Outsourcing any component of a company's business introduces certain risks. As a consequence, the use of outsourcing requires companies to better manage the risks associated with the outsourced services.
Specifically, the outsourcing companies (user organisations) require a degree of assurance that the service provider has a well-established internal control framework that is suitably designed and operating effectively.
One of the most effective ways a service organisation can communicate information about its risk management and controls is through a service auditor report (e.g. ISAE3402).
The purpose of such a service auditor report is to provide clients and/or their auditors with an objective report that expresses an opinion about the control environment of a service organisation (i.e. provider of services).
The result is an independent and objective opinion about a standardised set of service objectives that are tested only once to minimise business disruption.
As a service provider, it is crucial to know the risks that may affect your clients and how to build that confidence. One way is to demonstrate that you have a well-established internal control framework that is operating effectively. That is what third-party assurance is all about.
Outsourcing an activity requires maintaining control over the resulting risks. Companies that rely on services provided by third parties, which have a direct impact on the presentation of financial information or on activities carried out in the internal control environment, must have adequate justification that controls have been implemented by their external service provider and are sufficiently functional. The ISAE3402 standard was created for the certification of internal control approaches by an external auditor.
ISAE3402 highlights the controls of the user organisation affecting the annual report. Therefore, ISAE3402 focuses on detailed control objectives, including requirements such as correctness, timeliness, completeness, presentation and cut-off. ISAE3402 is only a conceptual norm framework.
There are two types of ISAE3402 reports providing different levels of assurance. These are:
- Type I – Covering the design and implementation of internal controls in place to address specific control objectives
- Type II – In addition to providing the same assurance as a Type I report, a Type II report also provides assurance as to the operating effectiveness of the selected internal controls for a given period of time (generally one year).
The ISAE3000 reports are similar to ISAE3402 reports in the way they are structured. However, these reports are aimed at assurance engagements other than audits or reviews of historical financial information.
ISAE3000 reports will cover a wide field of applications and are often used in connection with areas such as cybersecurity and data privacy (GDPR) that are not directly related to financial reporting.
Similar to the ISAE3402 reports, there are two types of ISAE3000 reports providing different levels of assurance. These are:
- Point-in-time – Covering the design and implementation of internal controls in place to address specific control objectives
- Period – In addition to providing the same assurance as a point-in-time report, an audit report covering a period of time also provides assurance as to the operating effectiveness of the selected internal controls for that period (generally one year).
A 4400 audit report will cover specific agreed-upon procedures.
Typically, Deloitte performs a specified set of procedures and reports the results as part of the 4400 report.
SOC 2 is a report on an examination of controls over a service organisation’s system relevant to security, availability, processing integrity, confidentiality, and privacy. Additional "suitable criteria" (e.g. CSA, NIST) may be added to a SOC 2 report to create a SOC 2+ report.
In comparison with ISAE3402, SOC 2 reports cover IT security in a broader sense. The focus of SOC 2 reports is a set of predefined focus areas, each containing example controls.
Data processors can be monitored in different ways. The most common way is through an audit report.
Deloitte offers an ISAE3000 report which is tailored around data protection and processing of personal data on behalf of customers subject to the General Data Protection Regulation (GDPR). This report is based on a framework established in collaboration with FSR – danske revisorer, covering all relevant aspects, specified in the data processor agreement.
An audit report on GDPR will typically be accompanied by a gap workshop ahead of performing the actual audit, in order to identify any gaps that might lead to observations or qualifications.
Such a gap workshop is performed by an experienced manager and can be done either physically or virtually.
Typically, when issuing an audit report (ISAE3402, etc.) for the first time, a workshop including a gap analysis is performed ahead of performing the actual audit, in order to identify any gaps that might lead to observations or qualifications.
A gap workshop is performed by an experienced manager and can be done either physically or virtually.
Risk Advisory’s IT & Specialised Assurance offers a wide range of maturity assessments on areas such as IT security, data privacy, etc.
The maturity assessments can be tailored to specific requirements and can cover assurance-related areas such as IT Governance, IT Operations, Change management, etc.
- Identification and assessment of risks of material misstatement, including significant risks
- Deep technical skills and industry knowledge applied to data and control testing activities
- Increased persuasiveness of audit evidence
- Improved efficiency and effectiveness of audit procedures
- Results that identify trends in the underlying data or systems that can be used to support testing conclusions and generate meaningful insights that may be communicated to management and those charged with governance
- Assurance for third parties in a “test once” and “satisfy many” reporting model.