White Paper

Service Organization Control Reporting: Managing Risks and Building Trust

By Dan Schroeder, CPA, MBA, CISA, CIA, CISM
Increasingly, companies are relying on third parties, or service organizations, to perform vital functions on their behalf. These services often represent significant risks to their users, i.e., “user entities.” While a user entity can outsource functions to a service organization, it still owns the risks associated with those services. Thus, the success and reputation of user entities frequently depend on how well service organizations are managing their risks.
Accordingly, a critical success factor for service organizations is their ability to control the risks they represent to their customers – the user entities. This usually arises in the sales cycle, when a service organization will need to help its prospective customers gain comfort that the service organization’s risk management practices are adequate for their needs.
In some cases, a user entity can become comfortable with the service organization’s controls through informal means, such as interviews, questionnaires, and site visits. But in many cases, the inherent risks represented by the service organization are so significant that the user entity will need independent reporting on the service organization’s controls to provide assurance that risks are being managed at a level appropriate for its needs.
Determining the type of assurance reporting needed for each service requires a consideration of both the nature of the risk (e.g., financial, operational, or compliance) and the degree of the risk represented by that service to the user entity. The purpose of this paper is to provide guidance to representatives from both service organizations and user entities as to how the new AICPA Service Organization Control framework can be used to meet both organizations’ risk management needs in a pragmatic and sustainable manner.
But first, we’ll take a look at the market drivers ...