Service Organization Controls Reporting (SOCR)

What EY can do for you

Service Organization Controls Reporting (SOCR) brings value both to a service organization and to its customers, who want assurance that a provider’s control environment meets globally recognized standards.

EY is a global SOCR leader, issuing more than 3,000 SOC reports to more than 900 clients each year. We have been helping our clients understand the value and benefits associated with high-quality SOC examinations since 1993. We are also leaders in the technology, financial services and healthcare sectors. We audited almost half of the largest global technology companies and one third of the Russell 3000 health companies, and we worked with nearly all the top 25 global asset managers.

We bring all this experience to help companies address an ever-more complex and fast-changing environment. Customers and regulators are looking for more assurance in areas such as privacy and security, and they expect management to be able to provide answers.

In their turn, management are recognizing an increased dependence on suppliers and partners, and want assurance that these organizations are managing their risks and will continue to be reliable suppliers in the future.

All of this is creating increased demand for independent assurance from companies throughout the supply chain. SOCR helps companies build that trust with their partners by providing an independent opinion on the extent to which their controls are designed to address key risks and allow them to operate effectively.

The benefits of providing independent assurance include:

• Building trust with existing customers
• Demonstrating the quality of controls as part of bidding for new contracts – including building credibility where start-ups are looking to win contracts with larger entities
• Undergoing one audit rather than multiple customer audits
• Focusing on key controls, with the opportunity to challenge other control activities

We provide this assurance to our SOCR clients using a range of globally recognized reporting frameworks, including:

• SOC 1/ISAE3402 for processes related to financial statement reporting
• SOC 2/ISAE3000 for other processes, including privacy and GDPR processes and controls
• SOC for Cybersecurity
• SOC for Supply Chain
• ISO27001 where the need is certification of an information security management system

Sectors where we provide independent assurance, in both private and public sectors, include:

• IT outsourcers, including cloud services providers and software-as-a-service (SaaS) application providers
• Business process outsourcers (e.g., payroll processors and finance processors)
• Telecoms companies
• Asset managers
• Pension administrators
• Health care
• Real estate managers
• Distribution companies