Most organizations outsource some, if not many, corporate, technology or business services, and the trend continues. But what does that mean when it comes to controls? Here we explore some important aspects of how to stay in control when outsourcing to third-party providers.
Trust is no longer sufficient
As witnessed by the increased market presence (and revenue) of service providers across the globe, outsourcing is here to stay. Competitive prices, better customer service, streamlined processes and similar benefits continue to push firms to shift operations to service providers. However, with rising customer expectations and intensifying regulatory pressures, organizations need to stay on top of certain essential aspects, such as third-party risk management and controls operations. In 2019, 91% of respondents to KPMG’s CIO survey felt that they could do more to build customer trust. That says a lot about the current state of the market.
Yet there is still a long way to go to reach that level of trust. Numerous organizations are still heavily focused on cost-saving strategies at the expense of sound risk management. During the COVID-19 crisis, a large IT service provider located in India was the victim of a cybersecurity breach following a ransomware attack, which led to several of their clients being compromised as well. While everyone can and will be subject to such attacks, staying in control should remain a priority for any organization, no matter whether operations are executed internally or externally.
Prioritizing risk management
Third-party risk management should be at the top of Enterprise Risk Management’s agenda when organizations outsource critical services and operations such as payroll, technology or customer services. From reviewing, updating and enforcing contractual clauses around the use of confidential data, service-level agreements and employee behavior, to conducting independent reviews of their service providers, companies have multiple options to get in control. However, this can lead to an increased compliance burden. International standards, such as the International Standard on Assurance Engagements (ISAE) 3402, have been around for a while now, but we are seeing that the European and Swiss markets have not yet fully adopted them. Recently, a Swiss payroll service provider we work with was asked by one of their main clients to issue an ISAE 3402 report within a year, and an ISAE 3000/SOC 2 report within 2 years. This came as a complete surprise to the service provider, which is nowhere near ready either to (1) provide evidence of sufficient design and implementation of controls, or (2) invest in such a costly exercise. The main concern remains for organizations that haven’t enforced such measures: their service providers need to get a clear and comprehensive understanding of how vulnerable they are to regulatory sanctions, cyberattacks or customer complaints.
What about other certifications?
When it comes to information security, numerous organizations have successfully passed certifications such as ISO27001, which covers the implementation of an Information Security Management System. However, those often fall short of customers’ expectations in the sense that they do not provide sufficient assurance over the effective design, implementation and operation of controls. We have seen several cases where service providers who had obtained an ISO27001 certification failed to obtain an attestation or assurance report on the very same systems and processes. That is explained by the varying depth of evaluations conducted by the independent auditors, as well as the differences in internal methodologies, standards and quality requirements followed by them. In addition, attestation reports are for the most part highly confidential compared to certifications as they present very detailed information on the providers’ operations, processes and controls, the details of the various testing conducted by the service auditor, as well as the results of those tests. This provides organizations with the most transparent and comprehensive picture of how controls effectively address risks.
Are attestation reports sufficient?
Independent attestation reports such as ISAE or SOC (Service Organization Controls) are a good way to provide better transparency around the reliability of controls and processes at a service provider. But they should not be the only way to gain assurance over these controls, at the risk of becoming a simple check-the-box exercise. One of our audit clients recently received a SOC 1 report with a qualified opinion from one of their cloud providers (i.e. the controls failed to meet their objective and thus cannot be relied on). While it is normal for this to occur every once in a while, it can be very disruptive when it happens a few days before a filing date and the service provider has given no warning that this was coming. Therefore, companies should monitor their service providers continuously through robust third-party risk management procedures.