Third Party Assurance – ISAE3000/ISAE3402/SOC2 Attestation
Business processes can be outsourced; the related risks cannot. That is logical, but not always easy to live with. It is perfectly normal for your clients to ask for proof that the processes and data you handle for them are secured and managed in line with best practice and/or the applicable regulations. This type of assurance can be provided through a Third Party Assurance (TPA) report. In practice, three variants appear under the heading of TPA reports: SOC1 (the US equivalent of ISAE3402), which covers controls relevant to your clients' financial reporting, and SOC2 and Privacy Attestations (reported under the international ISAE3000 standard), which cover non-financial controls such as security, availability, confidentiality and privacy.
As a service provider, a TPA report gives you a powerful commercial tool: independent, written evidence that you deliver a quality service and that you have addressed the key risks in the service offered. In black and white.
In safe hands
Yes, you've got it right. A TPA report offers clear advantages. The attestation gives insight into the in-scope processes, how those processes (and the related risks) are managed, and whether the security measures and regulatory controls are in line with best practice and/or the applicable regulations. For example, when the General Data Protection Regulation (GDPR) became applicable in May 2018, it triggered a significant increase in questions from customers about data privacy and how you, as a service provider, ensure compliance with it.
In short, these attestations give your clients the assurance they need, allowing them to place their processes and data in your hands with confidence.
Suppose you are a service provider (IT service provider, Software as a Service provider, payroll processor, asset manager, etc.). How do you give your client(s) peace of mind? Separate audits per client can provide it, but they are expensive and put unnecessary strain on your organisation. On top of that, the workload and cost of these individual audits, per customer or per service, can quickly reach sky-high proportions, for both you and your client. With a TPA report in place, these individual audits are replaced by a single audit whose report shares with all your clients how each in-scope process is controlled and how you manage and report the associated risks. The goal is to answer as many of your customers' questions as possible, if not all of them.
Right to play
ISAE3402 and SOC2 (reported under the ISAE3000 standard) are currently the international standards for attestation over outsourced processes and systems. ISAE3000 and ISAE3402 are issued by the International Auditing and Assurance Standards Board (IAASB) under the auspices of the International Federation of Accountants (IFAC), and consequently have global reach and international recognition.
Because the number of compliance requirements placed on organisations keeps rising, the market increasingly expects you, as a service provider, to be able to provide these types of reports.
This growing demand for assurance from service providers is currently strongest among organisations in the financial and public sectors and among listed companies. In these sectors, specifications and RFPs (Requests for Proposal) systematically contain a requirement for such a report, which has thus become a "right to play". This will most likely extend to other sectors in the future, e.g. the medical sector.
For more information on TPA reports, please consult our general TPA brochure as well as our brochure on Data Privacy Attestations, which specifically addresses the GDPR, applicable since May 2018.