Article

Third Party Assurance

Prime Performance

I recently saw some research that showed that the average age of an elite marathon runner is 28. Now I am neither an elite marathon runner, nor am I 28 years old, but this got me thinking about the time it takes to reach the top of a specific field. The combination of physical strength and endurance together with mental motivation and stamina that results in prime performance.

This year Third Party Assurance turns 28 years old. It was 1992 when the SAS70 standard came into effect. Since then we have seen the growth and evolution of the original standards – ISAE 3402 (2009), SSAE 16 (2010), SOC 2 (2015) and SSAE 18 (2017) – into the Third Party Assurance landscape that we see today.

Just like a prime performing athlete, Third Party Assurance is strong and exciting, racing forward to meet the growing needs of customers and stakeholders.  

So what does this mean for you?

Third Party Assurance is a powerful and robust mechanism for increasing trust in an ecosystem. Enhanced and refined over the years, a high quality ISAE 3402 report is able to address multiple stakeholder requirements and reduce the number of customer assurance queries that you need to respond to.

The degree to which your customers and their auditors can place reliance on the Assurance report is high, giving you and them the confidence in your internal controls.

A mature Third Party Assurance program will result in a self-improving environment that strives to improve with each report, taking the customer and auditor feedback on to continually enhance the overall control environment.

Just as every athlete knows you only get out what you put in, the outcome of your prime performing Third Party Assurance program will be increased value to you, your customers and our stakeholders. 

And yet, Third Party Assurance is not perfect.

There are still challenges that need to be overcome. Third Party Assurance programs grapple with the practicalities of meeting multiple customer needs, for example, and the timing impact thereof.

There is also continual need to enhance the understanding within organisations and their ecosystems of the value Third Party Assurance offers, and the mechanisms that drive its value. 

What about SOC 2, the 5 year old?

SOC 2 is just like a 1st grader, relying on its older family members, but already making an impact. SOC 2 is growing quickly, finding its place in the assurance world. SOC 2 is rising up to meet the needs as ecosystems rely ever more on technology, and the traditional boundaries of the enterprise no longer exist.

Where to next for Third Party Assurance?

As third Party Assurance continues to mature, we should see the broadening of the use of Service Auditor Reports, across geographies and industries.

We would also expect to see deeper specialisation of SOC 2+ and other assurance niches to come to the fore and meet the emerging assurance needs.

And more generally, we should see more Third Party Assurance optimisation. Where companies streamline their assurance programs to generate greater value, drive efficiencies and align compliance requirements so that the customers and stakeholder get the direct benefit of the enhanced service landscape.

Key Contact:
Trevor Wright
Deloitte Risk Advisory Africa
Email: trewright@deloitte.co.za
Direct: 011 209 8244

Did you find this useful?