One giant leap for third party assurance standards

The world has changed dramatically over the last 40 years, and many would
expect the standards for audit to have changed with it. Unfortunately, this has
not been the case for third party assurance, despite a frenzy of regulatory
activity on transparency over the last ten years.

Created by the Americans over four decades ago, the previous standard, SAS
70, is in need of a relaunch.

The International Auditing and Assurance Standards Board (IAASB) has created
an improved third party assurance standard for June 2011 – which offers
guidelines for auditors to report to clients about the internal controls of
outsourced business process service suppliers.

SAS 70 had been the globally adopted standard for audits of outsourcing
companies’ controls since 1969. But FDs’ need for third party assurance by
auditors has dramatically increased since the introduction of US rules on
internal controls, namely Sarbanes-Oxley.

The huge increase in focus on risk required a fresh and modern standard to
replace SAS 70. New standard ISAE 3402 will include reports on operational risk
areas, wider regulatory compliance, as well as business continuity planning and
disaster recovery.

Richard Porter, partner, performance assurance leader at PwC, said that
stakeholder pressure for greater risk assurance about businesses’ outsourced
service providers had also added to momentum for a more robust standard.
“Markets now want to know more about a company – more than its financial
information. They want to make sure they have the right controls, governance in
place. It’s there to bring transparency.”

The new standard requires management to make specific assertions on the
controls of their business processes. “At the moment management don’t have to
assert that everything is accurate,” said Michael Elysee, head of IT advisory in
risk and compliance at KPMG.

If auditors checked the strength of one outsourcer, they could use the report
on that company for all of their audit clients – negating the need for separate

This would prove useful for companies using online software or cloud

Companies use cloud computing to store sensitive data. The data centres,
usually found in North America, are known for having military-like safeguards to
protect the information, but third party assurance is still needed.

Unfortunately the previous lack of a modern and all-encompassing single
international standard has resulted in some global organisations reporting under
various local standards, which creates inconsistencies and confusion.

Arnold Schilder, IAASB chair, said: “This new standard sets a global benchmark
for reporting on controls at a service organisation, thereby helping to fulfill
the needs of those who use such services and their auditors under international


While not exactly glamorous, this is a vital component for transparency
around businesses’ risk management. The improved standard might save FDs some
sleep over their data being held thousands of miles away.
