More and more service providers see the benefits of obtaining ISAE attestation reports beyond showing their clients that they are in control. They are starting to use these reports to differentiate themselves in a very competitive market, locally and globally.
ISAE now is the international reference in the market when it comes to service providers: from ISAE3402 which is specific to financially relevant services, to ISAE3000/SOC 2 which relates to aspects such as security, availability or privacy. While the process of obtaining such reports can be long and costly, it has become a necessity for many service providers. As regulatory pressures intensify and customer expectations rise, demonstrating the implementation of a sound internal control system is crucial in these days of hyperconnectivity. According to a KPMG survey, over 75% of companies consider that third-party risk management is a strategic priority.
ISAE as a business development enabler
However, lately we have had discussions with several service providers who wanted to use these reports as an enabler in their business development strategy. While there are strict restrictions in distributing them, providers can still inform their clients and prospects that the services they offer are subject to such attestations. And it makes a big difference.
Increasing number of outsourced IT services
The evolution of the market and accelerated digital transformation in the last two years have changed the rules of the game. Companies outsource more and more IT services, from basic hosting of servers all the way to software-as-a-service (SaaS), and they need to get comfort over their outsourced services. Most large service providers have been able to demonstrate the effectiveness of their controls through ISAE reports for decades now (since the early 2000s and the implementation of Sarbanes-Oxley). But a growing number of smaller ones are also heading in that direction. In Switzerland, the move is gradual but has accelerated in the last year as companies strive to compete and stay relevant.
A must-have requirement
We also regularly assist clients in evaluating and selecting service providers, and we can confirm that ISAE is becoming a must-have requirement. As an example, one of our clients was recently evaluating several potential suppliers for the hosting, support and maintenance of their SAP environment. One of their requirements was to have an "audit-proof" service, meaning they did not want to put their financial audit at risk by switching providers. In the end they shortlisted only those candidates who issued an ISAE3402 report, leaving no chance to the others, even the ones with certifications such as ISO 27001. It was clear then that there is no way around getting an ISAE attestation, no matter how well you can market your services.