Your Compliance Guide: SOC, SOX, & ISAE 3402

In today’s regulatory environment, businesses face strict compliance requirements intended to demonstrate the transparency and reliability of their operations to shareholders and customers. The SOC (System and Organisation Controls), SOX (Sarbanes-Oxley), and ISAE 3402 assurance and reporting frameworks play critical roles in achieving these goals.


SOC reports provide assurance on controls related to data security, availability, processing integrity, confidentiality, and privacy. They include:

  1. SOC 1: Focuses on controls relevant to financial reporting.
  2. SOC 2: Evaluates controls over security, availability, processing integrity, confidentiality, and privacy.
  3. SOC 3: Provides a general-use report on controls over security, availability, and confidentiality.

Businesses obtain SOC reports to assure stakeholders of their robust data handling practices, particularly service organisations managing sensitive client information or providing cloud services.


SOX compliance enhances the accuracy and reliability of corporate disclosures, particularly for publicly traded companies. Key aspects include:

  1. Internal Controls: Ensuring effective internal control over financial reporting (ICFR) to prevent fraud and misstatement.
  2. CEO and CFO Certification: Mandating certifications of financial statements and internal controls.
  3. Independent Audit: Requiring external audits of ICFR by registered public accounting firms.

UK SOX, aligned with US principles, applies to UK-listed companies and emphasises governance, transparency, and accountability to protect investors and maintain market confidence.


ISAE 3402 provides assurance on controls at service organisations. Key features include:

  1. Type 1 Report: Describes the design of controls at a specific point in time.
  2. Type 2 Report: Evaluates the effectiveness of controls over a specified period.

These reports are essential for service providers demonstrating control effectiveness to clients and stakeholders.


Selecting the right assurance offering—whether SOC, SOX, or ISAE 3402—is critical. It ensures compliance with regulatory requirements, strengthens governance, and enhances operational resilience. Partnering with experienced professionals familiar with these frameworks is essential to navigating complexities effectively and mitigating risks.


Our Internal Audit services encompass a comprehensive assurance offering tailored to enhance governance, operational resilience, and compliance with regulatory frameworks including SOC, SOX, and ISAE 3402. We provide:

  • Thorough evaluations of internal controls, ensuring alignment with SOC requirements for data security and processing integrity.
  • Robust assessments of financial reporting controls to meet stringent SOX compliance standards, safeguarding accuracy and transparency.
  • Detailed reviews and assurance on service organisation controls under ISAE 3402, validating control effectiveness and reliability for stakeholders.

By partnering with us, your organisation gains assurance that its governance structures are sound, operational risks are mitigated effectively, and compliance with regulatory mandates is upheld with confidence.

Get in touch with our Internal Audit team

David Archibald

Partner

I head up our public sector and internal audit team. I have over 25 years of audit and performance improvement experience, which is complemented by my experience in risk management, fraud prevention and programme management….

Steve McNaught

Senior Manager

I joined Henderson Loggie in 2004 and am a senior member of the firm’s Internal Audit Services team. I am involved in delivering assurance and consultancy services to a diverse range of organisations across the…

Emma Tilley

Assistant Manager

I am an Assistant Manager within the Internal Audit Team. Since I joined Henderson Loggie in 2021, I have worked with a range of clients across the public, private and third sectors. My main focus…
