
Third Party Assurance (TPA)

A ticket to play in your ecosystem

A third party assurance report provides assurance over the design and/or operating effectiveness of a service organisation’s internal controls to achieve common business objectives of interest to customers/users of the services.

This is increasingly important as organisations are now more dependent on third parties to fulfil part or all of their critical business processes right across their value chain, including those that directly impact users of the services. 

The challenge:

Organisations are now more dependent on third parties across their value chain.

Third party incidents and customer service disruptions are increasing, often with immediate public visibility, and greater severity of customer, reputational, regulatory, and financial consequences. Regulatory scrutiny is increasing, requiring more direct oversight by Management and the Board on third party matters of risk management and ongoing due diligence.

How we can help:

To build trust and win in the marketplace, service providers are seeking ways to demonstrate strong risk management and provide assurance over their internal control environments relating to the services they provide.

A third party assurance report provides service organisations with a ‘ticket to play’ in their ecosystem. It demonstrates to the market that they are serious about governance and risk management, and have received independent assurance over the effectiveness of their internal controls.

Types of TPA / Controls Reports Deloitte can assist you with:

  1. Assurance report on controls at a service organisation (ASAE/ISAE 3402, including with reference to GS 007). This assurance report is distributed to and relied upon by user entities and their auditors. It covers controls at a service organisation that are likely to be relevant to user entities’ financial reporting. Note: ASAE/ISAE 3402 are the Australian and international versions of the US reporting framework SOC 1 (Controls over financial reporting at a service organisation).
  2. Controls relevant to security, availability, processing integrity, confidentiality or privacy (SOC 2 & 3). SOC 3 reports are intended to be shared with the public, unlike SOC 2 reports, which are intended for management of the service organisation, management of user organisations and their auditors.
  3. Assurance report on controls at an entity (ASAE 3150). The scope of this assurance report is defined by management. Intended users may include management, regulators and customers.