

Third-party governance and risk management reporting

Principles for optimizing third-party assurance reporting

As third-party assurance report requests escalate, outsource service providers (OSPs) increasingly need a way to enhance their third-party governance portfolios. While there’s no “right” way for OSPs to structure efforts to comply with customer demands for assurance, there are some guiding principles to help streamline the processes.

The demand for third-party assurance

The market is still coming to terms with the escalating third-party assurance (TPA) demands being placed on OSPs. The American Institute of Certified Public Accountants (AICPA) and other industry organizations have been evolving their frameworks to provide a greater level of assurance and streamline reporting processes. To this end, the AICPA created a Service Organization Control (SOC) report called SOC 2+, an extensible framework that allows service auditors to incorporate various industry standards into a SOC 2 report. The AICPA also created a new cybersecurity attestation reporting framework in 2017, known as SOC for Cybersecurity.

For OSPs that process, handle, or host customer data relevant to financial reporting, a SOC 1 report continues to be necessary, regardless of what other types of reports are required. Amid this complex and rapidly evolving compliance landscape, it’s easy to see why OSPs are being challenged to rein in the costs of third-party assurance reporting while still providing customers with the required level of assurance around their controls.

Top five guiding principles

The proliferation of reports, combined with regulatory and compliance requirements, demands a more efficient approach to third-party governance and risk management. Though each organization is unique, we have assembled a list of the top five broadly applicable principles for better managing a complex third-party governance portfolio. This is based on our observations in performing independent, third-party examinations for OSPs—from startups to multinational organizations—across every major industry.

  1. Establish a TPA governance steering committee.
    This should be a group of people who don’t have day-to-day TPA responsibilities but who have the right experience, expertise, and background to help guide the entire portfolio. Establishing a steering committee offers a path to aligning and streamlining obligations across the entire organization. The role of the steering committee is to:
    1. Counsel people throughout the organization on efficient use of TPA governance resources
    2. Define and disseminate an overall TPA governance roadmap for the organization
    3. Empower people to make well-informed contracting decisions through a better understanding of how TPA reports are used
    4. Share leading practices across the organization
    5. Identify and eliminate redundant efforts
    6. Assist in communicating with customers regarding why certain reporting decisions are made
  2. Institute a check in the contracting process to ensure that the company’s commitments to TPA reporting are appropriate.
    Prior to being finalized, contracts should be reviewed by a sanctioned gatekeeper, possibly someone in the TPA Project Management Office (PMO), who can check to see if the SOC obligations specified in the contract are appropriate for the type of customer and aligned with the kind of work the company will be doing.
  3. Align TPA governance to other risk and compliance efforts within the organization.
    Creating a library of all requirements enterprise-wide is the first step in identifying both gaps and overlaps. Compiled and managed by the TPA PMO, the library should include internally identified requirements and requirements included in any TPA governance reports the organization issues. The inventory should also include requirements covered in any questionnaires or service-level agreements that the organization responds to periodically. Finally, the library should be periodically updated through an established process with clear lines of responsibility.
  4. Use SOC 2+ reports as much as possible.
    SOC 2+ reports are highly flexible tools that can incorporate multiple frameworks and industry standards into TPA reporting. By providing a standardized format for meeting a broad range of regulatory and industry control requirements, SOC 2+ reports eliminate the need for redundant activities and one-off responses. SOC 2+ reports can also be tailored to meet the ever-growing list of security questionnaires by mapping to a suitable and available criterion, such as the standardized information gathering (SIG) questionnaire.
  5. Proactively manage the full costs of TPA responsibilities.
    A complete analysis of TPA costs should include not only auditors’ fees but also the time that dedicated employees spend managing the third-party governance portfolio, as well as the time that control owners spend addressing requests.


Meeting demand and creating value

With the risks of outsourcing coming under increased scrutiny, the demand for TPA reporting is ballooning. Similarly, the cost of meeting this increasingly complex web of third-party governance and risk management requirements is expanding. Taking a proactive approach is a key step in containing both the costs and demands. To be effective, this approach should cover not only external expenditures but also the internal costs of keeping the third-party governance portfolio up and running.

Building a solid foundation by establishing a TPA steering committee and creating consistent governance processes, enforced by the TPA PMO, is often a good place to start. Considering third-party governance costs and obligations during the contracting process is another area that can yield rapid improvements.

Those who act to reduce the burdens of TPA reporting, instead of just reacting to them, should be better positioned to deliver the heightened level of comfort their customers need while creating significant value for their organizations.
