Third party assurance services

Delivering assurance over your service providers


The current third party service provider environment

Corporate UK has been transformed in recent years. Against the backdrop of increasing regulatory burden and in the face of dynamic and challenging markets, tough competition, resource pressures and increased IT complexity, firms are facing the challenge to improve performance.

The use of third parties can introduce operational and financial improvements but can, if not managed properly, also magnify risk.

The current corporate environment has increased the emphasis on outsourced service providers working with their clients and their clients’ auditors to show that the risks associated with the outsourced service are being appropriately managed.

Grant Thornton’s third party assurance services, including the provision of service auditor reports, third party supplier operational and security risk assessments, third party contract reviews and customised vendor management audits, help to manage the third party risk and also provide assurance to senior management and other stakeholders.

Legislation, such as the 2002 Sarbanes Oxley Act, the Financial Instruments and Exchange Law (JSOX), other global data protection legislation, as well as several high profile data security incidents involving third parties, have helped to reinforce the general understanding that providing sensitive data to third parties can introduce significant additional risks.

For many years the volume and diversity of services outsourced to third parties has been increasing across all industries. Many organisations depend on a vast number of service providers for support; a few examples are listed below.

While outsourcing offers many established benefits, the current UK environment presents users of outsourced services with the very significant challenge of incorporating good governance practice over these functions, as well as demonstrating compliance. This is also compounded by ever changing and increasing levels of regulation and legislation.

In the current commercial world ‘doing the right thing’ is often not enough. A service organisation also needs to demonstrate that they have an effective operating environment.

• Information technology services including hosting, cloud computing, Software as a Service (SaaS) and Infrastructure as a Service (IaaS)
• Shared service centres
• Human resources and payroll
• Investment management and administration
• Pension administration
• Fund management

Responding to stakeholder concerns

Although companies outsource the performance of key services, they still retain responsibility for their regulatory requirements. They will also be responsible for ensuring that the control environments supporting their business processes are operating effectively, regardless of who is managing them.

Companies will need to ensure that these outsourced processes are migrated in a structured manner and confirm procedures are in place to monitor and manage risks associated with the third party services provided.

Service providers can work with user organisations in several ways to provide this assurance by:

• Completing an independent review of compliance with security and privacy requirements
• Using internal auditors to test the effectiveness of the outsourced control environment
• Using a strong contractual and legal framework
• Obtaining a service auditor report from the outsourced service provider
• Establishing detailed service level agreements with strong monitoring

Third party assurance – what are the available options?

Third party audits

There have been a number of high profile instances of third parties not properly controlling their client data. This has resulted in data loss, reputational damage and, in some instances, fines from the Information Commissioner’s Office for failing to establish an appropriate control environment. Some examples:

• Inadequately defined contractual obligations
• Absence of a third party risk assessment framework to enable effective categorisation and management of suppliers
• Poorly established system functional requirements which led to the non-delivery of a service contract
• Undefined Service Level Agreements (SLAs) for systems which were not adequately tested prior to going live
• On-going service provisions where target service levels are not monitored or even measured

There are many risks associated with the use of third parties in financial, regulatory and operational terms.

We have a team of specialist auditors who have undertaken various third party audits of outsourcing projects and operational contracts, and who have helped to identify improvement opportunities.

As part of internal audit engagements or as standalone audits, we have performed the following third party reviews:

• Risk reviews of IT outsourcing projects
• Project reviews over outsourcing programmes
• Reviews over vendor management and governance
• Outsourcing contract reviews
• Cost verification audits
• Royalty audits
• Third party functional and IT performance audits
• Third party security and data privacy audits

When allowing third parties access to a company’s data, the operational activities may be outsourced, but the responsibility for ensuring that data is secure is not. Examples of fines for loss of laptops, unencrypted back-up tapes, customer information, etc. demonstrate the financial, commercial and reputational impact of such breaches.

Our third party security assessments can help assess the risk and possible impact of any information loss from third party vendors.

We have performed a variety of customised third party security assessments to provide companies with the assurance that their third parties are securely and appropriately managing data in line with contractual agreements.

Service auditor reports - SSAE 16, AAF, ISAE and ITF

AAF 01/06, ITF reports, the international standard ISAE 3402 and the US SSAE 16 (previously known as SAS 70) are the most commonly used service auditor reports in the UK that deliver third party assurance over service providers.

It is important to understand the differences and the expectations associated with each of the reporting frameworks when producing a service auditor report, so that the appropriate report type is selected. Each report has its own merits and we can help select the right report for different service providers and user organisation requirements.

Service auditor reports, if planned and delivered effectively, can provide users of outsourced services and their auditors with reasonable and demonstrable assurance that controls are operating effectively over outsourced processes.

Additional benefits of service auditor reports may include:

• Meeting Sarbanes Oxley requirements associated with understanding the operating effectiveness of outsourced controls
• Providing comfort that controls are being exercised over data
• Delivering assurance beyond the standard service level agreement
• Helping to identify process and technology weaknesses
• Identifying the controls at the client organisation necessary to complement those of the outsourced service provider

Service auditor report - case study

Grant Thornton has helped many clients in obtaining service auditor reports against the AAF, ISAE 3402 and SSAE 16 frameworks.

For one FTSE 350 services client, we initially held communications/understanding workshops to enhance awareness and communicate the implications of a service auditor report. We then facilitated identification of in-scope control objectives and associated control activities before performing a gap analysis. We have subsequently completed a number of type 1 and type 2 AAF reports in different parts of the client’s business.

Third party supplier operational and security risk assessment

As the business community continues to find new and innovative approaches to embrace the power of technology through established solutions, such as cloud computing and software/infrastructure as a service, or new means of mobile computing, the security threat increases in complexity.

The need for reliable and up to date security practices, supported by the development of a mature organisation-wide security culture, is now critical to protect organisational interests and executive reputations.

The average cost of a data breach for a UK company has reached £1.7 million and is now £47 per lost customer record

Third party security assessment - case study

We have completed security assessments over several third party service providers for a leading FTSE 100 media organisation. We established a bespoke testing framework aligned to industry good practice which met client specific needs. We also completed systematic testing for a given period, communicating findings to both the third party service provider and the user organisation.

Auditors play a key role in the risk assessment associated with their clients’ outsourcing activities and service auditor reports including SSAE 16, ISAE 3402, AAF 01/06 and ITF 01/07.

Reviews of risk management at, and after, migration are also increasingly used to provide a framework around which user organisations and their auditors can gain insight into the internal controls in place at service organisations.

Service auditor reports

• SSAE 16: Statement on Standards for Attestation Engagements 16
• ISAE 3402: International Standards for Assurance Engagements 3402
• ITF 01/07: Information Technology Faculty of ICAEW 01/07
• SAS 70: Service Organisation Auditing Standards 70
• AAF 01/06: Audit and Assurance Faculty of ICAEW 01/06

Who should I contact for assistance?

To understand more about our third party assurance services or a wider range of our consulting services, please contact:

Sandy Kumar
Partner, Head of Business Risk Services
T +44 (0)20 7728 3248 E sandy.kumar@uk.gt.com

Philip Keown
Director, Third Party Assurance Services Lead Corporates/Not for Profit
T +44 (0)20 7728 2394 E philip.r.keown@uk.gt.com

Ravi Joshi
Associate Director, Head of Technology Risk Services
T +44 (0)20 7865 2571 E ravi.joshi@uk.gt.com

Manu Sharma
Associate Director, Cyber Security and Privacy Services Lead
T +44 (0)20 7865 2406 E manu.sharma@uk.gt.com

© 2013 Grant Thornton UK LLP. All rights reserved. ‘Grant Thornton’ means Grant Thornton UK LLP, a limited liability partnership. Grant Thornton is a member firm of Grant Thornton International Ltd (Grant Thornton International). References to ‘Grant Thornton’ are to the brand under which the Grant Thornton member firms operate and refer to one or more member firms, as the context requires. Grant Thornton International and the member firms are not a worldwide partnership. Services are delivered independently by member firms, which are not responsible for the services or activities of one another. Grant Thornton International does not provide

Why Grant Thornton?

• Grant Thornton UK LLP is the UK member firm of Grant Thornton International, one of the world’s leading international organisations of independently owned and managed accounting and consulting firms. This provides access to an international network and a wealth of multidisciplinary experience, offering comprehensive solutions to help you respond effectively to changing risks within, and outside, the organisation in order to achieve your business goals. Our team has experience of undertaking significant third party assurance work ranging from internal audits over outsourcing programmes, vendor management, contract reviews and management and bespoke third party security assessments. Our wealth of experience covers all industries and all sizes of clients and third parties and we can tailor our services to meet client needs.

• Our professionals understand your business. Commercially minded and risk focused, our team of independent thinkers offers, we believe, the best combination of quality, expertise and value. We aim to work in partnership with you to deliver incisive, value adding results. Our team features experienced audit, risk and contract experts, who have held senior positions in leading organisations.

How we can help

We have an established methodology and considerable experience in working with our clients through all aspects of their service auditor reporting activities. This includes selecting and scoping, through to effective delivery of reports in line with SSAE 16, AAF 01/06, ITF 01/07 and ISAE 3402 standards.

We can also provide expert reviews of third party contracts to ensure operational and other risks are appropriately managed and mitigated.
