Can your customers trust your services? Third Party Assurance

Transcription

1 Can your customers trust your services? Third Party Assurance ISAE 3402 and SSAE 16 Audit Services

2 Your customers need confidence... The concentration on the core business and the increasing cost pressure are the two main factors for the steady rise of outsourced services. Due to increasing national and international requirements (e.g. Sarbanes-Oxley Act) outsourcing services gained in importance. In addition the extent and the nature of the outsourced services became more complex. Service providers of all types, especially those servicing the financial institutions or hosting data centres, must demonstrate to their customers and their customers stakeholders that they provide complete, accurate, and secure transaction processing in a well controlled environment. Indeed, in many instances, service provider companies are required by their customers to have a third-party examination of their services to provide assurance in connection with financial or internal audits. If your organisation provides services having effect on the entity s financial statements, then you may be asked to provide a report on internal controls for the benefit of the entity s management and their financial statement auditors. Conversely, if your company outsources some or all of its business operations to a service organisation and these operations have an effect on your financial statements, then an audit report may provide you and your independent auditors information about the service organisation s control environment, their related control objectives, and their effect on your financial statements. For organisations providing transaction processing for their customers, a ISAE 3402/SSAE 16 report including an independent auditor opinion is an effective method of communication that internal controls over systems and processes are suitably designed and are operating effectively within a well-controlled environment. Such formal communication has recently become an important success factor when differentiating between service organisations and demonstrating ability to achieve high quality performance.

3 What can you do to raise their confidence? Providing assurance to your customers PwC provides the assurance that your customers are looking for through ISAE 3402, SSAE 16 attestations. Statement on Standards for Attestation Engagements 16 (SSAE 16) is the US standard issued by the American Institute of Certified Public Accountants. The International Standard on Assurance Engagements 3402 (ISAE 3402) is issued by the International Auditing and Assurance Standards Board (IAASB). By providing your customers a Third Party Services report, your customers have an independent assessment of controls and processes. This is a report that provides them with the confidence they are seeking. The ISAE 3402/SSAE 16 report allows a company s auditor to understand the controls that are in place and rely on controls operating effectively at the service provider. The report should eliminate or significantly reduce the requirement for the company s auditor to do additional testing of a service provider s controls. The SAS 70 standard is obsolete from 15 June 2012 and is superseded by two new standards, the International Standard on Assurance Engagements 3402 (ISAE 3402) and Statement on Standards for Attestation Engagements 16 (SSAE 16).

4 What are Third Party Assurance reports? ISAE 3402 and SSAE 16 Audit The ISAE 3402/SSAE 16 audit report allows a company s auditor to understand the controls that are in place and operating effectively at the service provider. The report should eliminate or significantly reduce the requirement for the company s auditor to do additional testing of a service provider s controls. Some of the common services which are often relevant to ISAE 3402/SSAE 16 are those functions provided by application service providers, benefit administrators, mortgage processing companies, insurance claims processing companies, and payroll processing providers. The ISAE 3402/SSAE 16 audit report is not applicable to all third party service providers. Only those outsourced operations that affect user organizations financial statements can be addressed by a ISAE 3402/SSAE 16 audit. The cost of a ISAE 3402/SSAE 16 can vary greatly depending on the complexity of the services you provide. The good news is that having a ISAE 3402/SSAE 16 audit performed by us is much less intrusive and costly than undergoing audits by all of your customers and their auditors. A ISAE 3402/SSAE 16 audit is performed to address just those services that are relevant to the financial reporting of your customers. As such we have scaled ISAE 3402/SSAE 16 audits to cover a wide range of services from a small financial application with few relevant key controls to a complex global IT operation with many locations and dozens of controls. Our scoping identification process can help you define just the controls that may be key to your customers.

5 Benefits of Third Party Assurance services An independent, third-party assurance that adequate internal controls exist for customer information, and associated business processes and operations. Differentiating your organization from its peers by demonstrating the establishment of a sound control environment and a commitment to safeguarding your customer data. Building trust and strengthening relationships between you and your customers. Reducing the strain on your own organization by eliminating multiple visits from your customers auditors by having one ISAE 3402/SSAE 16 review performed. Identification of opportunities for improvement in business process and management of information technology operations. Provision of information for your customers external auditors regarding the effectiveness of your internal controls, which is required for your customers annual Sarbanes-Oxley Section 404 compliance. Removing the burden of having to manage and respond to multiple stakeholder requests. Allowing the organisation to be transparent about its processes in a controlled manner. Minimising the costs to the business by reducing the level of disruption to audit as usual activities. Enabling a fresh-look at processes and controls in order to identify appropriate control improvements that meet stakeholder requirements. Independent assurance about the service being provided to customer.

6 How can PwC help you? Scope identification PwC will assist you with defining the technologies and processes that should be included in a ISAE 3402/SSAE 16 audit that would meet the audit requirements of your customers. This effort will deliver a draft set of control activities that you should have in place to meet your customers expectations. Readiness assessment PwC will assist you in a preliminary assessment of the effective controls in place. Through interviews and limited testing, we will help you identify where controls need improvement. We will deliver recommendations of controls requiring remediation of documentation or effectiveness. Management can use these recommendations to improve controls in preparation for the ISAE 3402/SSAE 16 audit. ISAE 3402/SSAE 16 audit Our team will leverage the relationships and experience gained in the Scope Identification and Readiness Assessment to perform an efficient and effective audit of the control objectives defined by management. The deliverable of this service will be a report of independent Auditors (opinion) and the supporting description of control objectives, control activities, test procedures performed and related test results. Why should you utilize PwC? The way in which we differentiate our approach from the competition is the way we focus on our individual client s needs. We provide ISAE 3402 and SSAE 16 to over 50 clients in the Central and Eastern Europe region. We are a recognized leader of ISAE 3402 /SSAE 16 services due to the depth and rigor of our work. Our ongoing commitment to the highest level of quality, our well-tested and flexible approach, and our public stance regarding personal integrity, clearly differentiates the services we offer. We provide assurance services to a lot of companies in the Financial Services, Technology, Consumer and other industries. PwC has extensive TPA services knowledge and experience performing ISAE 3402 /SSAE 16 audits and related projects, enabling us to maximize the value we provide to your organization. Our proven ISAE 3402 /SSAE 16 methodology and experience bring immediate value to your organization through the three primary services outlined above.

7 Who are we? Contact us PwC ( provides industry-focused assurance, tax and advisory services to build public trust and enhance value for its clients and their stakeholders. More than 169,000 people in 158 countries across our network share their thinking, experience and solutions to develop fresh perspectives and practical advice. PwC refers to the network of member firms of PricewaterhouseCoopers International Limited, each of which is a separate and independent legal entity. Mircea Bozga Partner Assurance Services Tel: mircea.bozga@ro.pwc.com Ovidiu Sandu Manager Assurance Services Tel: ovidiu.sandu@ro.pwc.com

8 2013 PwC. All rights reserved. Not for further distribution without the permission of PwC. PwC refers to the network of member firms of PricewaterhouseCoopers International Limited (PwCIL), or, as the context requires, individual member firms of the PwC network. Each member firm is a separate legal entity and does not act as agent of PwCIL or any other member firm. PwCIL does not provide any services to clients. PwCIL is not responsible or liable for the acts or omissions of any of its member firms nor can it control the exercise of their professional judgment or bind them in any way. No member firm is responsible or liable for the acts or omissions of any other member firm nor can it control the exercise of another member firm s professional judgment or bind another member firm or PwCIL in any way.