Booklet: Audit
Section: Third-Party Reviews of Technology Service Providers

A technology service provider (TSP) that processes work for several financial institutions often is subject to separate audits by internal auditors from each of the serviced institutions. These audits may duplicate each other, creating a hardship on the provider’s management and resources. The TSP can reduce that burden by arranging for its own third-party audit to determine the status and reliability of internal controls.
A third-party audit, in this context, is an audit of a TSP performed by independent auditors who are not employees of either the TSP or the serviced institution(s). The TSP, its auditors, or its serviced institutions may engage the third-party auditor. The serviced institutions’ auditors may use this third-party review to determine the scope of any additional audit coverage they require to evaluate the system and controls at the TSP. Examiners can also use the third-party review to help scope their activities.
Financial institutions are required to effectively manage their relationships with key TSPs. Institution management meets this requirement related to audit controls by:

- Directly auditing the TSP’s operations and controls;
- Employing the services of external auditors to evaluate the TSP’s operations and controls; or
- Receiving and reviewing sufficiently detailed independent audit reports from the TSP.
Institutions using such audits to complement their own coverage should ensure that the independent auditor was qualified to perform the review, that the scope satisfies their own audit objectives, and that any significant reported deficiencies are corrected. It is critically important that the examiner and the institution understand the nature and scope of the engagement and the level of assurance accruing from the accounting firm’s work product. Attest-level services are reviews that result in the expression of an opinion by the reporting practitioner. See Chapter 1, “Attest Engagements,” of Statement on Standards for Attestation Engagements (SSAE) No. 10, Attestation Standards: Revision and Recodification. Advisory-level services can be strategic, diagnostic, implementation, and sustaining/managing services, among others. See Statement on Standards for Consulting Services (AICPA, Professional Standards, vol. 2, CS sec. 100). There is no expression of an opinion in Advisory Service engagements.
Users of audit reports should not rely solely on the information contained in the report to verify the internal control environment of the TSP. They should use additional verification and monitoring procedures as discussed more fully in the IT Handbook’s “Outsourcing Technology Services Booklet.” Refer to that booklet for additional information on vendor management and to supplement the examination coverage in this booklet.
The following two types of reviews were developed by the AICPA and are frequently used by independent accounting firms to provide assurance regarding the internal controls of TSPs:

- SAS 70 reviews
- Trust services reviews

SAS 70 REVIEWS
The objectives, scope, and audit procedures of each third-party audit differ according to the needs of those engaging the auditor. The AICPA Statement on Auditing Standards (SAS) Number 70 provides guidance for independent auditors when performing a SAS 70 audit of a service organization, and when auditing financial statements of an entity that uses a service organization to process its transactions.

SAS 70 provides a uniform reporting format for third-party reviews of TSPs in order to facilitate the description and disclosure of the service provider’s processes and controls to customers and their auditors. SAS 70 is a widely recognized standard and indicates that a service provider has had its control objectives and activities examined by an independent accounting and auditing firm. A formal report including the auditor’s opinion (service auditor’s report) is issued to the TSP at the conclusion of the SAS 70 process. The report contains a detailed description of the TSP’s controls and an independent assessment of whether the controls are in place and suitably designed for the service provider’s operations. The independent assessment of controls is based on testing certain controls to determine whether they are designed and operating with sufficient effectiveness to achieve the related control objective for the specified time period.
There are two types of service auditor’s reports. A type I report provides the service organization’s description of controls at a specific point in time, and the auditor’s opinions as to whether the description is presented fairly and whether the controls are suitably designed to achieve the related control objectives. A type II report includes all of the elements of the type I report as well as actual testing of the controls to determine whether they are operating with sufficient effectiveness to achieve the related control objectives over a period of not less than six months.
User institutions can usually obtain service auditor’s reports from their TSPs. The fact that a provider chooses not to undergo a SAS 70 or other independent review, or chooses not to disclose the results of the review, is a matter that institutions should consider when performing due diligence to determine whether to engage, or to continue to engage, the provider’s services.

TRUST SERVICES REVIEWS
The AICPA established its Trust Services Principles and Criteria, a core set of principles, criteria, and illustrative controls, to address the risks of IT and to establish confidence in systems reliability and e-commerce activities. Following are the Trust Services Principles and Criteria developed by the AICPA for use by practitioners in the performance of a Trust Services engagement:

- Security – The system is protected against unauthorized access, both physical and logical.
- Availability – The system is available for operation and use as committed or agreed.
- Processing Integrity – System processing is complete, accurate, timely, and authorized.
- Online Privacy – Personal information obtained as a result of e-commerce is collected, used, disclosed, and retained as committed or agreed.
- Confidentiality – Information designated as confidential is protected as committed or agreed.
Each of the principles and its related criteria is organized into four broad areas of review:

- Policy – The entity has defined and documented its policies relevant to the particular principle.
- Communications – The entity has communicated its defined policies to authorized users.
- Procedures – The entity uses procedures to achieve its objectives in accordance with its defined policies.
- Monitoring – The entity monitors the system and takes action to maintain compliance with its defined policies.
Licensed accounting firms can offer a wide range of advisory and attest services using the Trust Services Principles and Criteria. TSPs frequently engage independent accounting firms to perform SysTrust and WebTrust reviews, two specific Trust Services reviews developed by the AICPA for reviewing IT systems and controls.
- SysTrust – In this type of review, a licensed CPA provides independent verification that a TSP has effective controls in place so that the system can function reliably. The institution prepares a description of the aspects of the system subject to review so that the scope of the review is clear to readers of the report. This system description is attached to the CPA’s report. The auditor determines the presence of system controls and tests the effectiveness of the controls during the period covered by the SysTrust report. If the review is an attest-level engagement, the CPA firm’s attestation is represented by the report to management and may also be represented by a SysTrust seal on the institution’s website.
- WebTrust – The objective of a WebTrust engagement is for a licensed CPA to provide independent verification that an institution’s website complies with the Trust Services Principles and Criteria in the particular subject matter reviewed (e.g., confidentiality, security). If the engagement is an attest-level review, assurance is represented by the CPA’s report to management. An institution whose website has met the Trust Services Principles and Criteria in a particular subject matter area is eligible to display the WebTrust seal for that area to provide independent verification that the institution’s website is in compliance. Clicking on the WebTrust seal reveals the date the seal was granted and the date it expires, the site’s business practices and policies, the Trust Services Principles and Criteria used to examine the site, the report of the independent accountant, and links to other sites with active WebTrust seals.
For further information regarding third-party engagements, see the AICPA website at www.aicpa.org.