Third party assurance services


TECHNOLOGY RISK SERVICES
Third party assurance services
Delivering assurance over your service providers

The current third party service provider environment

Corporate UK has been transformed in recent years. Against the backdrop of an increasing regulatory burden, and in the face of dynamic and challenging markets, tough competition, resource pressures and increased IT complexity, firms face the challenge of improving performance. The use of third parties can deliver operational and financial improvements but can also, if not managed properly, magnify risk. The current corporate environment has increased the emphasis on outsourced service providers working with their clients and their clients' auditors to show that the risks associated with the outsourced service are being appropriately managed.

Grant Thornton's third party assurance services, including the provision of service auditor reports, third party supplier operational and security risk assessments, third party contract reviews and customised vendor management audits, help to manage third party risk and provide assurance to senior management and other stakeholders.

For many years the volume and diversity of services outsourced to third parties has been increasing across all industries. Many organisations today depend on a large number of service providers for support. Examples include:

Information technology services, including hosting, cloud computing, Software as a Service (SaaS) and Infrastructure as a Service (IaaS)
Shared service centres
Human resources and payroll
Investment management and administration
Pension administration
Fund management
Custody and securities administration

Legislation, such as the 2002 Sarbanes-Oxley Act, Japan's Financial Instruments and Exchange Law (J-SOX) and data protection legislation worldwide, together with several high profile data security incidents involving third parties, has reinforced the general understanding that providing sensitive data to third parties can introduce significant additional risk.

While outsourcing offers many established benefits, the current UK environment presents users of outsourced services with the very significant challenge of incorporating good governance practice over these functions, as well as demonstrating compliance. This is compounded by ever changing and increasing levels of regulation and legislation. In the current commercial world, doing the right thing is often not enough: a service organisation also needs to demonstrate that it has an effective operating environment.

Third party assurance: what are the available options?

Responding to stakeholder concerns

Although companies outsource the performance of key services, they retain responsibility for their regulatory requirements. They also remain responsible for ensuring that the control environments supporting their business processes are operating effectively, regardless of who is managing them. Companies need to ensure that outsourced processes are migrated in a structured manner, and to confirm that procedures are in place to monitor and manage the risks associated with the third party services provided.

Third party audits

There have been a number of high profile instances of third parties not properly controlling their clients' data. This has resulted in data loss, reputational damage and, in some instances, fines from the Information Commissioner's Office for failing to establish an appropriate control environment. Examples of such failures include:

Absence of a third party risk assessment framework to enable effective categorisation and management of suppliers
Inadequately defined contractual obligations
Poorly established system functional requirements, which led to the non-delivery of a service contract
Undefined Service Level Agreements (SLAs) for systems which were not adequately tested prior to going live
On-going service provision where target service levels are not monitored, or even measured

There are many risks associated with the use of third parties in financial, regulatory and operational terms. We have a team of specialist auditors who have undertaken various third party audits of outsourcing projects and operational contracts, and who have helped to identify improvement opportunities. As part of internal audit engagements or as standalone audits, we have performed the following third party reviews:

Risk reviews of IT outsourcing projects
Outsourcing contract reviews
Project reviews over outsourcing programmes
Reviews over vendor management and governance
Cost verification audits
Royalty audits
Third party functional and IT performance audits
Third party security and data privacy audits

Service providers can work with user organisations in several ways to provide this assurance, by:

Establishing detailed service level agreements with strong monitoring
Obtaining a service auditor report from the outsourced service provider
Using a strong contractual and legal framework
Using internal auditors to test the effectiveness of the outsourced control environment
Completing an independent review of compliance with security and privacy requirements

Third party supplier operational and security risk assessment

As the business community continues to find new and innovative ways to embrace the power of technology, through established solutions such as cloud computing and software or infrastructure as a service, or through new means of mobile computing, the security threat increases in complexity. The need for reliable and up to date security practices, supported by the development of a mature organisation wide security culture, is now critical to protect organisational interests and executive reputations.

When allowing third parties access to a company's data, the operational activities may be outsourced, but the responsibility for ensuring that the data is secure is not. Fines for the loss of laptops, unencrypted back-up tapes, customer information and the like demonstrate the financial, commercial and reputational impact of such breaches. Our third party security assessments help to assess the risk and possible impact of information loss at third party vendors. We have performed a variety of customised third party security assessments to give companies assurance that their third parties are managing data securely, appropriately and in line with contractual agreements.

The average cost of a data breach for a UK company has reached £1.7 million, and is now £47 per lost customer record.

Third party security assessment - case study

We have completed security assessments over several third party service providers for a leading FTSE 100 media organisation. We established a bespoke testing framework, aligned to industry good practice, which met client specific needs. We then completed systematic testing over a given period, communicating findings to both the third party service provider and the user organisation.
Service auditor reports - SSAE 16, AAF, ISAE and ITF

AAF 01/06 and ITF 01/07 reports, the international standard ISAE 3402 and the US standard SSAE 16 (which replaced SAS 70) are the service auditor reports most commonly used in the UK to deliver third party assurance over service providers. It is important to understand the differences between, and the expectations associated with, each of these reporting frameworks when producing a service auditor report, so that the appropriate report type is selected. Each report has its own merits, and we can help select the right report for different service provider and user organisation requirements.

Service auditor reports, if planned and delivered effectively, can provide users of outsourced services, and their auditors, with reasonable and demonstrable assurance that controls over outsourced processes are operating effectively. Additional benefits of service auditor reports may include:

Meeting Sarbanes-Oxley requirements associated with understanding the operating effectiveness of outsourced controls
Providing comfort that controls are being exercised over data
Delivering assurance beyond the standard service level agreement
Helping to identify process and technology weaknesses

Auditors play a key role in the risk assessment associated with their clients' outsourcing activities. Service auditor reports (including SSAE 16, ISAE 3402, AAF 01/06 and ITF 01/07), together with reviews of risk management at, and after, migration, are increasingly used to provide a framework around which user organisations and their auditors can gain insight into the internal controls in place at service organisations.
Service auditor reports
SSAE 16: Statement on Standards for Attestation Engagements 16
ISAE 3402: International Standard on Assurance Engagements 3402
ITF 01/07: Information Technology Faculty of ICAEW 01/07
SAS 70: Statement on Auditing Standards 70, Service Organisations
AAF 01/06: Audit and Assurance Faculty of ICAEW 01/06

A service auditor report also supports identifying the controls at the client organisation necessary to complement those of the outsourced service provider.

Service auditor report - case study

Grant Thornton has helped many clients to obtain service auditor reports against the AAF, ISAE 3402 and SSAE 16 frameworks. For one FTSE 350 services client, we initially held workshops to raise awareness and communicate the implications of a service auditor report. We then facilitated identification of the in-scope control objectives and associated control activities before performing a gap analysis. We have subsequently completed a number of type 1 and type 2 AAF reports in different parts of the client's business.

Why Grant Thornton?

Grant Thornton UK LLP is the UK member firm of Grant Thornton International, one of the world's leading international organisations of independently owned and managed accounting and consulting firms. This provides access to an international network and a wealth of multidisciplinary experience, offering comprehensive solutions to help you respond effectively to changing risks within and outside the organisation, in order to achieve your business goals.

Our team has experience of undertaking significant third party assurance work, ranging from internal audits over outsourcing programmes, vendor management and contract reviews to bespoke third party security assessments. Our experience covers all industries and all sizes of clients and third parties, and we can tailor our services to meet client needs.

Our professionals understand your business. Commercially minded and risk focused, our team of independent thinkers offers, we believe, the best combination of quality, expertise and value. We aim to work in partnership with you to deliver incisive, value adding results. Our team features experienced audit, risk and contract experts who have held senior positions in leading organisations.

How we can help

We have an established methodology and considerable experience in working with our clients through all aspects of their service auditor reporting activities, from selecting and scoping through to effective delivery of reports in line with the SSAE 16, AAF 01/06, ITF 01/07 and ISAE 3402 standards. We can also provide expert reviews of third party contracts to ensure that operational and other risks are appropriately managed and mitigated.

Who should I contact for assistance?

To understand more about our third party assurance services, or the wider range of our consulting services, please contact:

Sandy Kumar, Partner, Head of Business Risk Services. T +44 (0)20 7728 3248, E sandy.kumar@uk.gt.com
Philip Keown, Director, Third Party Assurance Services Lead, Corporates/Not for Profit. T +44 (0)20 7728 2394, E philip.r.keown@uk.gt.com
Ravi Joshi, Associate Director, Head of Technology Risk Services. T +44 (0)20 7865 2571, E ravi.joshi@uk.gt.com
Manu Sharma, Associate Director, Cyber Security and Privacy Services Lead. T +44 (0)20 7865 2406, E manu.sharma@uk.gt.com

© 2013 Grant Thornton UK LLP. All rights reserved. 'Grant Thornton' means Grant Thornton UK LLP, a limited liability partnership. Grant Thornton is a member firm of Grant Thornton International Ltd (Grant Thornton International). References to 'Grant Thornton' are to the brand under which the Grant Thornton member firms operate and refer to one or more member firms, as the context requires. Grant Thornton International and the member firms are not a worldwide partnership. Services are delivered independently by member firms, which are not responsible for the services or activities of one another. Grant Thornton International does not provide services to clients. This publication has been prepared only as a guide. No responsibility can be accepted by us for loss occasioned to any person acting or refraining from acting as a result of any material in this publication. grant-thornton.co.uk V22817