Welcome » IT Booklets » Audit » Third-Party Reviews of Technology Service Providers
A technology service provider (TSP) that processes work for several financial institutions often is subject to separate audits by internal auditors from each of the serviced institutions. These audits may duplicate each other, creating a hardship on the provider's management and resources. The TSP can reduce that burden by arranging for its own third-party audit to determine the status and reliability of internal controls.
A third-party audit, in this context, is an audit of a TSP performed by independent auditors who are not employees of either the TSP or the serviced institution(s). The TSP, its auditors, or its serviced institutions may engage the third-party auditor. The serviced institutions' auditors may use this third-party review to determine the scope of any additional audit coverage they require to evaluate the system and controls at the TSP. Examiners can also use the third-party review to help scope their activities.
Financial institutions are required to effectively manage their relationships with key TSPs. Institution management meets this requirement related to audit controls by:
Institutions using such audits to complement their own coverage should ensure that the independent auditor was qualified to perform the review, that the scope satisfies their own audit objectives and that any significant reported deficiencies are corrected. It is critically important that the examiner and the institution understand the nature and scope of the engagement and the level of assurance accruing from the accounting firm's work product. Attest-level services are reviews that result in the expression of an opinion by the reporting practitioner. See Chapter 1, "Attest Engagements," of Statement on Standards for Attestation Engagements (SSAE) No. 10, Attestation Standards: Revision and Recodification. Advisory-level services can be strategic, diagnostic, implementation, and sustaining/managing services, among others. See Statement on Standards for Consulting Services (AICPA, Professional Standards, vol. 2, CS sec. 100). There is no expression of an opinion in Advisory Service engagements.
Users of audit reports should not rely solely on the information contained in the report to verify the internal control environment of the TSP. They should use additional verification and monitoring procedures as discussed more fully in the IT Handbook's "Outsourcing Technology Services Booklet." Refer to that booklet for additional information on vendor management and to supplement the examination coverage in this booklet.
The following two types of reviews were developed by the AICPA and are frequently used by independent accounting firms to provide assurance regarding the internal controls of TSPs: