
Assurance

SOC 1 / SOC 2 / SOC 3

Understanding the SOC Framework

In today's connected service landscape, clients and regulators expect more than promises. They expect independent assurance. 

For organisations operating internationally, this assurance is often formalised through System and Organization Controls (SOC) reports, developed by the AICPA (American Institute of Certified Public Accountants). 

The difference explained.

While SOC and ISAE share the same foundation in assurance principles, SOC reports are primarily used for U.S.-based or globally oriented clients and align closely with the Trust Services Criteria for security, availability, processing integrity, confidentiality, and privacy. 

SOC 1:

  • Focused on internal controls over financial reporting (similar in scope to ISAE 3402);
  • Typical audience: External auditors and financial statement users.

SOC 2:

  • Focused on non-financial controls related to security, availability, processing integrity, confidentiality, and privacy;
  • Typical audience: Clients, regulators, and internal stakeholders.

SOC 3:

  • A general-use, public summary of a SOC 2 engagement;
  • Typical audience: Marketing and public disclosure.

Together, they form a family of standards that communicate the reliability of your control environment to stakeholders across jurisdictions.

Our approach.

At Risk Boutique, we guide organisations through the full SOC lifecycle - from readiness to attestation - always aligning our work with the professional standards of NOREA and the AICPA framework.

01
Readiness & Gap Analysis

We start by assessing whether your control environment is ready for a SOC engagement. 

This includes mapping existing policies and controls to the relevant Trust Services Criteria and identifying documentation or evidence gaps.

02
Framework Definition

We help define the system boundaries, control objectives, and scope. 

For SOC 1 engagements, we ensure alignment with your clients’ audit requirements; for SOC 2, we focus on information security and governance controls. Our documentation approach guarantees that controls are testable, evidence-based, and proportionate.

03
Testing & Validation

Our independent auditors perform design and operating-effectiveness testing using a structured, risk-based methodology. 

We apply the same rigor used in ISAE engagements, ensuring consistency and reliability across frameworks.

04
Reporting

We prepare the final SOC 1, SOC 2 or SOC 3 report in the format accepted by international auditors and clients. 

Reports include management’s description of the system, our independent opinion, and clear improvement recommendations - written in a tone your stakeholders can understand.

Our SOC engagements follow a transparent model composed of:

01
A standard component for project management, communication, and formal reporting.

02
A variable component determined by the number of control areas in scope, the chosen report type (SOC 1, 2 or 3) and the reporting period (Type I or Type II).

This ensures that pricing reflects real complexity and effort - never arbitrary size or volume. We provide a tailored proposal following an initial scoping discussion.

Why clients choose Risk Boutique.

NOREA-compliant quality. All assurance work adheres to Dutch professional standards for IT auditors.

International credibility. SOC reports are accepted globally by auditing firms and regulators.

Pragmatic execution. Clear communication, minimal disruption, maximum assurance value.

Experience across sectors. Financial services, fintech, cloud platforms, and crypto brokers. 

Seamless integration. Alignment with ISAE 3000 / 3402 and your broader risk-management framework.