Outsource service providers are increasingly managing core business and IT processes for clients, which entails gaining unprecedented access to sensitive data and connectivity to critical systems. But when outsource service providers are more tightly integrated with day-to-day operations, they also have an impact on their clients’ internal control environments. Companies, therefore, are holding outsource service providers to the same level of risk monitoring and regulatory compliance that they hold themselves. As demand for third-party assurance reports increases, how can outsource service providers implement a more streamlined approach for dealing with both customer and regulatory requirements?
Increased regulation and greater reliance on outsourcing have led to a proliferation of third-party assurance (TPA) reports, from the workhorse SOC 1 reports to Attestation (AT) 101, SOC 2 and Agreed-Upon Procedures (AUP) reports. There is also a wide range of industry-specific reports. And TPA reports will likely extend to other business-critical areas such as cybersecurity.
Outsource service providers (OSPs) are also often inundated with security questionnaires from individual clients, requests for customer-specific TPA reports, and demands to arrange for burdensome on-site client auditor visits that well-designed TPA programs should address. Combine this with the need for OSPs to meet their own internal compliance requirements, and it’s easy to see why they are looking for ways to ease the burden.
Conquering the problem of TPA report proliferation calls for a comprehensive approach that can streamline efforts and make the best use of an OSP’s resources.
Here are a few practices that can give OSPs a good head start:
Take stock
Create an inventory of internal and external control requirements to identify gaps and overlaps. Having an inventory allows you to map requirements against the controls that fulfill them and determine which ones you can cover through TPA reports.
Get more bang for your buck
Once you have a catalog of requirements mapped to enterprise-wide controls, you’re in a position to capitalise on synergies and common elements to realise substantial efficiencies during control testing.
Shout it from the rooftops
Efficient TPA reporting is a valuable asset to customers, who can meet their own compliance requirements more quickly when you turn their requests around rapidly. So it’s important to provide training and education for your salesforce, management, and other key personnel who can make customers aware of your TPA capabilities.
Practice spring cleaning
Regularly revisit your TPA requirements inventory, adopt a continuous improvement mindset, and be proactive about uncovering — and then meeting — customer needs.
As companies step up their use of outsourcers for the management of mission-critical operations and business processes, demand for TPA reporting is certain to increase. These reports can be complex, and every customer has different requirements. To stay on top of it all, make the best use of limited resources, and move your organisation from merely protecting value to actually creating it, you need a big-picture view of your environment.
With an enterprise-wide inventory of controls mapped to both internal and external requirements, you can be better positioned to efficiently and effectively deliver the level of comfort that your customers need from members of their extended enterprise.
Deloitte third-party assurance services
Deloitte has developed a comprehensive and structured approach for service auditor reporting. Our methodology for preparing and delivering service auditor reports follows a phased approach which is customised to meet the specific business needs of our clients. Our approach incorporates a risk-centric focus, while also determining effective and efficient methods for defining scope, testing controls and executing the tasks and activities associated with third-party assurance reporting.
Consult our Third-party assurance services page to discover Deloitte's methodology for service auditor reporting and what it can do for your company.
Third-party reporting proficiency with SOC 2+
Providing assurance with regard to the American Institute of Certified Public Accountants’ (AICPA) Trust Service Principles (TSPs) may be sufficient for some outsource service providers’ (OSPs) customers. But others may require greater detail. For this reason, the AICPA has created SOC 2+.
This extensible framework allows OSPs’ auditors (also known as service auditors) to incorporate various industry standards, such as those published by the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO), into one SOC 2 report.