Third party assurance services

Transcription

1 TECHNOLOGY RISK SERVICES Third party assurance services Delivering assurance over your service providers

2 The current third party service provider environment Corporate UK has been transformed in recent years. Against the backdrop of increasing regulatory burden and in the face of dynamic and challenging markets, tough competition, resource pressures and increased IT complexity, firms are facing the challenge to improve performance. The use of third parties can introduce operational and financial improvements but can, if not managed properly, also magnify risk. The current corporate environment has increased the emphasis on outsourced service providers working with their clients and their clients auditors, to show that the risks associated with the outsourced service are being appropriately managed. Grant Thornton s third party assurance services, including the provision of service auditor reports, third party supplier operational and security risk assessments, third party contract reviews and customised vendor management audits, help to manage the third party risk and also provide assurance to senior management and other stakeholders. For many years the volume and diversity of services outsourced to third parties has been increasing across all industries. Many organisations today often depend on a vast number of service providers for support. We provide a few examples in the adjacent list. Information technology services including hosting, cloud computing, Software as a Service (SaaS) and Infrastructure as a Service (IaaS) Shared service centres Human resources and payroll Investment management and administration Pension administration Fund management Custody and securities administration Legislation, such as the 2002 Sarbanes Oxley Act, the Financial Instruments and Exchange Law (JSOX), other global data protection legislation, as well as several high profile data security incidents involving third parties, have helped to reinforce the general understanding that providing sensitive data to third parties can introduce significant additional risks. While outsourcing offers many established benefits, the current UK environment presents users of outsourced services with the very significant challenge of incorporating good governance practice over these functions, as well as demonstrating compliance. This is also compounded by ever changing and increasing levels of regulation and legislation. In the current commercial world doing the right thing is often not enough. A service organisation also needs to demonstrate that they have an effective operating environment. 2 Third party assurance services Third party assurance services 3

3 Absence of a third party risk assessment framework to enable effective categorisation and management of suppliers Third party assurance what are the available options? Inadequately defined contractual obligations Responding to stakeholder concerns Although companies outsource the performance of key services, they still retain responsibility for their regulatory requirements. They will also be responsible for ensuring that the control environments supporting their business processes are operating effectively, regardless of who is managing them. Companies will need to ensure that these outsourced processes are migrated in a structured manner and confirm procedures are in place to monitor and manage risks associated with the third party services provided. Third party audits There have been a number of high profile instances of third parties not properly controlling their client data. This has resulted in data loss, reputational damage and, in some instances, fines from the Information Commissioner s Office for failing to establish an appropriate control environment. Adjacent are some examples: There are many risks associated with use of third parties in financial, regulatory and operational terms. We have a team of specialist auditors who have undertaken various third party audits of outsourcing projects and operational contracts, and who have helped to identify improvement opportunities. As part of internal audit engagements or as standalone audits, we have performed the following third party reviews: Risk reviews of IT outsourcing projects Outsourcing contract reviews Poorly established system functional requirements which led to the non-delivery of a service contract Undefined Service Level Agreeemnts (SLAs) for systems which were not adequately tested prior to going live On-going service provisions where target service levels are not monitored or even measured Service providers can work with user organisations in several ways to provide this assurance by: Establishing detailed service level agreements with strong monitoring Obtaining a service auditor report from the outsourced service provider Project reviews over outsourcing programmes Reviews over vendor management and governance Cost verification audits Using a strong contractual and legal framework Using internal auditors to test the effectiveness of the outsourced control environment Completing an independent review of compliance with security and privacy requirements Royalty audits Third party functional and IT performance audits Third party security and data privacy audits 4 Third party assurance services Third party assurance services 5

4 Third party security assessment - case study We have completed security assessments, over several third party service providers, for a leading FTSE 100 media organisation. We established a bespoke testing framework aligned to industry good practice and which met client specific needs. We also completed systematic testing for a given period, communicating findings to both the third party service provider and user organisation. Third party supplier operational and security risk assessment As the business community continues to find new and innovative approaches to embrace the power of technology through established solutions, such as cloud computing and software/ infrastructure as a service or new means of mobile computing, the security threat increases in complexity. The need for reliable and up to date security practices, supported by the development of a mature organisational wide security culture, is now critical to protect organisational interests and executive reputations. The average cost of a data breach for a UK company has reached 1.7 million and is now 47 per lost customer record When allowing third parties access to a company s data, the operational activities may be outsourced, but the responsibility for ensuring that data is secure is not. Examples of fines for loss of laptops, unencrypted back-up tapes, customer information, etc demonstrate the financial, commercial and reputational impact of such breaches. Our third party security assessments can help assess the risk and possible impact of any information loss from third party vendors. We have performed a variety of customised third party security assessments to provide companies with the assurance that their third parties are securely and appropriately managing data in line with contractual agreements. Service auditor reports - SSAE 16, AAF, ISAE and ITF AAF 01/06, ITF reports, the international standard ISAE 3402 and the US SSAE 16 (previously known as SAS 70) are the most commonly used service auditor reports in the UK that deliver third party assurance over service providers. It is important to understand the differences and the expectations associated with each of the reporting frameworks in producing a service auditor report. This is to ensure the appropriate report type is selected. Each report has its own merits and we can help select the right report for different service providers and user organisation requirements. Service auditor reports, if planned and delivered effectively, can provide users of outsourced services and their auditors, with reasonable and demonstrable assurance that controls are operating effectively over outsourced processes. Additional benefits of service auditor reports may include: Meeting Sarbanes Oxley requirements associated with understanding operating effectiveness of outsourced controls Providing comfort that controls are being exercised over data Delivering assurance beyond the standard service level agreement Helping to identify process and technology weaknesses Auditors play a key role in the risk assessment associated with their clients outsourcing activities and service auditor reports including SSAE 16, ISAE 3402, AAF 01/06 and ITF 01/07. Reviews of risk management at, and after, migration are also being increasingly used. This is to provide a framework around which user organisations and their auditors can gain insight over the internal controls in place at service organisations. Service auditor reports SSAE 16 Statement on Standards for Attestation Engagements 16 ISAE 3402 International Standards for Assurance Engagements 3402 ITF 01/07 Information Technology Faculty of ICAEW 01/07 SAS 70 Service Organisation Auditing Standards 70 AAF 01/06 Audit and Assurance Faculty of ICAEW 01/06 Identifying the controls at the client organisation necessary to complement those of the outsourced service provider Service auditor report - case study Grant Thornton has helped many clients in obtaining service auditor reports against the AAF, ISAE 3402 and SSAE 16 frameworks. For one FTSE 350 services client, we initially held communications/understanding workshops to enhance awareness and communicate the implications of a service auditor report. We then facilitated identification of in-scope control objectives and associated control activities before performing a gap analysis. We have subsequently completed a number of type 1 and type 2 AAF reports in different parts of the client s business. 6 Third party assurance services Third party assurance services 7

5 Why Grant Thornton? Grant Thornton UK LLP is the UK member firm of Grant Thornton International, one of the world s leading international organisations of independently owned and managed accounting and consulting firms. This provides access to an international network and a wealth of multidisciplinary experience, offering comprehensive solutions to help you respond effectively to changing risks within, and outside, the organisation in order to achieve your business goals. Our team has experience of undertaking significant third party assurance work ranging from internal audits over outsourcing programmes, vendor management, contract reviews and management and bespoke third party security assessments. Our wealth of experience covers all industries and all sizes of clients and third parties and we can tailor our services to meet client needs. Our professionals understand your business. Commercially minded and risk focused, our team of independent thinkers offers, we believe, the best combination of quality, expertise and value. We aim to work in partnership with you to deliver incisive, value adding results. Our team features experienced audit, risk and contract experts, who have held senior positions in leading organisations. Who should I contact for assistance? To understand more about our third party assurance services or a wider range of our consulting services, please contact: Sandy Kumar Partner Head of Business Risk Services T +44 (0) E sandy.kumar@uk.gt.com Philip Keown Director Third Party Assurance Services Lead Corporates/Not for Profit T +44 (0) E philip.r.keown@uk.gt.com Ravi Joshi Associate Director Head of Technology Risk Services T +44 (0) E ravi.joshi@uk.gt.com Manu Sharma Associate Director Cyber Security and Privacy Services Lead T +44 (0) E manu.sharma@uk.gt.com How we can help We have an established methodology and considerable experience in working with our clients through all aspects of their service auditor reporting activities. This includes selecting and scoping, through to effective delivery of reports in line with SSAE 16, AAF 01/06, ITF 01/07 and ISAE 3402 standards. We can also provide expert reviews of third party contracts to ensure operational and other risks are appropriately managed and mitigated Grant Thornton UK LLP. All rights reserved. Grant Thornton means Grant Thornton UK LLP, a limited liability partnership. Grant Thornton is a member firm of Grant Thornton International Ltd (Grant Thornton International). References to Grant Thornton are to the brand under which the Grant Thornton member firms operate and refer to one or more member firms, as the context requires. Grant Thornton International and the member firms are not a worldwide partnership. Services are delivered independently by member firms, which are not responsible for the services or activities of one another. Grant Thornton International does not provide services to clients. This publication has been prepared only as a guide. No responsibility can be accepted by us for loss occasioned to any person acting or refraining from acting as a result of any material in this publication. grant-thornton.co.uk V22817