A brief introduction to ISO, ISAE and SOC for Financial Services

There are several standards, third-party certifications, and attestations available today. Within Financial Services we often come across ISAE, ISO, and SOC. However, finding easy-to-digest information is usually quite hard to find.

We decided to change that and had the opportunity to talk to Mattias Falck, who has been working with internal audit, risk management, and other assignments within the Financial Services Industry for more than 20 years. Previously at PwC and now running the advisory firm NFMK with services towards financial services companies in Sweden.

At the end of the article, you can also find a link to our more in-depth talk with Mattias on the ISAE-framework specifically.


What do they mean and what sets them apart?


What is an ISO standard or certification?

The ISO brand is probably the most well-known between ISAE and ISO. ISO standards cover many topics and industries and here in this context we are talking about its management system standards, These include working practices, standards, and principles that if followed help organizations ensure quality, safety, and efficiency of operation. These standards are developed by experts all around the world and maintained by the International Organisation for Standardisation (ISO). If a company has an ISO certification you know that they follow a certain set of working principles or guidelines designed to make sure the company meets certain quality standards.

An ISO management system standard is not tied to certain industries, processes, or products. Instead, it covers company and industry-wide topics such as information security and sustainability. An ISO certification is granted by being audited by an authorized third party and is usually valid for 3 years.

What is an ISAE or an attestation?

ISAE as a brand on the other hand is not as well-known as ISO. ISAE is not an organization similar to ISO, but a specific collection of audit standards maintained by International Auditing and Assurance Standards Board (IAASB) and does therefore not provide any actual standards or principles on how to conduct your business.

What this collection of audit standards provide is a reporting standard that assures that the content of the report is verified by an authorized third party that confirms (attest) that it reflects the state of your business. That means that if a business has an ISAE report, you can trust that what they say in the report is fairly presented– unlike a marketing brochure or webpage where a business can make broad statements and claims that may be hard or impossible to verify objectively.

What is SOC?

SOC is, in simple terms, the American version of ISAE. SOC is a brand name that is intended to make it easier to communicate attestation reports than using the audit standards names, which may change over time.

Both ISAE and SOC must be audited and signed by a public certified auditor.

Why should your business adopt ISO, ISAE, or SOC?

All these standards, whether it be the ISAE report standard or the ISO management system standards with its set principles, have the same purpose; To communicate trust to your clients, prospects, and other external parties regarding the quality of your service and/or how you conduct your business.

With certifications or adhering to standards you create trust in the market and make your business more transparent and easier to evaluate. Many times, it makes you a better business, these types of audits are something that drives quality because it forces the business to think about their operations both the current and how they envision them in the future. It is not always best to reinvent the wheel to become better or more effective, rather use current expertise and guidelines and focus on what makes your business unique and better performing than your competitors.

If we are ISAE specific, you can also avoid and/or streamline client audit visits since you do not need to facilitate individual audits for every client.

Who can adopt ISO, ISAE, and SOC?

ISO can be adopted by any business. Anyone can implement an ISO standard and the type of ISO you want is completely dependent on your type of business and the needs you need to communicate to the market. Businesses within a segment that has high demands on sustainability – implementing and getting an ISO26000-certification is a very good way to gain the trust of clients, prospects, and other external parties.

Click here for a list of some ISO standards available.

The ISAE and SOC reports are only available for Service Providers

The purpose of ISAE and SOC is to communicate the quality of service to customers of a service provider. What is worth mentioning is that when a business uses a Service Provider to carry out one or several of its processes the Service Provider becomes an integrated part of that business. Therefore for business-critical processes, the business needs to audit not only their in-house processes but also the outsourced ones in order to know that they all work as expected.

Initially, these reports were created to streamline and make customer audits at the Service Provider more efficient. Today it is common for Service Providers to provide ISAE/SOC-reports to their customers as a competitive advantage over their peers and in some industries and markets, it has de-facto become a requirement to win new contracts.

We hope that this introduction to ISAE, SOC, and ISO and what sets them apart gave you some new insights. Are you looking for more information or do you need some guidance on how to proceed with implementing ISAE in your business? Reach out to Mattias at [email protected] or visit NFMK.

Share this post

Share on facebook
Share on linkedin
Share on email