Audit of standards SOC1 (ISAE 3402, SSAE-18, IAASB 3402)
An evaluation under the System and Organization Controls 1 (SOC1) standard, which includes the ISAE 3402 and SSAE-18 standards, is an audit of the control system for data processing associated with the preparation of financial statements. The result of the independent evaluation will be an audit report, which allows customers, the client company's auditors and other stakeholders to understand what controls are in place in your organization and how effectively they function.
We can prepare two versions of the SOC1 report:
- SOC1 type 1 report – contains information on the design of control procedures and the results of the internal control system evaluation as of the verification date. This type of report is useful when the organization's internal control system has changed significantly and there is not enough history of its operation to check its effectiveness.
- SOC1 type 2 report – contains information about the design and operational effectiveness of control procedures over a period of time (half a year or more). This type of report removes or significantly reduces the need for the client company’s auditor to carry out additional testing of the control mechanisms in your organization. As a result, you save time, money and resources.
Evaluation of non-financial processes and data according to SOC2 and SOC3 standards
An independent evaluation of non-financial processes and data using the Trust Services principles in accordance with the SOC2 and SOC3 standards (SOC – System and Organization Controls) will give your customers the necessary level of assurance in the quality of the services and products you provide.
The compliance of control mechanisms with the principles of Trust Services is checked, namely the following criteria:
- Processing Integrity,
We can check compliance against certain principles or a combination of them, depending on the client’s need for an independent audit.
SOC2/SOC3 reports can be of two types:
- SOC2/SOC3 type 1 report – contains information on the design of control procedures and the results of the internal control system evaluation as of the verification date. This type of report is useful when the organization's internal control system has changed significantly and there is not enough history of its operation to check its effectiveness.
- SOC2/SOC3 type 2 report – contains information about the design and operational effectiveness of control procedures over a period of time (half a year or more).
Third Party Risk Management program (TPRM)
The Third Party Risk Management (TPRM) program makes it possible to control the types of activities and risks associated with engaging third parties and partners. It helps to identify and hire third parties and partners who are able to comply with contractual and regulatory obligations. At the same time, TPRM contributes to the achievement of the company's financial and operational goals. This process of continuous risk management for the most important external service providers has proved its effectiveness in practice.
At the basic level, the TPRM program makes it possible to reduce vulnerability to risk and to increase the transparency of work performed by third parties. If you need to increase the effectiveness of an existing third-party risk management program or to build such a program from scratch, PwC specialists are ready to offer you the following set of services:
- Diagnostics of the program. Evaluation of current third-party risk management, identification of non-compliance with regulatory requirements and examples of best practices.
- Roadmap (plan) for implementation of transformations. Development of a target-state description and the corresponding roadmap, including the expected effort and costs.
- Building/rebuilding of the function. Design, implementation and management of a new or improved TPRM program.
- Implementation of supporting technologies. Integration of the processes with new or existing technological platforms.
- Stratification of third parties. Determination of the risk connected with outsourced services and third parties; assignment of a grade according to which the organization responds appropriately.
- Evaluation of third parties. On-site evaluation, remote evaluation and self-assessment.
- Program management. Outsourcing or partial outsourcing of the third-party risk management program, including planning, completion, correction, monitoring and reporting.