Third-party assurance optimization
Value creation strategies for service providers
Increasingly, companies are turning to third parties to manage core business and IT processes, giving outsource service providers (OSPs) access to sensitive data, with implications for internal control environments. As companies increasingly demand third-party assurance (TPA) reports, how can OSPs develop a streamlined approach?
Increased demand for third-party assurance reports
With more companies leveraging outsourcing as an integral driver for growth, the significance of TPA compliance continues to rise. And outsourcing has expanded the universe of risks, which now encompasses risks ranging from financial and operational to cyber and business continuity to sustainability risk. More than ever, companies are holding OSPs to the same level of risk monitoring and regulatory compliance that they hold themselves. As a result, demand for third-party assurance reports has skyrocketed. Annual service auditor reports reviewed by Deloitte reveal an increase of around 12 percent in the total number of reports annually.
Easing the burden
Increased regulation and greater reliance on outsourcing have led to a proliferation of third-party assurance reports, from the workhorse SOC 1 reports to Attestation (ATC-205), SOC 2, and Agreed-Upon Procedures (AUP) reports. In addition, a wide range of industry-specific reports have been issued, and TPA reports will likely extend to other business-critical areas such as cybersecurity.
OSPs are also often inundated with security questionnaires from individual clients, requests for customer-specific third-party assurance reports, and demands to arrange for burdensome on-site client auditor visits that well-designed TPA programs should address. Combine this with the need for OSPs to meet their own internal compliance requirements, and it’s easy to see why they are looking for ways to ease the burden.
Third-party assurance leading practices
Conquering the problem of TPA report proliferation calls for a comprehensive approach that can streamline efforts and make the best use of an OSP’s resources.
From protecting value to creating it
As companies step up use of outsourcers for the management of mission-critical operations and business processes, demand for TPA reporting is certain to increase. These reports can be complex, and every customer has different requirements. To stay on top of it all, make the best use of limited resources, and move your organization from merely protecting value to actually creating it, you need a big-picture view of your control environment.
With an enterprise-wide inventory of controls mapped to both internal and external requirements, you can be better positioned to efficiently and effectively deliver the level of comfort that your customers need from members of their extended enterprise.
To learn more, download our third-party assurance optimization report or visit our third-party assurance services page.
Get in touch
Sara Lademan
Partner | Deloitte Risk & Financial Advisory
Deloitte & Touche LLP
+1 312 486 2981
slademan@deloitte.com
Dan Zychinski
Managing Director | Deloitte Risk & Financial Advisory
Deloitte & Touche LLP
+1 404 220 1169
dzychinski@deloitte.com
Alan West
Senior Manager | Deloitte Risk & Financial Advisory
Deloitte & Touche LLP
+1 402 444 1807
alwest@deloitte.com