Service organization control reporting - the convergences and divergences between ISAE 3402 and SSAE 18 under the scope of SOC 1

Abstract

In an increasingly globalized world, outsourcing is a major phenomenon which has been interconnecting companies for decades. Trying to imagine a world without external service providers is thus virtually impossible nowadays. Outsourcing has enabled companies to externalize important parts of their non-core processes. But this externalization has also led to a transfer of controls (on these processes) to service organizations, while the risks related have remained part of the primary entities. This asymmetry explains the increase of third-party assurance (TPA) audits, which result in Service Organization Control (SOC) reports. Such reports aim to provide trust and confidence for service organizations over their internal control system to their clients. Among these reports, the SOC 1 report is the most requested certification for service providers. This topic is however not well known by audit professionals and service companies in general. Two major standards share the hegemony over the regulation of this type of report worldwide: the international ISAE 3402 standard and the American SSAE 18 standard. The latter has only been in application since May 2017, and has not been completely assimilated by practitioners yet. For the above-mentioned reasons, this research thesis addresses Service Organization Control Reporting in general and focuses more specifically on the convergences and divergences between the two standards cited above. The purpose of this thesis is to present the concepts surrounding SOC reporting as well as to provide a quality research work for academics and professionals eager to improve their understanding on the topic.