It’s about service providers
Services can be outsourced, from a client to a service provider. The outsourced services might be critical to the integrity of the client’s financial statements. A common case is information technology outsourcing, in which the integrity of transaction data is protected by the service provider’s information security, cyber security, and other technology controls. Another common example is human resources or payroll. In an investment fund, the client who owns the fund is responsible for financial statements and regulatory compliance, but the client may have multiple layers of outsourcing. The client might outsource investing activities, and separately outsource administration of fund member transactions. Each of the service providers might in turn outsource the information technology supporting the fund. Any layer of the outsourcing can compromise the integrity of the fund financial statements.
The integrity of the client’s financial statements depends critically on the controls maintained in all service provider organisations.
You might also expect that each service provider has multiple clients. I once met an accountant who provided administrative and technology services for 2000 legally separate investment funds. Australians will recognise those as self-managed superannuation funds, each for one individual.
Outsourcing with reliance on service provider controls means that the client, and the client’s external stakeholders, each have a clear interest in the service provider’s internal controls, at a detailed operational level.
In particular, the client’s financial statement auditors will need independent assurance that the service provider maintains key controls, and that each of the key controls have operated effectively over the whole of each financial reporting period.
The default way for the client’s auditors to get this assurance is to physically test the service provider controls—on the service provider’s premises, and all up in their computer network. The service provider might feel it is an invasion. It will at best consume a lot of management time.
Client auditors will feel like an invading army if each separate client sends in separate auditors to test the same controls.
But there is a smart way through this: controls reporting.
How controls reporting works
In a controls reporting arrangement, the service provider controls are audited once for each financial reporting period. The single controls auditor is selected by the service provider in a way that will satisfy the most exacting client’s demand for independent assurance. The auditor will be a recognised external auditor with all the qualifications, reputation, and legal liabilities displayed by financial statement auditors. The controls auditor may or may not be the service provider’s financial auditor. In practice, the controls auditor is often the firm engaged as the service provider’s internal auditor.
The assurance report from the service provider to each client describes the controls maintained over the period, with an auditor’s opinion on each of the controls.
The description of each control comes from the service provider’s management hierarchy, with certification at the board director level of the service provider organisation. The starting point is control descriptions signed quarterly by operational managers.
The audit opinions are signed by the audit principal, based on audit tests of each described control.
The controls report structure and process parallel the financial statement report: replace ‘financial statement items’ with ‘described controls’. The look of a controls report is somewhat different, due to the level of operational detail. The audit opinions may be required to describe audit test procedures, something not expected in financial audits. Another difference is that controls reports are not usually published, as the proper readership goes only as far as the client and the client’s auditor.
The licence to rely on ‘reported’ controls
If the controls audit conforms to the applicable auditing standard, the client’s financial statement auditor is legally allowed to rely on the controls report, without going anywhere near the service provider.
The general auditing standard for controls reporting between service provider and client is ISAE 3402 (ASAE 3402 in Australia). There are Australian extensions to that standard for specific industries, for instance Guidance Statement 007 for investment management services. The extensions prescribe requirements in greater detail than the general standard.
How everyone wins
The obvious benefit is the single audit of service provider controls, in place of the separate audits by the auditors for each client.
Beyond that, the tangible detail in the controls report can calm down a client organisation otherwise prone to anxiety and distrust. In my world, that was the real reason for the controls reporting program. At the least, the client’s contract managers will find the controls report a useful resource.
A third benefit from controls reporting is that it leads service provider managers to understand that they own internal control, and that controls should not be dropped or changed without some thought for the implications. In your world, all that might be obvious. In my world, it has not been. Managers have often regarded controls as laid down by mysterious tradition, or as property of the auditors. Less mystically, they have simply started with no clear concept of ‘internal control’ or of ‘key controls’, having heard those words only in occasional eye-glazing conversations with auditors. The same managers generally maintained excellent systems. The routine of describing and certifying specific controls every quarter is very helpful to management ownership and understanding.
Audited controls reporting can chew up a lot of the service provider’s audit budget. But there is a greater saving from the reduction in time spent by the client’s auditors. On this basis, the cost of auditing controls reports could be priced into the client service contracts, at a good discount for each separate client. In my experience, the repeating controls audits simply covered some of the ground that the annual audit program would have tried to cover in other ways, less efficiently. That is not to say there should not be other internal audits. Controls report audits have a very narrow assurance objective.
There are other versions of controls reporting around the world, with different applications and implications, such as Sarbanes-Oxley Act (SOX) 404 reporting for US-based enterprises.
So why not?
Some versions of controls reporting, specifically SOX 404, have a dubious reputation. But outsourcing is everywhere, and controls reporting from service provider to client makes perfect sense wherever there is outsourcing that affects financial integrity or regulatory compliance. Think of information technology, payroll, or accounting services. Think about the services relied upon by your service provider. Some of them are sure to have IT services up in a digital cloud. That makes two layers of outsourcing. Cloud services definitely need controls, backed up with audit assurance.
Audited reporting on controls should be normal. When your enterprise is outsourcing a service, first ask yourself how you will be assured that the service provider maintains the key controls demanded by your financial statement auditors, your regulators, and your stakeholders. An intelligent answer will include audited controls reporting, in one form or another.