing
Third-party administration (TPA) and outsourced back-office functions
Technology and other platform providers
Fintech and digital platforms
SaaS, cloud and IT infrastructure solutions
Data, cybersecurity and hosting services
Our SOC reporting services
Operational controls assurance
We provide independent assurance over the controls that support accurate financial reporting and transaction processing. Through a structured assessment of your key business processes and internal controls, we can help you to demonstrate reliability, transparency, and accountability to your clients, investors and stakeholders. These reports are designed to be shared with third-parties and are delivered in accordance with recognised standards, including ISAE 3402 (international) and AAF 01/20 (UK), as well as SOC 1 reporting (US).
Trust and security controls assurance
We provide independent validation of the controls that support information security and data protection. Our reports provide assurance over the controls relating to security, availability, confidentiality, processing integrity, and privacy, helping you demonstrate strong governance and build confidence with customers and partners. We deliver these reports in accordance with recognised standards, including ISAE 3000 (international e.g. ‘SOC 2-aligned ISAE 3000 report’), as well as SOC 2 reporting (US). We can also provide a reduced disclosure SOC 3 report, a public-facing summary report derived from a SOC 2 type 2 engagement.
The reporting process
Our assurance reporting service follows a rigorous process. We work through the process with you collaboratively, providing ongoing support and guidance to help you reach the end goal of obtaining an independent assurance report which can then be shared with third-parties.
Readiness assessment
We begin with a readiness assessment which evaluates how prepared you are for a controls assurance report. This involves a review of your services, control environment maturity, and supporting systems and processes. By assessing your controls against the required criteria and reporting standards, we help identify any gaps that need remediation before formal reporting.
Remediation support
Following the readiness assessment, we help address gaps and enhance your control environment. Working collaboratively with your management team, we provide practical recommendations to ensure controls are properly designed and capable of operating effectively ahead of the reporting period.
Type 1 reporting
Once ready we can provide you with a type 1 report; providing assurance over the design and implementation of controls as at a specified point in time. Type 1 reporting is often used as an initial assurance step for first time reporters or where immediate point-in-time assurance is required.
Type 2 reporting
Once a type 1 report has been completed, we can then provide a type 2 report; extending assurance to include the operating effectiveness of controls over a defined period (typically six to twelve months). Type 2 reporting provides a higher level of assurance to stakeholders and is typically performed annually.
Ongoing support
We will provide you with ongoing support and recommendations throughout the reporting process, helping to promote a system of continuous improvement. This includes ongoing alignment with evolving standards, stakeholder expectations and industry best practice to maintain readiness and reduce risk for future reporting periods.
Why work with us?
A pragmatic approach
Our specialists combine expertise and experience to help you achieve your long-term business objectives.
Effective communication
Through building long-term relationships, we learn about your business and tailor our services to meet all your ongoing needs.
Cross sector expertise
Your goals drive our approach. With insights from diverse sectors, we deliver targeted, high-quality support that helps your business move forward.
Hear from our clients
When looking for an alternative AAF auditor, we were introduced to Buzzacott and have been highly impressed with their ability to work with us, understand our processes quickly and offer proper diligence and challenge throughout their audit. Communication and service throughout has been excellent and our experience has been extremely positive.
Martin Armstrong, Quality Assurance Manager, Gallagher Benefit Services
Buzzacott’s audit team are highly professional and very well organised. As a new client, Buzzacott spent time understanding our business, governance and operating environment, and agreed with us an audit timetable that took account of resource availability and consideration of our clients’ expectations on delivery of the final independent assurance report. The audit included onsite testing at our Edinburgh office, and we were also able to upload testing data to Buzzacott’s secure portal which was very user-friendly. Regular meetings took place throughout the period to ensure progress and to provide thoughtful insight. The independent assurance report delivered was in digital format and the presentation was of a very high standard, meeting the expectations of our sophisticated institutional investor client base. We are very pleased to have engaged with Buzzacott and look forward to retaining their independent assurance services going forward.
Karen Lumsden, Chief Operating Officer, Skerryvore Asset Management Ltd
“We engaged Catherine and the Buzzacott team for our first audited controls report covering Operations and IT. Their in-depth knowledge and vast experience made the whole process seamless from start to finish. The team worked diligently through testing, working with our various outsourced service providers. We are very pleased with the end product – a comprehensive review of our systems and controls.”
Christopher Hart, Chief Operating Officer, Harwood Capital Management
When looking for an alternative AAF auditor, we were introduced to Buzzacott and have been highly impressed with their ability to work with us, understand our processes quickly and offer proper diligence and challenge throughout their audit. Communication and service throughout has been excellent and our experience has been extremely positive.
Martin Armstrong, Quality Assurance Manager, Gallagher Benefit Services
Buzzacott’s audit team are highly professional and very well organised. As a new client, Buzzacott spent time understanding our business, governance and operating environment, and agreed with us an audit timetable that took account of resource availability and consideration of our clients’ expectations on delivery of the final independent assurance report. The audit included onsite testing at our Edinburgh office, and we were also able to upload testing data to Buzzacott’s secure portal which was very user-friendly. Regular meetings took place throughout the period to ensure progress and to provide thoughtful insight. The independent assurance report delivered was in digital format and the presentation was of a very high standard, meeting the expectations of our sophisticated institutional investor client base. We are very pleased to have engaged with Buzzacott and look forward to retaining their independent assurance services going forward.
Karen Lumsden, Chief Operating Officer, Skerryvore Asset Management Ltd
“We engaged Catherine and the Buzzacott team for our first audited controls report covering Operations and IT. Their in-depth knowledge and vast experience made the whole process seamless from start to finish. The team worked diligently through testing, working with our various outsourced service providers. We are very pleased with the end product – a comprehensive review of our systems and controls.”
Christopher Hart, Chief Operating Officer, Harwood Capital Management
Contact us
We are always ready to help you and answer your questions.