Third party assurance

Provide assurance to your customers through a strong third-party assurance program

Service providers today are in a highly competitive market place with new entrants and technology innovations bringing fresh challenges. As each provider sets out to distinguish their place in the market, the question of what truly sets a provider apart is becoming increasingly difficult to answer. Most of service organisations use third party assurance as an effective tool to demonstrate its controls environment.

Deloitte offers a range of different Service Auditor Reports depending on the type of third party assurance standards in place and requirement of your customers.

You can share this report with your customers and stakeholders which will avoid the need for multiple audits to be conducted by each customer, limiting disruption, time and cost impacts to your business.

Assurance Frameworks




SOC Cybersecurity

ISAE 3402

ISAE 3000


Third party assurance and the journey

Service organisations opt for third party assurance as an effective tool to demonstrate key controls designed to govern their critical systems. Below are the steps that service organisations embark upon to achieve their third party assurance objective.

Step 1: Understand requirement of customers

  • Understand high level requirement of various customers.
  • Rank the requirements in order of priority and commonality.

Step 2: Adopt suitable Assurance Standard

  • Select a suitable Assurance standard that meets customers’ requirements.
  • Identify relevant services and supporting IT platform to be covered by the Assurance report.
  • Understand the period of review and frequency for which Assurance reports are required by majority of customers.
  • Evaluate if sub-service organisations are being used for delivering services to customers and if they need to be included in scope of report.

Step 3: Readiness work for defining Control Objectives/Narratives

  • Develop a controls framework covering key services. You may consider adopting an appropriate standard and customise to define objectives.
  • Prepare the control narratives reflecting the services being offered to customers.
  • Sustain the control environment over a period of time.
  • Perform a readiness review to evaluate the gaps in design and operating effectiveness of controls.
  • Determine how evidence of controls is stored and retained.

Step 4: Evaluate, remediate findings and plan for Type 1 and then Type 2 report

  • Evaluate readiness review observations and remediation efforts required.
  • Post remediation, consider obtaining a Type 1 (Design evaluation) report first.
  • Following the Type 1 evaluation, plan for a Type 2 (Design and Operating Effectiveness evaluation) report. A Type 2 report will normally cover a period between 6 and 12 months.
  • Engage a service auditor to undertake the Type 2 evaluation.
  • Share the Type 1 or 2 report with customers and their external auditors.

What you achieve through third party assurance and SOC reports

  • Reputation and brand: Reduce the risk of a breach of security or privacy that can impact reputation and the confidence of customers, suppliers and potential buyers.
  • Service offering differentiation for new work: Position service offering as “best of breed” and give an added advantage over non-compliant competitors. Aids in scoring high on RFP/Tenders.
  • Revenue assurance and growth: Reduce the risk of customer credits/performance penalties.
  • Operational disruptions: Eliminate multiple audits by business partners and customers which drain valuable time and resources of operational and service personnel.

Related topics:

Did you find this useful?