Outsourcing operations does not transfer the risk associated with that process. The organization that is outsourcing (user entity) continues to remain responsible for governance, risk management and compliance for the processes / operations now managed by their service provider. Regulators and industry bodies are focused on addressing the risks arising out these changes. In this context, service providers (service organizations) build trust and confidence in the services performed and the associated controls through system and organization controls (SOC) reports.

Deloitte offers a range of third-party assurance services and also assists clients in selecting the most suitable third-party reporting option:

• Assurance related reporting undertaken to provide an independent report on the user entities internal control environment for use by management of the service organizations, user entities and/or their auditors.
  • Assurance over financial reporting process - SOC 1 reports over controls that impacts the financial reporting of user entities. Typically performed under SSAE18 (issued by AICPA) and ISAE3402 (issued by IAASB) standard.
  • Assurance over operations - ISAE3000, SOC 2, SOC 3 and custom SOC reports.
    • ISAE 3000 - Assurance report over non-financial processing for the criteria defined by the entity rather than standard: internal controls, sustainability, compliance with laws / regulations, other requirements.
    • SOC 2 report - Assurance report on non-financial processing based on one or more of the Trust Service Principles which are security, availability, processing integrity, confidentiality and privacy.
    • SOC 3 report - Short public report that can be used for marketing purpose on non-financial processing based on one or more of the Trust Service Principles.
    • Customized SOC reports to meet specific industry or customer requirements, such as, SOC for Supply Chain, SOC 2+ reports for applicable industry standards such as NIST, ISO, CSA, GDPR, CMMC, FedRAMP and/or others
• Factual reporting on findings/observations as part of an assessment.
  
  • Agreed-upon procedures (AUP) report - report of factual findings, based on specific and upfront agreed procedures performed on a “subject matter” or an “assertion”. AUP engagements are typically performed using the ISRS 4400 or SSAE 19 standard.
  • Readiness assessment - readiness assessments to explore companies’ preparedness to address risks or needs associated with their outsourced service provider programs.

IT controls evaluation conducted as a part of the organizations internal controls programs is key to identifying and ensuring clients response to risks arising from information technology and the digital ecosystem in which they operate.

Deloitte can support clients in IT risk assessments and in performing design and operating effectiveness reviews for IT General Controls and automated controls across various ERPs and custom-built applications. Depending on client specific requirements this also includes data migration reviews, interface controls reviews, access and functional segregation assurance.

An organisations controllership, information technology and security functions need to be risk intelligent in order address risks arising out the technological changes.

Deloitte’s team of IT risk specialists support clients in improving IT processes and controls, to effectively identify, understand and implement relevant internal controls methodology and processes.

• Define – Identify relevant risks and build IT controls framework to meet internal and external compliance requirements, on account of process changes, ERP and application changes or enhancements, and BOT implementation.
• Optimize – Determine feasibility of IT controls standardization, controls rationalization, better use/leveraging automated controls through full use of standard system functionality, recommend effective remediation measures basis industry and sector expertise for gaps identified.
• Embed – Developing and delivering training programs on IT risks and controls, IT policy procedure buildout, controls remediation support, SME support to meet specific industry or technology/tool requirements