Third Party Assurance

Third parties — whether traditional vendors, business partners or inter-affiliates — often reduce time to market, lower service delivery costs and improve customer experiences. An extended enterprise can allow a company to access specialised talent not available in-house, driving product or service innovation. The use of third parties can also help an institution to better focus on its core capabilities.

But along with the benefits come additional risks. It is important for companies to be aware of all of the risks that may be typically associated with outsourcing, including, but not limited to reputational, control, compliance, privacy, financial, operational and information security risks. Outsourcing any component of a company’s business to a service organisation can introduce any or all of these risks — either directly or indirectly. Direct risks are typically associated with the actual processing or hosting of data. Indirect risks, which can be equally as critical, are normally associated with how the data is managed (or mismanaged) and the clients’ perception of the relationship between the provider and users of outsourced services. To effectively manage these risks, executives rely on specific reports (see Service Auditor Reporting Options) from their service organisations.

One of the most effective ways a service organisation can communicate information about its risk management and controls is through a Service Auditor Report (e.g. ISAE3402, SSAE 16 (SOC 1), ISAE3000, SOC 2, SOC 3). The purpose of such a Service Auditor Report is to provide clients and/or their auditors with an objective report that expresses an opinion about the control environment of a service organisation (i.e. provider of services). The result is an independent and objective opinion about a standardised set of service objectives that are tested only once to minimise business disruption.

User organisations that obtain a Service Auditor Report from their service organisation(s) receive valuable information regarding the service organisation’s controls and the effectiveness of those controls. The user organisation receives a detailed description of the service organisation’s controls as well as an independent assessment of whether the controls were placed in operation, suitably designed and/or operating effectively.

Third-party attestation reporting provides a range of benefits for users and providers of outsourced services.
 

User benefits include
 

• Ensuring that the expectations of the third-party vendor relationship are met
• Ensuring that the company’s multi-purpose reporting requirements - including operational and financial - are met
• Valuable information - independent assessment of whether the controls of the service organisation were in place, suitably designed and operating effectively.
• Cost savings - avoiding additional costs in sending the auditors of the user entity to the service organisation to perform their procedures.
• Maintaining compliance with industry, governmental and other relevant regulatory requirements.
   

Provider benefits include
 

• Commercial advantage - a method to differentiate a service organisation from its peers/competitors.
• Cost savings - providing reports issued by the service auditor rather than customer audits - Savings on answering questionnaires. This frees up service organisation resources to complete more value added activities.
• Broad assurance - provides reasonable assurance to a broad range of clients with a single report.
• Compliance requirements - demonstrates to regulatory bodies that controls are in place and operating effectively.
• Improve overall control awareness - generates increased awareness within the organisation of the importance of controls and embeds a strong control culture.

Deloitte understands the challenges that integrated, outsourcing relationships can present. Deloitte can help clients effectively and efficiently meet existing and growing demands for third-party assurance reporting by incorporating multiple views — global, risk, compliance, industry and customer views — into their approach.

Deloitte offers a range of third-party assurance reporting services:
 

Assurance related reporting
 

Assurance engagements undertaken by an auditor to provide an independent report on the user entities internal control environment for use by management of the service organisations, user entities and/or their auditors. Distinction is made between:
 

• Assurance over financial reporting - SOC 1 - reports over controls that impacts the financial reporting of user entities. Typically performed under SSAE16 (issued by AICPA) and ISAE3402 (issued by IAASB) standard.
• Assurance over non-financial information - ISAE 3000, SOC 2 and SOC 3 - reports on non-financial processing.
   

Factual reporting
 

Engagements undertaken by an auditor to report on factual observations as part ofan assessment. Distinction is made between:
 

• Agreed-upon procedures (AUP) reporting - report of factual findings, based on specific and upfront agreed procedures performed on a “subject matter” or an “assertion”. AUP engagements are typically performed by using the ISRS 4400 standard.
• Readiness assessment - readiness assessments explore how ready companies are to address risks or needs associated with their outsourced service provider programs. The readiness assessment reports can be transferrable across all third-party assurance report types (like the ones mentioned above).

Deloitte assists clients when it comes to selecting the most relevant solution for third party reporting.