Third-Party Reviews of Technology Service Providers
A technology service provider (TSP) that processes work for financial institutions often is subject to separate audits by internal auditors from each of the serviced institutions. These audits may duplicate each other, creating a hardship on the provider's management and resources. The TSP can reduce that burden by arranging for its own third-party audit to determine the status and reliability of internal controls and by sharing the results of that audit with its client financial institutions.
A third-party audit or review is performed by independent auditors who are not employees of either the TSP or the serviced institution(s). The TSP, its auditors, or its serviced institutions may engage the third-party auditor. The serviced institutions' auditors may use this third-party review to determine the scope of any additional audit coverage they require to evaluate the system and controls at the TSP. Examiners can also use the third-party review to help scope their supervisory activities.
Financial institutions are required to effectively manage their relationships with key TSPs. Institution management meets this requirement, as it relates to audit controls, by:
- Directly auditing the TSP's operations and controls;
- Employing the services of external auditors to evaluate the TSP's operations and controls; or
- Receiving from, and reviewing, sufficiently detailed independent audit reports on the TSP.
Financial institutions using such audits to complement their own coverage should ensure that the independent auditor is qualified to perform the review, that the scope satisfies their own audit objectives, and that any significant deficiencies reported are corrected. It is critically important that the examiner and the institution understand the nature and scope of the engagement and the level of assurance accruing from the work product of the reviewing firm.
There are two common types of independent third-party reviews: attestation reviews and non-attestation reviews. Attestation reviews (for example, the AICPA's SSAE-16 Type I and Type II, SOC 2 Type I and Type II, and SOC 3 (Web Trust) reports; see http://www.aicpa.org/_catalogs/masterpage/Search.aspx?S=soc+1) are generally conducted by Certified Public Accountants (CPAs) and are based upon Attestation Standards issued by the American Institute of Certified Public Accountants (AICPA). Non-attestation reviews include those performed by IT consultants or others; they may be based upon external standards (ISACA, NIST, IIA, etc.) or industry-developed criteria (for example, the Shared Assessments Program; see http://www.sharedassessments.org/).
The type of independent third-party review chosen should be based upon the size and complexity of the servicer, the products and services it offers, and its risk profile, because the level of assurance provided varies with each type of review.
Users of audit reports or reviews should not rely solely on the information contained in the report to verify the internal control environment of the TSP. They should use additional verification and monitoring procedures as discussed more fully in the Outsourcing Technology Services Booklet of the FFIEC IT Examination Handbook. Refer to that booklet for additional information on vendor management and to supplement the examination coverage in this booklet.
Examples of Arrangements
Appendix A: Examination Procedures