Outsource service providers are struggling with how best to meet varied and growing assurance demands from their clients, with many scratching their heads over whether they are taking the best approach in improving their reporting process.
Of more than 2,700 participants in a recent Deloitte webcast, 17 percent said they receive so many requests for assurance reports or compliance questionnaires from customers or regulators each year that the requests are too numerous to count. Nearly half said they don’t know how many questionnaires the company receives. The toughest questions to answer, participants said, are those focused on security, followed by industry-specific rules or regulations.
That’s likely not very comforting to public companies that rely on third parties for outsourced services, just as companies grow more reliant on outsourcing and as regulators put more pressure on companies to take ownership of the controls that govern their outsourced data or information. “The need to get information around what you are outsourcing is greater than what’s ever been,” says Dan Kinsella, a partner and third-party risk management leader at Deloitte.
Auditors are seeing big increases year over year in outsourcing, “and it’s getting closer to core,” says Kinsella. Companies are outsourcing more technology, applications, and application management, for example, that are central to the operation of the business, not just activities at the periphery, he says. “We know of companies that don’t do anything in IT,” he says. “It’s all outsourced.”
Audit firms like Deloitte and PwC, who are on both sides of the audit demand serving both service organizations and their clients, are trying to be proactive with service organizations to help them streamline their third-party assurance requests. Deloitte calls it “third party assurance optimization.” At PwC, they refer to it as “SOC 2 plus,” suggesting a boost to the accounting profession’s standard reporting process for facilitating third-party assurance requests.
Directors at companies in the business of providing outsourced services are lamenting what they spend on compliance activities and are asking for ways to make the process more efficient, says Kinsella. “Right now, the number of reports they provide coupled with individual unique questionnaires they get -- it’s complete insanity,” says Kinsella. “We have customers getting thousands of questionnaires, hundreds of requests each quarter for on-site visits, plus the reports they are already providing.”
Deloitte’s optimization approach involves taking stock of the various third-party assurance requirements a given service provider faces, and aligning them so testing for the benefit of one requirement can satisfy many other requests. “It’s a mapping exercise,” say Kinsella. “There are a lot of frameworks, and there’s a lot of overlap among all of them. We’re seeing a concerted effort at sophisticated companies to look at how we can do this in a cohesive fashion.”