There's a new data governor in town and it's reshaping how organisations manage personal data. Alfie Duffen, Charley Wright and Lovelee May Ramel explain how businesses can use the UK’s Data Use and Access Act (DUAA) 2025 to gain a competitive edge.
Cyber security threats are constantly evolving. We’ll work with you to develop and test robust people, process and technology defences to protect your data and information assets.
Working with borrowers and private equity financial sponsors on raising and refinancing debt. We can help you find the right lender and type of debt products.
Our asset recovery fund eliminates downside risk and retains upside potential. The fund can also buy NPLs, distressed debt, judgments, and other awards.
Global non-performing loan enforcement with non-recourse funding – delivering maximum recovery, including hidden assets, and participation in the upside.
As independent private client advisers, we’re experienced in assisting with complex and sensitive matters effectively, from dispute through to recovery.
Regulatory change, pressure on cost management and growth, and increased investment in technology and data are dominating the financial services industry.
Looking for a more fulfilling role in professional services? One where fresh thinking, collaboration and diversity are valued? At Grant Thornton we do things...
At Grant Thornton, we have a culture where talented people thrive – where high performance is not just expected, but enabled. It’s a culture built on clarity, curiosity, and care. One that challenges us to aim higher, where we’re encouraged to make the most of an abundance of resources to fuel our own development, and where we support each other to grow, learn, and succeed.
Included and valued for your difference is how everyone should feel at work. Not just because it’s right, but because we’re all at our best when we’re able to be ourselves.
Our ESG framework enables responsible, sustainable, and ethical operations. We prioritise the environment, our broader societal impact, and our firm's governance to protect the planet, foster inclusivity and wellbeing, support our communities, and bolster our firm's resilience.
Our employability hub is designed to help you feel prepared for the application process, and guide you through the decisions you will need to make throughout.
Whether you are looking to join us straight from school or with a degree, or even looking for some work experience, we have a programme that is right for you.
We've created this hub to provide you with the information you'll need to help inform career discussions with your young people. From whether an apprenticeship is the right route and the application process, to the support they'll receive and future career opportunities, this page will help you guide informed decisions.
We hope you can find all the information you need on our website, but to help we've collated a few of the questions we hear quite frequently when speaking to candidates.
Looking for a more fulfilling role in professional services? One where fresh thinking, collaboration and diversity are valued? At Grant Thornton we do things...
Our advisory practice provides organisations with the advice and solutions they need to unlock sustainable growth and navigate complex risks and challenges.
The tax landscape is evolving, and our clients need us more than ever to navigate the complexities with them. Our firm has seen remarkable growth in recent years and we have set ambitious plans for the future. To achieve them, we're dedicated to developing our internal talent and excited to welcome new team members who want to grow with us.
We strive to ensure our interview process is barrier free and sets you up for success, as well as being wholly inclusive and robust. Learn about our process here.
As an Armed Forces Friendly organisation we are proud to support members of the Armed Forces Community as they develop their career outside of the Armed Forces.
Are you a partner or director, or on track to one of these positions? Are you looking for a more exciting role where you can drive change and help shape the...
The Agile Talent Community is a network of contract professionals given the opportunity to work with valued clients on a project-by-project basis and provided...
While service auditor reports are a powerful tool to build trust and demonstrate controls effectiveness, many organisations run into pitfalls in the process of obtaining one. Tim Foster-Key and Pooja Behl explain where things can go wrong and how to avoid the most common missteps.
Contents
A service auditor report (SAR), or SOC report, not only strengthens customer relationships but also improves internal efficiency by eliminating the need to respond to multiple audits. However, pitfalls such as misaligned expectations, unclear scoping and underestimating the documentation burden, are just a few of the challenges that lead to inefficiencies, delays and audit fatigue.
Ourseven stepswill help you understand and overcome these challenges,to ensure a smooth and successful SAR engagement that delivers real value to both service providers and their customers.
1 Choose the right report
SARsare not a one-size-fits-all solution. Each organisation has unique requirements and faces distinct challenges from its customers. Selecting the most appropriate report to meet both your and your customers' needs can be daunting and challenging.
A good place to start is to understand who your report is for, ie, what's the driver behind your requirement for aservice attestation, or SOC, report,why do you need the report, what period of time does it need to cover? The answers to this will then guide which direction you need to go in.
Defining the scope of SAR engagements and assessments can be complex. Organisations frequently struggle with identifying the relevant systems and processes that need to be in scope to satisfy customer requirements and to establish or retain their trust.
A common misstep is over-scoping. Bringing too many elements into the assessment can dilute focus, increase complexity and strain resources. A more targeted, risk-based approach ensures the scope remains relevant, manageable and aligned with the report’s objectives.
What to consider to define scope and coverage:
Know the purpose: Is the SAR for customer assurance, compliance or internal risk? Shape the scope to meet those needs
Focus on what matters: Prioritise key systems, data, and processes that affect business operations and customer trust
Engage with end users of the report (user entities): Consider the connection with end users and their input. Feedback from user entities can help identify areas where they seek additional assurance, guiding decisions on whether to expand or refine the scope
Keep it focused: Include only what’s essential, such as systems handling sensitive data or supporting core functions
Start small, refine as needed: Begin with a draft and adjust based on feedback, new risks or shifting priorities
3 Check compliance and control testing
Ensuring that controls are properly designed, implemented and operating effectively to meet the objectives or criteria of the attestation can be challenging and a cause for inefficiencies.
To avoid this, it's important to:
align controls with specific standards
maintain consistency by applying controls and documentation uniformly across systems, teams, and time periods to help ensure reliability and audit readiness
address any foreseeable gaps or weaknesses that may arise during the process.
4 Take time to gather documentation and evidence
Gathering and maintaining the necessary documentation and evidence to support the audit can be time-consuming and resource-intensive.
A common challenge arises from an expectation gap. For instance, many organisations assume the process is comparable to an ISO or Cyber Essentials certification. In reality, SAR audits often demand a deeper level of scrutiny and more extensive evidence gathering. Allow yourself time and resources to gather this information.
5 Be prepared for continuous monitoring
For Type 2 reports, which assess control effectiveness over a period of time, organisations must demonstrate consistent operation of their controls throughout the defined period.
A common misconception is that the effort required is limited to a short-term engagement, typically a week or so. In reality, it demands sustained commitment and ongoing monitoring across the entire reporting period. This is more a mindset shift or culture challenge.
Considerations to help you prepare effectively:
Plan ahead: Allow at least one to two months before the end of the reporting period to prepare for the assessment and address any gaps
Establish control ownership: Assign clear accountability for controls to ensure they are maintained and monitored regularly
Automate where possible: Use tools to track control performance, log activities,,and generate audit trails to reduce manual effort
Maintain documentation continuously: Keep records updated throughout the period, not just at the end, to demonstrate consistency
6 Don't underestimate the cost and resource allocation
The process of obtaining and maintaining a SAR can be costly and require significant resources, including hiring a professional services firm to perform these assessments, dedicating internal staff for coordination, provision of evidence, etc.
A common pitfall is assuming it’s a one-off, 'quick win' task and therefore underestimating the level of effort needed when planning to obtain a SAR. . For high-quality SARs, especially Type 2 reports that assess control effectiveness over time, sustained commitment is essential. These reports require controls to operate consistently, with regular monitoring and well-maintained documentation throughout the reporting period, typically spanning six to 12 months.
In contrast, Type 1 reports, which provide a snapshot of control design at a single point in time, generally involve a more contained effort. However, they still demand careful planning, coordination, and readiness to present accurate and complete evidence.
7 Engaging with third-party service providers
Identifying which third-party service providers are relevant to the scope of the SAR can be complex, requiring a thorough understanding of how they impact the organisation's control environment.
Determining whether to include or exclude the third party’s controls in the report is also crucial but needs extensive coordination and communication between the organisation and the third-party providers. This may also require either ensuring alignment between the respective parties’ control environments, or identifying and relying on other third-party reporting mechanisms for comfort over the third-party providers’ services.
Additionally, procurement teams may have contractual arrangements in place that further complicate the inclusion or evaluation of third-party services.
Early and thorough stakeholder engagement is key to navigating and overcoming the challenges here.
SAR success results in a powerful asset
Successfully navigating the SAR attestation process requires more than just technical compliance. It demands strategic planning, cross-functional coordination, and a clear understanding of the report’s purpose and audience.
By proactively addressing common pitfalls – such as unclear scoping, underestimating documentation needs, andoverlookingthird-party dependencies – organisations can transform SAR engagements from a compliance exercise into a meaningful trust-building initiative.
And with the right preparation, stakeholder alignment and ongoing commitment, service auditor reports can become a powerful asset. Done right, they'll enhance transparency, reinforce customer confidence and position your organisation as a mature and reliable service provider in an increasingly risk-conscious market.
For more insight and guidance on SARs, get in touch with Pooja Behl orTim Foster-Key.
