A controls report provides a structured and standardised way for a service organisation to articulate the controls that address its most critical service objectives, aligned to your clients’ most critical risks.
These controls are tested by an independent auditor, which lends a far higher level of credibility to your statements about the quality of your controls than any self-attestation can provide.
This is therefore an effective way of demonstrating that your organisation is committed to a strong internal control environment which can be easily provided to third parties.
Clients, and prospective clients, are becoming more demanding of firms and asking for the higher level of comfort that comes with external assurance.
Prospective clients are specifically asking for external assurance as part of the due diligence they perform during the RFP process. By being proactive, you have the opportunity to make controls reporting a positive differentiator when pursuing prospective clients.
A controls report with control objectives allows for benchmarking against your peers and an understanding of where you may be doing more or less than your competitors.
With external assurance, the controls environment is looked at with fresh eyes and challenged by experienced controls reporting practitioners, which keeps the controls evolving and focused.
By obtaining external assurance you can add an additional level of challenge over your controls, giving you more confidence over the quality of the operation of controls before an issue occurs.
Obtaining a controls report requires management to first create or formalise the internal control framework and risk mapping. The key steps required of management in this first stage are:
Management then engage an independent auditor (like PwC) to assess the controls framework that is currently in place, and provide an independent assurance opinion on those internal controls.
Once this independent assurance report and opinion has been received, it is included with management’s description of the control framework (which also includes the mapping against the key risks); together these form the Controls Report.
Management identifies the key risks that they want to obtain assurance over, usually with reference to existing frameworks of ‘control objectives’ relevant to different subjects.
PwC reviews the design of management’s controls against management’s stated control objectives and also assesses whether the control objectives capture the relevant risks against the relevant framework as at a point in time.
PwC performs testing and provides an opinion on management’s controls and whether they operated effectively for a period of time (at least 3 months) in a report for the board and management, which can also be provided to interested third parties.
There are different types of controls reports, reporting under different frameworks; the key ones are detailed below. The decision of which framework to follow is usually driven by the users’ location, expectations and requirements, as they may be more familiar with their local flavour of controls report.
In addition to operational or business process controls reporting, there is a growing demand for assurance on technology controls related to
The most common of these currently is SOC 2, which we discuss in more detail below.
There is also an increasing demand for independent assurance over the management and security of sensitive data, as companies have realised the extent of information being shared with service organisations and the scale of the risk. Organisations who rely on third parties to use, store, and dispose of critical data need comfort that their service provider’s control environment is strong and able to protect both financial and non-financial information.
To satisfy regulators’ and other stakeholders’ demands for assurance around internal controls over non-financial reporting, a SOC 2 report can be prepared to focus on controls specific to security, availability, processing integrity, confidentiality, and privacy. Service providers can also use this single report to satisfy the needs of multiple constituents and meet their contractual commitments (service commitments and system requirements) over the diverse set of controls covered.
The scope of a SOC 2 report includes an assessment of a service organisation’s system of controls related to customer data, focused on the following areas:
Kirsten Barker
Partner, Head of Non-Financial Audit & ESG in Asset & Wealth Management, PwC United Kingdom