Third Party Assurance

Take control of third-party risk with a strong third-party assurance program

Today, there is a growing awareness among organisations that outsourcing functions of their business to a third party introduces certain risks.

As a consequence, it is critical for user organisations to manage any potential risk and obtain proper assurance and transparency over those services outsourced to a third party. One of the most effective ways in which service organisations (i.e. third parties) can communicate information about their risk management and controls is through a Service Auditor Report. Deloitte offers a range of Third Party Assurance services such as ISAE 3402, SSAE 18, ISAE 3000, SOC 1, SOC 2, SOC 3 and Agreed-Upon Procedures (AUP) reporting.

Deloitte has developed a comprehensive and structured approach for Third Party Assurance services. Our methodology for preparing and delivering service auditor reports follows a phased approach which is customised to meet specific business needs of our clients. Our approach incorporates a risk-centric focus, while also identifying the effective and efficient methods for identifying scope, testing controls and executing the tasks and activities associated with third-party assurance reporting.

Third-Party benefits and risks

Third parties — whether traditional vendors, business partners or inter-affiliates — often reduce time to market, lower service delivery costs and improve customer experiences. An extended enterprise can allow a company to access specialised talent not available in-house, driving product or service innovation. The use of third parties can also help an institution to better focus on its core capabilities.

But along with the benefits come additional risks. It is important for companies to be aware of all of the risks that may typically be associated with outsourcing, including, but not limited to, reputational, control, compliance, privacy, financial, operational and information security risks. Outsourcing any component of a company’s business to a service organisation can introduce any or all of these risks, either directly or indirectly. Direct risks are typically associated with the actual processing or hosting of data. Indirect risks, which can be equally critical, are normally associated with how the data is managed (or mismanaged) and with the clients’ perception of the relationship between the provider and the users of outsourced services. To effectively manage these risks, executives rely on specific reports (see Service Auditor Reporting Options) from their service organisations.