Building Credibility Through a Controls Report

The path to ISAE 3000 or ISAE 3402 Controls Assurance


90% of businesses expect to increase their dependency on third parties for critical business functions; however, only 40% of businesses are very confident that their critical third parties can meet their trust expectations.

(Source: Data from the PwC 2021 Global Digital Trust Insights survey.)

A controls report can help address this trust gap

A controls report provides a structured and standardised way for a service organisation to articulate the controls that address its most critical service objectives, aligned to its clients’ most critical risks.

These controls are tested by an independent auditor, which lends a far higher level of credibility to your statements about the quality of your controls than any self-attestation can provide.

This is therefore an effective way of demonstrating that your organisation is committed to a strong internal control environment, in a form that can easily be shared with third parties.

The benefits of independent controls assurance

1. Credibility

Clients, and prospective clients, are becoming more demanding of firms and asking for the higher level of comfort that comes with external assurance.

2. Growth

Prospective clients are specifically asking for external assurance as part of the due diligence they perform during the RFP process. By being proactive, you have the opportunity to make controls reporting a positive differentiator when pursuing prospective clients.

3. Comparability

A controls report with control objectives allows for benchmarking against your peers and an understanding of where you may be doing more or less than your competitors.

4. Challenge

With external assurance, the controls environment will be looked at with fresh eyes and challenged by experienced controls reporting practitioners, which keeps them evolving and focused.

5. Comfort

By obtaining external assurance you add a further level of challenge over your controls, giving you more confidence in the quality of their operation before an issue occurs.

The path to independent assurance

Obtaining a controls report requires management first to create, or formalise, the internal control framework and its mapping to risk. The key steps required of management in this first stage are:

  • Determining the key relevant risks (usually with reference to a defined framework such as ISAE 3402 / AAF 01/20 and/or your services catalogue).
  • Defining the internal controls that are in place at the business.
  • Mapping these internal controls against the previously identified key risks.

Management then engage an independent auditor (like PwC) to assess the controls framework that is currently in place, and provide an independent assurance opinion on those internal controls.

Once this independent assurance report/opinion has been received, it is included with management’s description of the control framework (which also includes the mapping against the key risks), and together these form the Controls Report.

1. Controls formalisation

Management identifies the key risks that they want to obtain assurance over, usually with reference to existing frameworks of ‘control objectives’ relevant to different subjects.

2. Type 1 reporting

PwC reviews the design of management’s controls against management’s stated control objectives and also assesses whether the control objectives capture the relevant risks against the relevant framework as at a point in time.

3. Type 2 reporting

PwC performs testing and provides an opinion on management’s controls and whether they operated effectively for a period of time (at least 3 months) in a report for the board and management, which can also be provided to interested third parties.

Reporting frameworks and standards

There are different types of controls reports, reporting under different frameworks; the key ones are detailed below. The decision of which framework to follow is usually driven by the users’ location, expectations and requirements, as they may be more familiar with their local flavour of controls report.

International (ISAE 3000 / ISAE 3402)

ISAE 3000

  • The overarching International Standard on Assurance Engagements (ISAE) 3000, ‘Assurance Engagements Other than Audits or Reviews of Historical Financial Information’, which covers all non-audit assurance.
  • Used for controls reports where the subject matter is not service organisation controls as they relate to financial reporting.

ISAE 3402

  • The International Auditing and Assurance Standards Board’s (IAASB) ‘International Standard on Assurance Engagements (ISAE) 3402’ established to provide a global framework.
  • Subject matter specific standard under the ISAE 3000 umbrella, to be applied only for service organisation controls as they relate to financial reporting.

UK (AAF 01/20)

AAF 01 / 20

  • Additional UK ICAEW guidance that supplements ISAE 3402 assurance reports for financial reporting.
  • Includes prescriptive control objectives for asset management organisations.
  • The most recent and advanced of all the frameworks.

US (SSAE 18 / SOC1)

SSAE 18 / SOC 1

  • US AICPA guidance used for financial reporting.
  • Includes complementary subservice organisation controls (‘CSOCs’) – controls implemented by a subservice organisation that the service organisation relies on.
  • Normally dual-issued under ISAE 3402 and AT-C Section 320.
  • The term ‘SOC’ (‘System and Organization Controls’) is sometimes used loosely to describe any controls report.

Technology controls reporting (SOC2)

In addition to operational or business process controls reporting, there is a growing demand for assurance on technology controls related to

  • data security,
  • operational resilience, or
  • cybersecurity

The most common of these currently is SOC 2, which we discuss in more detail below.

Going beyond financial reporting controls

Assurance under a SOC 2 framework

There is also an increasing demand for independent assurance over the management and security of sensitive data, as companies have realised the extent of information being shared with service organisations and the scale of the risk. Organisations that rely on third parties to use, store and dispose of critical data need comfort that their service provider’s control environment is strong and able to protect both financial and non-financial information.

To satisfy regulators’ and other stakeholders’ demands for assurance around internal controls over non-financial reporting, a SOC 2 report can be prepared to focus on controls specific to security, availability, processing integrity, confidentiality, and privacy. Service providers can also use this single report to satisfy the needs of multiple constituents and meet their contractual commitments (service commitments and system requirements) over the diverse set of controls covered.

The scope of a SOC 2 report includes an assessment of a service organisation’s system of controls related to customer data, focused on the following five components of the system:

  • Infrastructure: The collection of physical and virtual resources that support the overall IT environment used by the service organisation
  • Software: The applications and system software that the service organisation uses to support data processing
  • People: The personnel involved in the governance, management, operation, security and use of the system providing services to customers
  • Data: Transaction streams, files, databases and other output files and data used or processed by the organisation’s system
  • Procedures: The automated and manual procedures related to the services that the organisation provides to customers

Key benefits of a SOC 2 report

  • Manage outsourcing risks over vendor controls
    Provision of a SOC 2 can assist organisations in meeting certain contractual commitments and regulatory requirements with regard to data security
  • Time and cost saving
    Organisations can benefit from reduced time and cost spent on individual vendor questionnaires, ongoing monitoring and on-site assessments
  • Coverage beyond financial controls
    A SOC 2 goes beyond the scope of financial reporting, so controls that would typically be determined as ‘non-key’ for a SOC 1 can be covered in the scope of a SOC 2
  • Greater transparency for stakeholders
    Provision of a SOC 2 can drive confidence among stakeholders that the organisation’s risks are being managed appropriately, assured by a recognised assurer under a consistent and recognisable framework

Contact us

Kevin Rollo

Partner, Third Party Assurance, PwC United Kingdom

Kirsten Barker

Partner, Head of Non-Financial Audit & ESG in Asset & Wealth Management, PwC United Kingdom

Timothy Ruangvoravat

Director, Third Party Assurance, PwC United Kingdom