Gaining trust by third-party assurance ISAE reports

In today’s competitive and regulated markets, professional service providers must gain the trust of their customers. A third-party assurance report is a great tool to demonstrate and communicate trustworthiness. In this article I will describe the characteristics of an ISAE report and how these third-party attestations can be of great benefits for both service organizations
and for the customers who are purchasing their services.

The challenge
For many years now organizations have outsourced certain parts of their business operations to external service organizations. Outsourcing has several benefits, such as cost reductions and enabling management to focus on the key business processes. There are however risks involved that need to be managed. The main risk is probably the lack of insight and control of the operations being outsourced. Control failures and quality problems at the external party may not be properly communicated, which could lead to devastating consequences both in terms of reputation and costs.

I have been working as an auditor now for more than 20 years and I have performed numerous audits of organizations´ processes and controls related to managing their outsourced vendors. In my view, organizations are often struggling with performing sufficient monitoring and auditing of their suppliers. Regular vendor meetings are often performed where availability incidents and on-going activities are discussed and reported; however, the internal control and security processes at the vendor are rarely reviewed. Some organizations, often the larger ones, do perform regular supplier audits. My experience is however that these audits are often rather time consuming and it is sometimes difficult to obtain the right competence as well as get sufficient attention from the supplier. On the other hand, from a supplier perspective with many customers, it can be very challenging to be subject to individual reviews and audits from several customers.

The solution
A solution that manages these challenges and risks is that the supplier provides an independent assurance report. This has become more and more common and is standardized through the ISAE-standard (International Standard on Assurance Engagements). Through this report the supplier obtains an independent assertion that sufficient controls have been implemented to manage defined control objectives within the delivered services. The report can then be provided to their customers as an evidence of satisfactory internal processes and controls. The ISAE report consists of two main sections. In the first section, the service organization describes its internal control environment and the significant controls that
are performed. The second section contains the independent auditor’s performed tests and its opinion on the reliability of the controls performed by the service organization.

There are two different ISAE reports depending on the scope of the assessment. ISAE3402 (sometimes referred to as SOC1) is used for verifying internal control over financial reporting, whereas ISAE3000 (sometimes referred to as SOC2) is used for verifying internal control over operations, information security and sustainability. So far ISAE3402 has been more commonly used, often promoted by the external auditors of the customers. However, due to the increasing cyber threats and regulations linked to information security and CSR, there is also an increasing need for third-party assurance reports to include availability, integrity, confidentiality and traceability of the processed information, which is covered in the ISAE3000.

The ISAE reports can be provided on two levels. You can either issue a type I report to verify the design and implementation of controls at a specific point in time or issue a type II report to verify operational effectiveness through sample testing for a period of 6-12 months. Naturally, a type II report gives a higher degree of assurance. It is recommended though to start with a type I report the first year and then obtain a type II report the following years.

The benefits
It is becoming more common for organizations that outsource important parts of their business to include a requirement of an ISAE-report in the vendor agreement. Naturally, this is very beneficial for the organization as it gives a high level of assurance of the internal controls without having to perform their own reviews and audits of the outsourced vendor. In addition, there are several regulatory requirements related to controls over outsourced procedures. This sounds good, you might think, but what are the benefits for the service organization? Obtaining a ISAE certificate is off course compatible with a certain cost. There are several benefits also for the service organization. The main benefit is that this report can be provided to the customers instead of spending time on answering different questionnaires or participating in individual audits from customers.

This is especially beneficial for service organizations where a standardized service is being provided to multiple customers. In
addition, it also builds trust and the service organizations providing ISAE reports have also seen a competitive advantage in tender procedures as it also demonstrates a high level of transparency towards customers. Furthermore, it increases control awareness within the service organization and is a great way of continuously measuring and evaluating the
performance.

So, if you are a professional service provider, I strongly recommend that you investigate if and how a third-party assurance report can help your organization to gain trust in the market. And if your organization is relying on deliveries from professional services, I recommend that you ask your service providers to present a third-party assurance report.

Magnus Thyllman

Director, IT Assurance

Send email

+46708417703