Third Party Assurance

Take control of third-party risk with a strong third-party assurance program

Organisations are increasingly aware that outsourcing functions of their business to a third party introduces risk. It is therefore critical for user organisations to manage that risk and to obtain proper assurance and transparency over the services they outsource. One of the most effective ways for a service organisation (i.e. the third party) to communicate information about its risk management and controls is a Service Auditor Report. Deloitte offers a range of third party assurance services, including assurance reporting (e.g. ISAE 3402, SSAE 16 (SOC 1), ISAE 3000, SOC 2 and SOC 3) and agreed-upon procedures (AUP) reporting.

A structured approach

Deloitte has developed a comprehensive and structured approach to service auditor reporting. Our methodology for preparing and delivering service auditor reports follows a phased approach that is customised to the specific business needs of our clients. The approach is risk-centric and identifies effective and efficient methods for defining the scope, testing controls and executing the tasks and activities associated with third-party assurance reporting.

The enclosed brochure provides more information about Deloitte's methodology for service auditor reporting and what it can do for your company.

Managing risk from every direction

Latest articles on Third Party Assurance:

SOC 2+ reporting | Third party assurance optimisation

Third-Party benefits and risks

Third parties — whether traditional vendors, business partners or inter-affiliates — often reduce time to market, lower service delivery costs and improve customer experiences. An extended enterprise can allow a company to access specialised talent not available in-house, driving product or service innovation. The use of third parties can also help an institution to better focus on its core capabilities.

But along with the benefits come additional risks. Companies should be aware of all of the risks typically associated with outsourcing, including, but not limited to, reputational, control, compliance, privacy, financial, operational and information security risks. Outsourcing any component of a company's business to a service organisation can introduce any or all of these risks, either directly or indirectly. Direct risks are typically associated with the actual processing or hosting of data. Indirect risks, which can be equally critical, are normally associated with how the data is managed (or mismanaged) and with the clients' perception of the relationship between the provider and the users of outsourced services. To manage these risks effectively, executives rely on specific reports (see Service Auditor Reporting Options) from their service organisations.

A service auditor report

One of the most effective ways a service organisation can communicate information about its risk management and controls is through a Service Auditor Report (e.g. ISAE 3402, SSAE 16 (SOC 1), ISAE 3000, SOC 2, SOC 3). The purpose of such a report is to provide clients and/or their auditors with an objective report in which an independent service auditor expresses an opinion on the control environment of the service organisation (i.e. the provider of services). The result is an independent and objective opinion on a standardised set of control objectives that is tested once, for all user organisations, rather than separately by each customer's auditors, which minimises business disruption.

User organisations that obtain a Service Auditor Report from their service organisation(s) receive valuable information regarding the service organisation's controls and the effectiveness of those controls. The user organisation receives a detailed description of the service organisation's controls as well as an independent assessment of whether the controls were placed in operation, suitably designed and/or operating effectively. Before relying on a report, the user organisation should check three things: that the services and systems it actually uses fall within the report's scope; whether the report is a Type I (design and implementation of controls at a point in time) or a Type II (operating effectiveness over a stated period, including test results and any exceptions noted); and which complementary user entity controls the report assumes the user organisation itself operates, since the service auditor's opinion depends on those being in place.

Benefits of a service auditor report

Third-party attestation reporting provides a range of benefits for users and providers of outsourced services.

User benefits include

  • Evidence that the expectations of the third-party vendor relationship are being met
  • Support for the company's multi-purpose reporting requirements, including operational and financial reporting
  • Valuable information - an independent assessment of whether the controls of the service organisation were in place, suitably designed and operating effectively.
  • Cost savings - avoiding the additional cost of sending the user entity's auditors to the service organisation to perform their own procedures.
  • Support for compliance with industry, governmental and other relevant regulatory requirements.

Provider benefits include

  • Commercial advantage - a method to differentiate a service organisation from its peers/competitors.
  • Cost savings - a single report issued by the service auditor replaces repeated customer audits and reduces the effort of answering customer questionnaires, freeing service organisation resources for more value-added activities.
  • Broad assurance - provides reasonable assurance to a broad range of clients with a single report.
  • Compliance requirements - demonstrates to regulatory bodies that controls are in place and operating effectively.
  • Improve overall control awareness - generates increased awareness within the organisation of the importance of controls and embeds a strong control culture.

Service auditor reporting options

Deloitte understands the challenges that integrated outsourcing relationships can present. Deloitte can help clients effectively and efficiently meet existing and growing demands for third-party assurance reporting by incorporating multiple views (global, risk, compliance, industry and customer views) into their approach.

Deloitte offers a range of third-party assurance reporting services:

Assurance related reporting

Assurance engagements undertaken by an auditor to provide an independent report on the service organisation's internal control environment, for use by management of the service organisation, user entities and/or their auditors. A distinction is made between:

  • Assurance over financial reporting - SOC 1 - reports on controls at the service organisation that impact the financial reporting of user entities. Typically performed under the SSAE 16 (issued by the AICPA) or ISAE 3402 (issued by the IAASB) standard.
  • Assurance over non-financial information - ISAE 3000, SOC 2 and SOC 3 - reports on controls over non-financial processing, for SOC 2 and SOC 3 against the Trust Services criteria (security, availability, processing integrity, confidentiality and privacy).

Factual reporting

Engagements undertaken by an auditor to report on factual observations as part of an assessment. A distinction is made between:

  • Agreed-upon procedures (AUP) reporting - a report of factual findings, based on specific procedures agreed upfront and performed on a "subject matter" or an "assertion". No opinion is expressed; the reader draws their own conclusions from the findings. AUP engagements are typically performed under the ISRS 4400 standard.
  • Readiness assessment - readiness assessments explore how ready companies are to address the risks or needs associated with their outsourced service provider programmes. The results of a readiness assessment are transferable across all of the third-party assurance report types mentioned above.

Deloitte assists clients when it comes to selecting the most relevant solution for third party reporting.

More on Third Party Assurance

Third-party reporting proficiency with SOC 2+

Providing assurance against the American Institute of Certified Public Accountants' (AICPA) Trust Services Principles (TSPs) may be sufficient for some outsource service providers' (OSPs) customers. But others may require greater detail. For this reason, the AICPA allows a SOC 2 report to be extended with additional subject matter and criteria, commonly referred to as SOC 2+.

This extensible framework allows OSPs' auditors (also known as service auditors) to incorporate criteria from other industry standards, such as those published by the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO), into one SOC 2 report, so that a single examination answers both the Trust Services criteria and the additional framework requirements.


Third-party assurance optimisation

Outsource service providers are increasingly managing core business and IT processes for clients, which entails gaining unprecedented access to sensitive data and connectivity to critical systems. But when outsource service providers are more tightly integrated with day-to-day operations, they also have an impact on their clients’ internal control environments. Companies, therefore, are holding outsource service providers to the same level of risk monitoring and regulatory compliance that they hold themselves.

As demand for third-party assurance reports increases, how can outsource service providers implement a more streamlined approach for dealing with both customer and regulatory requirements?


Get in Touch

Johan Van Grieken

Partner, Risk Advisory

Johan is leading the IT Risk Consulting team in Belgium. He has specialised in the risks of governance, continuity, quality and sourcing. He leads consulting and assurance missions, helping clients to...

Bert Truyman

Director, Risk Advisory

Bert leads the ICT Audit and Assurance group in Belgium providing ICT (internal) audit, Third party assurance (e.g. ISAE 3402, SOC 2), risk & controls and compliance services. He has specialised in pro...