Outsourcing has evolved into a strategic business practice to help companies improve their efficiency and performance. As a consequence, outsourcing service providers are gaining greater influence over their clients' internal control systems.
Outsourcing is a growing trend, especially in the area of information technology, not least because of the increasing complexity of IT hardware, IT infrastructures and applications. The increasing demands on IT security are also leading more and more companies to use corresponding cloud services, such as Infrastructure as a Service (IaaS) or Software as a Service (SaaS). In addition to IT services, accounting, personnel, purchasing and sales processes are increasingly being outsourced to internal shared service centers (SSC) or as part of business process outsourcing (BPO).
However, the compliance and security risks associated with outsourcing always remain with the outsourcing company itself. As the role of outsourcing service providers continues to grow, so does the need for comprehensive and flexible reporting on the outsourced services.
Optimization of third-party assurance reporting
Service providers are subject to various legal, government and industry-specific regulations. These requirements can result from accounting regulations, but also from data protection, cyber security and supply chain requirements. This variety of possible regulations that service providers must comply with and report on requires a multidirectional approach. Third-party assurance reporting helps service providers to efficiently define and audit their approach and control framework. It also ensures efficient communication with clients.
A structured approach to auditing service-related control systems increases the quality of those control systems and saves service providers time and money, which leads to more satisfied customers, e.g. by reducing the number of requests from different customers and their auditors to audit a service provider's internal controls.
BDO's outsourcing assurance services help clients to define a control framework that meets all legal, regulatory and industry requirements, to optimize the reporting process to third parties and to audit the service-related control system.
Outsourcing Project Assurance
The outsourcing of business and IT processes to shared service centers, IT service providers or within the scope of business process outsourcing is associated with transformation risks that can negatively impact the quality of the outsourced processes and controls, data integrity and system availability. These transformation risks can be mitigated by well-designed project management and appropriate quality assurance.
Our transformation specialists will guide you through the individual project phases in an audit-oriented manner and provide you with feedback on project risks during the project.
The BDO Difference
We offer to build up appropriate internal control systems together with you that balance the requirements of legal/regulatory compliance, efficiency, effectiveness and traceability.
With our experience and experts, we support you in the preparation and execution of audits of service-related control systems. Our step-by-step audit approach has proven its worth, especially for initial audits.
When auditing internationally distributed control systems (IT infrastructures, shared service centers, etc.), we have access to our excellent international BDO network of experts in a total of 167 countries.
Our third-party assurance services include
• Audits in accordance with the standards:
  • IDW PS 951 ("The audit of the internal control system at the service company for functions outsourced to the service company")
  • ISAE 3402 ("International Standard on Assurance Engagements 3402")
  • SOC1 ("Reporting on an Examination of Controls at an Entity Relevant to Customers' Internal Control Over Financial Reporting")
  • SOC2 ("Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy")
  • SOC for Cybersecurity ("Reporting on an Entity's Cybersecurity Risk Management Program and Controls")
  • SOC for Supply Chain ("Reporting on an Examination of Controls Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy in a Production, Manufacturing, or Distribution System")
  • ISAE 3000 and BSI C5 (cloud certification)
• Outsourcing Readiness Assessments and Optimization: Audit support for the implementation of a control framework and the development of an integrated reporting process
• Outsourcing Project Assurance: Auditing support for outsourcing projects, e.g. to shared service centers or other structures of external service providers
• Shared Service Center Assessments: We analyze the status in the SSC and offer you concrete proposals to ensure optimization and certification. Aspects we address are SSC maturity, processes, activity split, internal controls, automation and compliance requirements.