Service auditor reports (SAR) offer assurance over outsourced services, but finding the right solution can be a minefield. Eddie Best looks at the different SAR options available to help you find the right fit for your business.
As businesses continue towards digital transformation and a simplified architecture, dynamic service delivery models are becoming the norm. Outsourcing helps businesses expand their service lines and adopt new technology in a way that is both affordable and sustainable.
When new capabilities are needed, outsourcing has become the default, reducing pressure on in-house IT teams and improving competitiveness. Because user entities remain accountable to their customers, regulators and other stakeholders for the services they outsource, they need assurance from the service organisation that those services are properly controlled.
Service auditor reports are used to cover a wide variety of outsourced services, for example:
hosting of data centres
managing cloud services
achieving information security standards
Demonstrating oversight and assurance
With outsourced services becoming such a key element of any business, it is essential to provide the right assurance over their delivery to your users. Service auditor reports can benefit service organisations offering third-party or outsourced services by:
providing assurance over key controls in a standardised format
reducing duplication of effort, time and costs across multiple user audits through one assurance report for mutual use
evidencing control and oversight over outsourced services provided for the benefit of user entities, regulators and other stakeholders
enhancing credibility and demonstrating best practice to potential user entities
Choosing the right service auditor reports
To maximise the value of service auditor reports, it is vital to choose the right type of report for your business. Some are designed to assess financial reporting needs, others look at non-financial needs.
The defining factors will largely be based on what services you offer, what sectors your users operate in and your geographical locations.
Financial service auditor reporting
SOC 1, ISAE 3402 and AAF 01/20 reports are used by service organisations in all business sectors to provide assurance where the services provided impact the user entities’ financial reporting. Let's look at each one individually:
Service and Organisation (SOC) 1
The service organisation (outsource service provider) identifies the most appropriate controls to be included in their SOC 1 report for review by the service auditor. Based on the attestation and examination standards ATC-105, ATC-205 and ATC-320, SOC 1 service auditor reports can be used by your customers for management monitoring purposes and by their external auditors to support the financial audit.
The SOC standards principally apply in the USA and are recognised worldwide. Distribution of the SOC 1 report is restricted to defined users of the services.
SOC 1 reports are also known as SSAE 18, or formerly SAS 70 reports.
ISAE 3402
As with the SOC 1 report, the service organisation identifies the most appropriate controls to be included in their ISAE 3402 service auditor reports for review by the service auditor.
The ISAE reports are used by the user entities and their external auditors and are an international standard recognised worldwide. Distribution of the ISAE 3402 report is restricted to defined users of the services.
AAF 01/20
These types of service auditor reports use the UK assurance standards, which are based on the international standards ISAE 3402 and ISAE 3000. They are useful for the outsourcers’ customers and their external auditors, and distribution is restricted to defined users.
The AAF 01/20 has control objectives for the following services, with the service organisation identifying the most appropriate controls to be assessed:
Property investment management
Property investment administration
Information Technology (IT)
Non-financial service auditor reporting
SOC 2, SOC 3 and ISAE 3000 service auditor reports are useful for organisations that hold, store or process their clients' information, but where these services are not significant for financial reporting. This might include cloud service, software as a service, data analytics or data centre providers, among others.
SOC 2 reports focus on one or more of the pre-defined Trust Services Criteria (TSC), as outlined in the example scope below. This type of report is recognised worldwide, but its distribution is restricted to defined users of the services, such as clients, business partners, customers or regulators. SOC 2 reports apply the ISAE 3000 standard and national equivalents, such as AT in the USA.
Some user entities may want assurance beyond the TSC, focusing on key topics such as the General Data Protection Regulation (GDPR), the National Institute of Standards and Technology (NIST) frameworks, or the Health Information Trust Alliance (HITRUST) Common Security Framework. A SOC 2 report can offer assurance over these industry-specific frameworks.
SOC 3 reports are essentially a light-touch version of SOC 2, and they are primarily a marketing tool. Like SOC 2 reports, these are based on one or more of the Trust Services Criteria and apply the same standards, but they only contain management’s assertion of assurance and the auditor’s opinion on that assertion. SOC 3 reports apply worldwide and they can be freely distributed or posted on a website.
ISAE 3000
This service auditor reports option is for services that do not impact the users’ financial reporting. The service organisation identifies the controls to be included for assessment by the service auditor. The ISAE is an international standard recognised worldwide, and as with other service auditor reports, the distribution is restricted to the users of the service.
Type 1 or type 2 service auditor reports?
To further complicate the question of which review is the best fit for your business, service auditor reports are split into type 1 and type 2. As outlined above, service auditor reports differ according to the topic under review; but type 1 versus type 2 is about the level of assurance and the depth of reporting.
Type 1 service auditor reports look at a specific point in time to provide:
a description of the service organisation’s system and controls supported by a management assertion and an auditor’s opinion on the fairness of that description
a statement of whether the controls were in operation as designed at the point in time of review
an auditor’s opinion on whether the controls are suitably designed to meet the control objectives
Type 2 service auditor reports add a management assertion and an auditor’s opinion on the operating effectiveness of the controls over a predefined period, usually 12 months.
What to do now?
Service auditor reports are mandatory for most regulated or listed firms, but others can benefit from them as best practice to support their customers. You may need a collection of reports depending on your business activities and customer base. Use our information above to find the right report for your needs.
For more information on service auditor reports and how we can help, get in touch