Third-party assurance

Independent third-party assurance services

At Moore Kingston Smith, our dedicated team offers a full range of independent assurance services, helping organisations demonstrate robust internal controls and a clear commitment to accountability.

A controls report offers a structured, standardised method for service organisations to communicate how their controls address key service objectives and align with their clients’ most significant risks.

These control reports are independently tested by an external auditor, providing a level of assurance and credibility far beyond what self-attestation can offer.

As a result, it serves as a powerful tool to demonstrate your organisation’s commitment to a robust internal control environment, and the report can be shared with third parties.

A sample of third-party assurance services we provide are:

SOC 1 – assurance over internal controls concerning financial reporting (ICFR), in line with the SSAE 18 standard.
SOC 2 – reporting on controls concerning security, availability, confidentiality, processing integrity and privacy.
SOC for cyber security – independent assessment of your organisation’s cyber risk management framework.
ISAE 3000 – evaluation of non-financial controls, including security and privacy.
ISAE 3402 – reporting on controls that impact financial reporting, often used by external auditors and stakeholders.

These reports are designed to meet increasing expectations around governance, data protection and risk management, while reducing the compliance burden for your clients and partners.

If you’d like to explore how we can support your assurance needs, contact us today and our third-party assurance team will be in touch.

SOC 1

SOC 1 is an independent assessment that evaluates the design and operational effectiveness of a service organisation’s internal controls over financial reporting (ICFR). This examination provides assurance that the organisation has implemented appropriate processes and control activities to support the integrity, accuracy and reliability of financial data relevant to user entities’ financial statements.

The SOC 1 report focuses specifically on controls that may impact a client’s accounting or financial reporting systems, making it essential for such service providers as payroll processors, data centres and third-party administrators. It is a critical tool for auditors and stakeholders, supporting transparency, reducing the audit burden for clients and demonstrating a commitment to financial control and accountability.

SOC 2

SOC 2 is an independent assessment that evaluates the design and operational effectiveness of a service organisation’s controls as they relate to one or more of the AICPA’s Trust Services Criteria: security, availability, confidentiality, processing integrity and privacy. This examination provides assurance that the organisation has implemented appropriate policies, procedures and practices to manage risks and protect customer data in line with its service commitments and system requirements.

The SOC 2 report offers detailed insight into how the organisation safeguards information, ensures system uptime, maintains data confidentiality, processes information accurately and upholds privacy obligations. It is particularly relevant for technology and cloud-based service providers, serving as a critical benchmark for customer trust, risk management and regulatory compliance.

SOC cyber security

The SOC for cyber security framework provides an independent evaluation of an organisation’s cyber risk management programme, assessing both its design and operational effectiveness. The examination includes cyber security governance, policies, controls and processes, aligned with recognised frameworks such as NIST Cybersecurity Framework, ISO 27001, AICPA Trust Services Criteria, the UK’s NCSC CAF and the CSA Cloud Controls Matrix.

The objective is to give stakeholders assurance that the organisation identifies, protects against, detects, responds to and recovers from cyber threats effectively. This reporting framework supports transparency, accountability and continuous improvement of cyber security posture across diverse industries.

ISAE 3000

An ISAE 3000 report partially follows the Trust Service Criteria, which include security, availability, process integrity, confidentially and privacy. The ISAE 3000 report focuses on the reliability and security of systems.

There are two types of ISAE 3000 report: type I report evaluates the suitability of the design and existence of internal controls as at a specific moment in time; a type II report covers a predefined period and not only considers the suitability of the design and existence of internal controls but also tests the controls’ operating effectiveness.

Both reports include an opinion from the external auditor. The end users of these reports are the customers who the organisation is providing services to, who have an interest in the privacy and security of their data.

ISAE 3402

An ISAE 3402 report is similar to an ISAE 3000 report but focuses on internal controls relating to financial reporting. This report can also either be a type I report evaluating the suitability of the design and existence of internal controls at a specific point in time, or a type II report covering a predetermined period and not only considering the suitability of the design and existence of internal controls but all assessing the controls’ operating effectiveness.

Both reports include an opinion from the external auditor. The end users of these reports are stakeholders, such as clients’ external auditors, concerned about internal controls that could impact financial reporting.