Cloud-based services, technology platforms and security operations are helping businesses across all sectors. And although these services help businesses focus on their core activities, reduce their costs and get them closer to their customers, they also carry the risk of a control failure or data loss.

Many businesses are now demanding greater visibility over IT and business control environments. As a third party, demonstrating to your customers that you have effective design and operation of key controls in place can be a key differentiator in the market.

If you provide technology, security or software services, or are in the Fintech space, we can support with the effective design and operation of your controls.

We provide assurance over the controls you operate through a range of service auditor reports, including:

• SOC 1;
• SOC 2;
• SOC 3;
• ISAE 3402/3000; and
• AAF.

Gaining vital assurance

By having assurance upfront, you are likely to receive fewer audit requests from your customers and third parties. Being able to demonstrate the effective design and operation of key controls in line with internationally recognised standards can give you the competitive advantage. You will reduce the risk that a control failure leads to adverse publicity, regulatory scrutiny and fines, and financial loss.

As well as providing assurance, our team can also give you insights into control improvements that could reduce your own operating costs and improve business performance.

Our approach

We offer a range of service auditor reports depending on the type of third-party assurance standards in place and your customers’ requirements. Having a tailored approach to your business’s needs helps you get the most value out of your assurance project.

We typically help our clients in four areas:

• understanding your customers’ requirements – we help you understand and prioritise your customers’ requirements, putting the key focus areas at the top of the agenda;
• scoping and selecting a standard – we help you select the most appropriate to assess your controls, identify which services and supporting technology are in scope, and determine the best frequency of assurance reporting;
• develop a controls framework – we help you prepare the control objectives and agenda, and identify the supporting evidence needed. An early review also helps you to identify any control gaps, focus your remediation efforts and avoid surprises later down the line; and
• scoping and selecting a standard – we evaluate the controls by typically performing two types of reviews: a Type 1 (design evaluation) and Type 2 (design and operating effectiveness) review. You can then share the report with your customers and their auditors.

For more information about managing third-party risk, please contact Sheila Pancholi and Steve Snaith.