The Service Organization Control Reporting (SOCR) services enable entities to provide trusted communications focused on internal controls to customers (and their external auditors), investors, management, regulators and other stakeholders. These services efficiently address service organizations’ customer needs for trusted risk-based information.

• SOC 1 helps entities (service organizations) that operate information systems and provide business process services supporting financial reporting, build trust and confidence in their delivery processes and controls through a report they can deliver to their customers and customers’ external auditors.

• SOC 2/3 help entities meet the needs of a broad range of users that require information and assurance about the controls at the entity that affect the security, privacy, confidentiality, availability and processing integrity of entity’s systems.

• SOC for Cyber helps entities meet the needs of a broad range of users that require information and assurance about an entity's enterprise-wide cybersecurity risk management program.

• SOC for Supply Chain helps entities meet the needs of stakeholders that require information and assurance about an entity's system and controls for producing, manufacturing, or distributing goods to better understand the risks in their supply chains.

EY teams also provide pre-assessment services for a draft subject matter such as a system description prior to the performance of a limited or a reasonable assurance engagement (e.g., SOC report).

Agreed Upon Procedures (AUP) services help entities communicate independent results of controls testing or other procedures agreed upon between the entity and third-party recipients of the report. AUP engagements allow entities to communicate independent factual findings on control testing or other procedures to third-party recipients of the AUP report. EY teams present and report on a set of procedures that entities and the specified third party report users agree to, and the related findings resulting from the procedures.

ISAE 3000 reports on audit-related procedures that the auditor, entity and any appropriate third parties have agreed to (related to nonfinancial information):

• ISAE 3000 control testing – the capability to perform the procedures and control testing, leading to an assurance report (in accordance with the ISAE 3000 standard)

• ISAE 3000 implementation support and training – the capability to provide training on the execution of procedures, leading to an assurance report (in accordance with the ISAE 3000 standard)

The ISO Management System Certification, Implementation and Training services provide implementation and certification of a management system according to ISO standards and other established certification frameworks.

EY CertifyPoint B.V., an EY entity founded in 2002, is an accredited, independent, and impartial certification institute headquartered in the Netherlands. Through EY CertifyPoint, EY teams provide Lead Implementer and Lead Auditor courses, including certification of entity personnel for several ISO standards.

EY teams support entities in meeting their goals by improving the efficiency and effectiveness of their management systems. EY teams keep the business at the center, identifying areas of redundancy, bottlenecks and potential efficiency gains by means of a systematic and independent certification approach against a globally recognized standard.

The following standards are addressed:

• ISO 9001: Quality Management System

• ISO 14001: Environment Management System

• ISO/IEC 20000-1: IT Service Management System

• ISO 22301: Business Continuity Management System

• ISO/IEC 27001: Information Security Management System

• ISO/IEC 27017: Cloud Security Controls

• ISO/IEC 27018: Protection of Personally Identifiable Information in Cloud

• ISO/IEC 27701: Privacy Information Management System

• ISO 37001: Anti Bribery Management System

• ISO/IEC 42001: Artificial Intelligence Management System

• ISO 45001: Occupational Health and Safety Management System

• ISO 50001: Energy Management

• World Lottery Association (WLA) assessments

• CSA STAR certification

• NEN 7510-1: Health Information Security Management System

• Hébergeur de Données de Santé (HDS)

• Multi-Tier Cloud Security (MTCS - Singapore)

• GDPR assessment

• CISPE Code of Conduct accredited monitoring body

• Integrated approach with ISAE3402, SOC and other attestation reports, such as a combination of ISO/IEC 27001:2013 with ISAE3402

A system and process assessment includes an assessment of internal control as part of an upgrade or an implementation of an ERP (e.g., SAP S/4HANA), an application or a process. These services provide an independent assessment of an entity’s current state or a documented future state internal control to provide leading practice recommendations for management’s consideration. A system or a process upgrade or an implementation assessment helps the entity to:

• Obtain confidence that internal control considerations are adequately addressed.

• Understand complex business processes.

• Identify new risks and control gaps introduced by changes to process or technology and remediation recommendations based on leading practices.

• Enable the entity to take advantage of new capabilities that allow better leverage of investment in new process or technology, including opportunities for process automation and improvement, and GRC. integration, reporting and continuous control monitoring.

A pre-assessment of a draft subject matter such as a system description prior to the performance of a limited or a reasonable assurance engagement (e.g., SOC report), helps the entity to:

• Understand how to apply the evaluation criteria to the subject matter 

• Understand the disclosure requirements for the subject matter information (e.g., management’s description for a SOC report)

• Understand procedures performed to assess the subject matter information and/or controls

IT Compliance and Regulatory Assurance services help entities understand, prepare for, and report to address rapidly evolving laws, regulations and professional standards. These services help an entity more sustainably and efficiently address regulatory and sector-specific (e.g., Government, Healthcare, Financial Services) technology compliance requirements. Examples include helping entities comply with requirements related to:

• AI regulations (e.g., AI Act)

• Cyber security (e.g., Cyber Resilience Act, Cybersecurity Maturity Model Certification, Network and Information Security (NIS2) Directive)

• Data security (e.g., Data Act)

• Digital resilience (e.g., Digital Services Act, Digital Markets Act, Digital Operational Resilience Act)

• Sector-specific requirements (e.g., HITRUST, SWIFT, TISAX)

• Data and IT controls in ESG reporting

We offer a detailed maturity assessment of your AI governance, risk and control mechanisms. Conducted against our Responsible Framework and leading practices, we provide you with a roadmap to build confidence and trust in your AI systems across the AI lifecycle.

We offer detailed AI pre-assessment and attestation services to assess alignment with different regulatory mandates, such as the EU’s DSA and DMA, and voluntary standards such as the ISO 42001 and the NIST Risk Management Framework.

Our AI crisis management framework combines Crisis Management, Digital Forensics, Incident Response and Investigations to manage incidents of AI misconduct and to respond to regulatory requests. We can also help you prepare for such events to build trust in AI.

We use gamification for board members to stimulate thinking about AI governance and AI-related crisis preparation. This interactive session simulates a high-stakes AI crisis, fostering strategic board-level discussions and robust risk management.