DTSK-9153 SAR decision tree

Do you want to cover what your services are like at this point in time, or over a period of time in which the controls are set?

These reports, also called Type 2 reports, would help evaluate the design and operating effectiveness of an organisation's controls for a specified period of time (ususally a minimum of six months).

Would the report need to cover a specified period of time?

Do you want to cover what your services are like at this point in time, or over a period of time in which the controls are set?

Are you seeking an independent assessment over the environment that supports your application or service?

Do you offer services that have the potential to affect your customers' financial statements?

What's the driver behind your requirement for a service attestation, or SOC, report?

Please select one or more options

Testing the technology environment

An existing or potential customer wants to understand the technology environment that supports my services, eg, storing, holding, or processing data.

Business benefit

To demonstrate the standard of services provided to either show the quality standard or to support in a pitch where it’s required.

Customers or auditors have asked for it

My customer or auditor requires a report to support their financial controls due to the services I provide, or because a potential contract has specified this requirement.

You may be looking for a SOC 2 Type 1 report.

Typically, this requirement comes under a SOC 2 report focussed on a set of IT controls that are grouped into the following Trust Services Criteria*:

• Security

• Availability

• Processing integrity

• Confidentiality

• Privacy

These type 1 reports would help evaluate the design of an organisation's controls at a specific point in time, eg a report produced for the organisation as of xx-xx-xxxx would provide comfort over controls as at that date. This date is pre-agreed and of the service organisation's choosing.

Download the brochure to learn how to approach a point in time report.

*The exact mix of Trusted Criteria that you require is tailored to each report and Grant Thornton can support you through that process.

You may be looking for a SOC 2 Type 2 report.

Typically, this requirement comes under a SOC 2 report focussed on a set of IT controls that are grouped into the following Trust Services Criteria*:

• Security

• Availability

• Processing integrity

• Confidentiality

• Privacy

These Type 2 reports, would help evaluate the design and operating effectiveness of an organisation's controls for a specified period of time (usually a minimum of six months).

Download the brochure to learn how to approach a period of time report.

*The exact mix of Trusted Criteria that you require is tailored to each report and Grant Thornton can support you through that process.

You may be looking for a SOC 1 and/or an ISAE 3402 Type 1 report.

These Type 1 reports would help evaluate the design of an organisation's controls at a specific point in time, eg a report produced for the organisation as of xx-xx-xxxx would provide comfort over controls as at that date. This date is pre-agreed and of the service organisation's choosing.

Download our brochure and speak to our experts at Grant Thornton to learn more.

You may be looking for a SOC 1 and/or an ISAE 3402 Type 2 report.

These Type 2 reports would help evaluate the design and operating effectiveness of an organisation's controls for a specified period of time (usually a minimum of six months).

Download our brochure and speak to our experts at Grant Thornton to learn more.

It looks like you'll benefit from talking to us about your requirements further.

Tim Foster-Key

Director, Business Risk Services

Or download the brochure to learn more about the different types of reports.