Outsourcing is a growing trend and companies increasingly depend on third-party providers to deliver critical services. Ten years ago only one or two major third party services providers may have been used for a limited number of companies outsourcing core operations (e.g. payroll or pension administration) but now organisations often depend on many providers to deliver any number of services. Consequently service providers (or third party providers) are looking to provide their customers, and their customers’ auditors, with an understanding of controls in place at the service provider and, in certain instances, evidence to determine whether controls over the outsourced service at the service provider are effective.
Although the marketplace is comfortable with the SAS70 reporting format, there are alternative types of reports, and the reports that can be used going forward are changing in June 2011 under the largest change in Service Auditor Reporting in recent memory.
The International Auditing and Assurance Standards Board (IAASB) issued a new international standard for engagements to report on controls at service organisations. At the same time the American Institute of Certified Public Accountants (AICPA) have replaced the SAS 70. While the standards drafted by the IAASB and AICPA are not significantly different from each other, nor from the present standard, they do present some changes from SAS 70 that may prove challenging for some service organisations.