
UK Corporate Governance Code: third party risk assurance and SOC reports

The revised 2024 UK Corporate Governance Code (the Code) may drive the need for assurance over the activities and material controls performed by third party providers for critical services. We explain the different types of third party risk assurance, including Service Organisation Control (SOC) reports. 

The benefits of outsourcing are well known. It helps organisations grow their business and adopt new technology in a way that is both affordable and sustainable. Outsourced services often include processes and controls which have a significant impact on financial reporting (e.g. payroll, cloud services, shared service operations, data centres), meaning these third party providers will need to be considered when evaluating the internal control framework over financial reporting. Under the revised 2024 Code the board needs to ensure that effective material controls are operated and that it can confidently place reliance on the third party organisation’s control environment when making its declaration on control performance.

What kind of assurance is available?

There are three key aspects of obtaining adequate assurance over outsourced services that you need to think about. 

1 Comprehensive third party risk governance framework

An effective third-party risk governance framework helps in managing material risk exposure through your third parties and should typically provide:

  • visibility of all third party relationships and contracts, and their risk profiles including material risks
  • a formal, pre-contract risk assessment and due diligence process
  • use of standardised contracting and onboarding processes
  • third party questionnaires
  • allowance for vendor site audits
  • risk-based monitoring and oversight.

This can help drive efficiency and growth in your business and supply chain.

We have also seen the evolution of third-party risk governance frameworks from a ‘check-the-box’ process to a substantive function, at times onerous, for companies that are serious about managing third-party risk. However, these are not necessarily fit for purpose to meet the Code requirements.

2 Third-party audits (in-house or agreed upon procedures)

You can also choose to perform a review of the internal controls managed by the third-party service provider, either using your in-house team or independent auditors. However, commissioning third party audits for a large number of third parties can be a logistically difficult and resource-intensive process.

3 Service Organisation Control reports

A preferred option for complying with the Code is Service Organisation Control (SOC) reports. This is one of the most effective ways to obtain independent validation of outsourced services. Other certifications held by your third parties, such as ISO 9001, ISO 27001 or PCI, do not provide adequate scope coverage.

SOC reports bring several key benefits for Code compliance:

  • Supporting your declaration – SOC reports provide a robust and independent assessment of the outsourced controls in support of the annual declaration on material control effectiveness
  • Independent and objective – SOC reports are independent and objective, and provide an opinion on the quality of the internal control environment, which increases trust and confidence in their conclusions
  • Efficient – SOC reports eliminate the need for third party service providers to support multiple separate audits from different customers
  • Promote confidence – SOC reports give outsourced service providers confidence in, and a competitive advantage for, their offerings
  • Accepted by external auditors – while there is no formal requirement on external audit to provide additional scrutiny under the revised Code, SOC reports are understood and accepted by external auditors

Depending on your third party there are several different types of SOC reports that may be relevant for providing assurance.

1 SOC 1/ISAE 3402 for service organisations

The SOC 1 report focuses on a service organisation’s controls that are likely to be relevant to an audit of the financial statements of a user entity (customer), and is issued under the AICPA and ISAE 3402 standards. Control objectives relate to both business processes and information technology.

2 SOC 2/ISAE 3000 – SOC for service organisations

The SOC 2 report addresses a service organisation’s controls that relate to the AICPA’s Trust Services Criteria for availability, security, processing integrity, confidentiality, and privacy. SOC 2 reports are very common for third parties that provide services such as data hosting, colocation, data processing, cloud storage, and Software-as-a-Service (SaaS).

3 AAF01/20 (financial services sector)

Complementary to the ISAE 3402 reporting standard, this service auditor reporting framework, established by the ICAEW, is focused on the financial services sector.

Key considerations for obtaining a SOC report

Before you request a SOC report from your third party there are various things to consider to make sure that the report is going to give you the assurance you need.

  • Which type of SOC report is right for your third party service provider to meet your assurance requirements?
  • Who is the service auditor and what is their experience and reputation at providing this type of assurance?
  • Which locations and time period are covered? Does it provide adequate coverage for the specific fiscal year?
  • Does the SOC report comprehensively cover all services provided by the third party?
  • Does the report include testing of the operating effectiveness of controls over a specific period of time, or does it only cover suitability of design at a specific point in time?
  • Does the scope of the system include any subservice organisations, and does the report state how their controls are treated?
  • Does the service organisation clearly outline the boundaries of their controls and identify specific controls that are the responsibility of the user entities?

As part of a readiness assessment for Code compliance, you might require assurance over your third parties, or you might need to provide your own customers with some form of SOC report.

The key to commissioning a SOC report or performing a SOC readiness assessment is preparation and early gap analysis, so that there is ample time to remediate any issues identified.