Outsourced Risk Advisory (ORA)
Increasingly, outsourcing of core and non-core functions to Outsourced Service Providers (OSPs) plays a vital role in helping client companies increase their efficiency and profitability. As a result, outsourcing has evolved into a strategic business practice.
As OSPs become more integrated with their clients' day-to-day operations, they can have more of an impact on the clients' internal control framework, including their financial reporting and compliance requirements. This increased reliance on OSPs, and the critical role that they can play in their clients' business, has led to an increase in demand for outsourced assurance programs.
Leading-edge professional service organizations understand the challenges that an integrated outsourcing relationship can present. These organizations can help their clients effectively and efficiently meet existing and growing demand for third-party assurance reporting by incorporating multiple views (global, risk, compliance, industry, and customer) into their approach. Our assurance-related services are structured to address the multiple risks that organizations face today. The assurance-related services that we provide are as follows:
Service Organization Controls (SOC) reports: These reports help service organizations provide independent assurance to their clients on internal financial controls (SOC1 reports) and on the trust principles (SOC2 and SOC3 reports).
Agreed-upon procedures including vendor assessments: These are reports provided to companies based on a set of controls agreed upon between the service organization and the auditors.
Regulation asset-based securities (AB): This regulation is applicable to financial services. We provide an assurance/attest report on mortgage-related operations.
Both providers and users of outsourced services are seeking the same goal: assurance that their risks are effectively managed. Risks related to compliance and regulatory requirements are on the increase, and non-compliance can mean reputational and financial damage.
Unified compliance framework: Deloitte India has an integrated compliance framework that helps address various compliance-related requirements at once.
SOX management testing: As part of the Sarbanes-Oxley requirement, management is mandated to perform testing of internal controls over financial reporting for purposes of SOX 404. We assist management in performing SOX 404 design evaluation and operating effectiveness testing.
Industry-specific compliance: We provide readiness reviews for clients on compliance with various regulations/standards such as Payment Card Industry (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA), Gramm–Leach–Bliley Act (GLBA), etc. We also provide agreed-upon procedures reports with a specific focus on the regulation or standard in question. The service does not involve certification against the standard/regulation.