Trust & Transparency Solutions

All Eyes on Trust - Traditional and modern control reporting solutions to build trust with stakeholders

We help you provide transparency and build trust

In today's complex landscape, where organizations rely on third parties and subcontractors, regulatory scrutiny, data privacy, and transparency demands are reshaping compliance. Providing transparency and building trust are key to meeting compliance requirements, staying competitive, and driving long-term growth.

Transparency fosters trust and offers a competitive advantage by helping organizations identify control weaknesses, improve efficiency, and reduce costs by avoiding redundant efforts in compliance and operations.

We understand clients want a partner to help establish a robust internal control framework that meets regulatory and stakeholder expectations. Our team independently assesses control frameworks in line with Swiss and international assurance standards.

Using proven methodologies, we minimize disruption and deliver high-quality controls reports quickly. Would you like to learn more about our approach to assessing control frameworks?

Applied controls reporting standards

What we offer

Third-Party Assurance – Controls over Financial Reporting

ISAE 3402, SOC 1®, SSAE 18

Through controls reports (the US-based SOC 1® report, previously issued under SAS 70 and later SSAE 16, currently under SSAE 18, or the internationally accepted ISAE 3402), we provide transparency into organisations’ functions, processes, technology and controls that affect clients’ financial transactions and financial reporting processes. The traditional user audience of such reports consists of accounting departments and internal and external audit stakeholders.


Third-Party Assurance – Beyond Controls over Financial Reporting

ISAE 3000, SAS 950, SOC 2®

Emerging technology and regulatory developments such as blockchain, cloud, electronic patient health information, GDPR, and outsourcing regulation require organisations to look beyond the risks related to financial reporting.

Through the use of controls reports (referred to as SOC 2® or ISAE 3000 / SAS 950 using relevant and applicable industry controls standards, e.g. Trust Service Criteria or COSO/CoBiT Frameworks), we provide organisations and (internal and external) stakeholders with comfort when it comes to operational risk areas focusing on, for example, information security, (data) privacy, service availability, integrity and confidentiality. The typical (end) user audience of our reports is broad and ranges from internal / intra-group service recipients (e.g. IT shared service centres), recipients of outsourced services (e.g. data centre co-location services, cloud service providers, managed technology / IT services), regulators, customers and sometimes even the public in general.

Attestations of Other Specific Vendor Controls & Compliance Management Systems

SOC 2+, SOC 3, HITRUST

As the demand for trust and transparency in specific industry domains increases, we provide organisations with attestation solutions (e.g. SOC 2+ or SOC 3®) based on the latest control frameworks. For example, we deliver attestation services in the health / pharma sector. Supported by PwC US, we deliver readiness, remediation and certification as a Certified HITRUST Assessor. We assist in the implementation of the HITRUST Controls Standard Framework (CSF) as the foundation of an organisation’s security and privacy controls / compliance programme for controlling risks related to patient health information (PHI).

Software Certification - SAS 870

The SAS 870 Software Certification assesses Information Technology General Controls, focusing on the software development cycle, business process controls, and other processes specific to the software’s purpose. It is evaluated against standards like CobiT, COSO, ISO 27002:2013, and other relevant criteria.

The certification provides a software certificate that can be shared with current and prospective customers, confirming the software meets predefined criteria, such as compliance with the Accounts Ordinance for electronic archiving systems.

Compliance Management Systems - SAS 980

With the issuance of Swiss Audit Standard 980, which sets out standards and guidelines for compliance management systems (CMS), we are able to assist organisations in addressing the different principles outlined in this standard. Our readiness, gap analysis and attestation activities cover the required compliance culture, objectives, risks, overall programme and organisation aspects of an organisation's legal, tax, corporate social responsibility (CSR) oversight or other compliance management systems.

Methodology

Our methodology to create transparency and generate trust between service providers and service recipients

PwC’s Trust & Transparency Solutions (TTS) team helps providers and recipients of outsourced services manage regulatory and business requirements so they can concentrate on their specific core business.

Our proven and leading controls reporting methodology provides you with the following benefits:

  • A unique and independent perspective on your organisation.
  • A clear view on whether the expectations of all customers and their stakeholders are being met.
  • An effective internal control framework aligned with your customers' expectations.
  • A transparency knowledge transfer opportunity which enhances your company’s service quality.
  • State-of-the-art, high-quality controls reports in line with Swiss and, where needed, international assurance standards (such as ISAE 3402, ISAE 3000, PS 950, PS 980, SOC 1®, SOC 2®).
  • An opportunity to be informed about the latest ‘niche’ control reporting standards* that might be beneficial for the industry and/or territory you are doing business in.

Which control reporting standard best suits your requirements?

An increased demand for trust is highlighting the significance of having robust and reportable governance, risk, compliance, operational and IT controls in place.

Bruno Caviezel, Senior Manager, Digital Assurance & Trust

Discover our Services

PwC offers a wide range of standardised or, where needed, customised services designed to enhance your service quality. Ultimately, we work with the objective to establish trust between the provider and the recipient of outsourced services.

For service providers

We conduct a suitability assessment to evaluate the effectiveness of your existing controls through interviews and limited testing, helping you identify areas for improvement. Based on our findings, we provide recommendations where documentation or control effectiveness falls short of audit requirements. We prepare a controls report in line with applicable standards and PwC’s audit methodology, offering an independent auditor’s opinion on the design (Type 1) and operational effectiveness (Type 2) of controls. The report includes control objectives, activities, test procedures, and results. Additionally, we review master service contracts and service level agreements to ensure all critical areas are adequately addressed.

For service recipients

We help service recipients interpret control reports to clearly understand the effectiveness of their service provider’s control systems. We support provider management activities, such as defining service requirements or selecting providers, and establish third-party monitoring to ensure service quality through effective third-party risk management (TPRM). Additionally, we conduct ad hoc audits of outsourced services to ensure compliance with recipient policies and industry regulations. When service providers underperform, we identify root causes and develop action plans to address issues and improve outcomes.

Assurance of Compliance Management System or Software certification?

SAS 980 Compliance Management System

  • 1. Compliance Culture
    - Principles for an adequate and effective CMS
    - Management's attitude and behaviour
  • 2. Compliance Objectives
    - Determination of key objectives to be achieved
    - Specification of compliance domains and rules to comply with
  • 3. Compliance Risks
    - Identification of significant compliance risks
    - Systematic risk identification and evaluation process
  • 4. Compliance Program
    - Implementation of core principles and measures to minimize the identified risks
  • 5. Compliance Organisation
    - Roles and responsibilities
    - Organizational structure and processes
    - Resource planning
  • 6. Compliance Communication
    - Inform involved employees and third parties about the compliance program and roles / responsibilities
  • 7. Compliance Monitoring & Improvement
    - Monitor adequacy and effectiveness
    - Key requirement is an adequate documentation
    - Responsibility resides with management

  • Competition and antitrust law
  • Anti-bribery law
  • Stock exchange law (e.g. provisions on insider trading or ad hoc reporting obligations)
  • Corporate governance requirements (e.g. Swiss Code of Best Practice for Corporate Governance, OECD Principles of Corporate Governance)
  • Anti-money laundering law
  • Environmental law
  • Foreign trade law and export control
  • Legislation on external tax relations
  • Data protection and data security law
  • Labor law and personal rights (e.g., general anti-discrimination laws)
  • Industrial safety law

  • Assurance that the CMS is adequately designed, implemented and / or operated
  • Assurance that the CMS is effective and that resources are being used efficiently
  • Increases the confidence in your organization
  • Liability reduction for the board of directors and the company
  • Maturity assessment of your compliance management
  • Strengthening of the internal and external perception of your efforts in the area(s) of compliance

SAS 870 Software Certification

  • Information Technology General Controls, particularly the software development cycle
  • Business Process Controls
  • Any other processes and controls related to the specific purpose of the software

  • Control Objectives for Information and Related Technologies (CobiT)
  • Committee of Sponsoring Organizations of the Treadway Commission (COSO)
  • ISO 27002:2013
  • Any other measurable criteria related to the specific purpose of the software

  • Software certificate, which can be distributed to prospective as well as current customers.
  • Certificate confirms that software adheres to defined criteria, e.g. in the area of electronic archiving systems to the Ordinance on the Maintenance and Retention of Accounts (Accounts Ordinance; AccO - SR 221.431)
  • The certificate only confirms that the software is able to meet the defined criteria in a specific version and with specific configurations / customisations, provided it is adequately implemented and operated.
  • Subsequent versions, in case of changes, may need to be recertified.


Contact us

Bruno Caviezel

Senior Manager, Digital Assurance & Trust, PwC Switzerland

+41 79 713 27 59


Cristian Manganiello

Partner, Digital Assurance & Trust, PwC Switzerland

+41 58 792 56 68
