Data and digital transformation is squarely on the agenda for many businesses. The use of cloud resources, data storage, processing integrity, and ‘everything as a service’ has increased.

Outsourcing data management and processing is now the norm for many industries. Along with this is the need to address risk and controls when it comes to data privacy and handling.  

If you are a third party supplier of handling and processing sensitive customer information, then the onus is on you to test your security controls to ensure you are compliant with data privacy provisions across jurisdictions.

With the influx of data privacy requirements, we are seeing the business landscape increasingly trending toward SOC reports for service suppliers now accepted as just being a part of the cost of doing business – so now is the perfect time to get prepared with a SOC report.  

So what kind of SOC compliance report do I need?

Essentially a third party assurance report, a System and Organisation Controls report is a multi-jurisdictional framework for assessing the design and effectiveness of controls relevant to sensitive customer information and processes – providing your clients with peace of mind and assurance that as suppliers, you will handle their confidential and sensitive data appropriately.

Our SOC reporting capabilities provide you an understanding of the risks associated with your internal controls so you can confidently address these risks. A Grant Thornton SOC report provides you with an efficient way of responding to security audit requests and demonstrates your commitment to security and privacy for current and prospective customers.

SOC reports can take the form of SOC 1 or 2, or alternatively a tailored attestation report:


SOC 1 (sometimes referred to or GS007 report or ASAE3402 report) is an audit report specifically addressing the security of financial statements, suited to those operating a financial reporting service.


SOC 2 is a broader audit report for those dealing with sensitive information, providing assurance relevant to security, availability, processing integrity of systems used to process data, and confidentiality and privacy of the information processed and/or held. Grant Thornton are the only firm in Australia that are able to issue a SOC 2 report without oversight from a US audit firm.

Tailored attestation report

If your organisation needs to address subject matter that does not appear to be satisfied by a SOC report, a customised attestation report using another attestation standard may be the answer. Our dedicated team can discuss with you the alternative standards to find the one that will best address your unique needs.

Risk management is a company-wide concern, with most stakeholders now requesting an SOC report as part of supplier due diligence prior to an engagement, or ongoing monitoring processes. SOC reports provide a transparent assurance of internal control accountability and for addressing multiple stakeholder assurance demands. Grant Thornton can help you decide which SOC report is applicable to your business or client requirements, and conduct and certify the chosen SOC report. 

With a range of reporting options available, it’s never been easier for businesses to be prepared, apply the right set of risk controls and satisfy stakeholder assurance requirements with a tailored report.

Matthew Green
Matthew Green
Daniel Farthing
Daniel Farthing

Get in touch

Grant Thornton Australia collects your personal information so we can send you communications including invitations to future events, industry insights and other relevant communications. You can opt-out of receiving these communications at any time via our preference centre. Privacy Policy.

Subscribe to receive our publications

Subscribe now to be kept up-to-date with timely and relevant insights, unique to the nature of your business, your areas of interest and the industry in which you operate.