IT Attestation Services 

Organizations increasingly outsource technology and business processes to service organizations. However, although the technology and processes are outsourced, the risk is not. As the trend in outsourcing and off shoring continues to expand, user organizations will be seeking an increased level of assurance over the integrity of the service organization’s control environment. In addition, with the recent introduction of new regulatory and compliance requirements, many organizations are struggling to understand, react, and respond to the implications of these standards.

KPMG's IT Attestation practice helps organizations satisfy third-party risk and compliance assurance requirements and demonstrate the integrity of their control environment. Our globally accredited team provides reports on controls that are likely to be relevant to user organizations’ internal control over financial reporting; reports over security, availability, processing integrity, confidentiality and privacy using Trust Service Principles; and agreed-upon procedures reports. We provide actionable insights to help organizations enhance their internal controls environment, reduce business operation interruptions resulting from multiple audits, and help companies provide transparent controls-related information to customers and other stakeholders.


Potential Benefits

  • Reduction in interruption to business operations by multiple user organization audits
  • Strengthening and refinement of internal control environment resulting from independent assurance examinations
  • Gaining efficiency in audit and compliance activities by combining assurance and audit suppliers
  • Confidence in the market due to transparency of control environment


Featured Success Story

A leading provider of ERP software added a cloud-based ERP offering. The client chose KPMG due to our leadership in cloud computing and our vast experience in offering IT attestation services. The client was new to the IT attestation process, and KPMG helped the client choose the appropriate IT attestation product (SOC 1 in this case), conducted a readiness assessment, and provided recommendations for improving the service organization’s controls processes before beginning a SOC examination.

Share this

Share this


            Sandy Torchia

Sandy Torchia
Lead Partner
New York
+1 (212) 954-3530

Submit an RFP


Questions to Consider

  • Does your organization understand the implications of the new SOC 1 standard?
  • Does your organization understand the difference between Service Organization Control Reporting options (i.e., SOC 1, SOC 2, and SOC 3)?
  • Does your organization have user organizations that will require an independent audit report over the controls of the service organization to be incorporated into their financial statement audit?
  • Does your organization have a complex technology environment over which its customers will require some form of assurance over aspects of its control environment (e.g., security, disaster recovery, transaction processing)?
  • Is a transparent and strong internal control environment required to secure new business for your organization?