Exposure Draft of Standard on Internal Audit (SIA) 530, Third Party Service Provider (Comments to be received by February 05, 2020)
STANDARD ON INTERNAL AUDIT (SIA) 530
THIRD PARTY SERVICE PROVIDER
The Internal Audit Standards Board of the Institute of Chartered Accountants of India (ICAI) invites comments on Standard on Internal Audit (SIA) 530, Third Party Service Provider.
Comments are most helpful if they indicate a clear rationale and, where applicable, provide a suggestion for alternative wording.
Comments can be e-mailed to firstname.lastname@example.org or email@example.com
Last date for sending comments is February 05, 2020.
STANDARD ON INTERNAL AUDIT (SIA) 530
THIRD PARTY SERVICE PROVIDER
This Standard on Internal Audit (SIA) 530, “Third Party Service Provider,” issued by the Council of the Institute of Chartered Accountants of India (ICAI) should be read in conjunction with the “Preface to the Standards on Internal Audit”, “Framework Governing Internal Audits” and “Basic Principles of Internal Audit” issued by the Institute.
1.1 This standard deals with the responsibility of the Internal Auditor regarding the risks that arise in situations where some part of the entity’s business operations, processes and information resides with Third-Party Service Providers (TPSPs).
1.2 When an organisation outsources some aspect of its business operations and information processing to TPSPs, which perform the business function or collect, store, process, transmit, maintain and dispose of information concerning the business, this presents unique risk management challenges for that organisation (the “User Entity”).
These risks normally surface in the areas of business processing, financial and operational management, information security, legal compliance, business continuity, etc. In such situations, the Information Technology (IT) systems where this information resides are generally managed by the TPSP and hence are not directly available to the organisation. With increased reliance on third-party service organisations, there is a need to review and assess these risks, residing elsewhere, in an effective manner.
1.3 The nature and extent of work to be performed by the User Entity’s Internal Auditor depends upon the importance of the business process information to the User Entity and the significance and relevance of the outsourced services to the audit. The extent of work also depends on whether the TPSP gives assurance to its User Entities in the form of a “Third Party Audit and Assurance (TPAA)” report, which communicates information about the risk management and control environment prevailing at the TPSP.
1.4 Scope: This standard applies to both TPSPs and their User Entities and outlines the requirements for conducting internal audits in this context.
2.1 The primary objective of this standard is to outline the key requirements for providing independent assurance over information residing with third-party service providers. These requirements are in the nature of:
(a) Assessment of risks associated with securing and protecting the information;
(b) Evaluation of adequacy of controls to address risk of errors and irregularities from financial, operational processing and reporting requirements;
(c) Cost and operational efficiencies in the collection, storage and processing of company information; and
(d) Ensuring compliance with IT policies and standards, as well as contractual, statutory, and regulatory requirements.
2.2 One objective is to issue an independent audit report on the TPSP’s controls. These reports are designed to help the User Entity build trust in the controls at the TPSP. Conversely, these reports also give the TPSP confidence in its own service delivery processes and controls.
2.3 Another objective of this standard is to outline the requirements for the Internal Auditor in evaluating a TPAA report provided by an independent auditor covering the outsourced processes of the TPSP.
3.1 The Internal Auditor shall study and evaluate the scope of TPSP services and the governance and oversight process in place to outsource and manage the risks of deploying TPSPs, especially those TPSPs that have access to and control over critical information of the User Entity (refer Para 4.1).
3.2 The Internal Auditor shall review the pre- and post-engagement due diligence undertaken by the entity, including an assessment of the control environment at the TPSP. This review shall include an assessment of which controls are retained in-house and which are outsourced, so that the scope and plan can be defined to review the control procedures necessary on both sides (refer Para 4.2).
3.3 A periodic independent risk assessment of each third-party arrangement shall be conducted by management and reviewed by the Internal Auditor to ensure that adequate control activities are designed, implemented and operating effectively (refer Para 4.3).
3.4 The Internal Auditor shall conduct an independent audit of the TPSP (where permissible), which shall include the TPSP’s entity-level controls, IT controls and process controls. The scope shall cover evaluation of the periodic, on-going performance monitoring controls and procedures in place to ensure the desired level of service, control design, implementation and operating effectiveness. The review shall be undertaken in compliance with the Standards on Internal Audit, especially Standard on Internal Audit (SIA) 520, Auditing in an Information Technology Environment (refer Para 4.4).
Where the TPSP itself uses another entity that performs functions or processing for the service provider which may form part of the user organisation’s information system, the Internal Auditor may either review that entity as part of the audit scope or consider relying on the work of other auditors.
3.5 Where the Internal Auditor does not perform an independent audit but instead obtains TPAA reports, the review of those reports shall be undertaken in compliance with Standard on Internal Audit (SIA) 240, Using the Work of an Expert, and Standard on Internal Audit (SIA) 520, Auditing in an Information Technology Environment (refer Para 4.5).
4.1 The Internal Auditor of a User Entity outsourcing to a TPSP shall review the scope of outsourcing and the third-party governance and oversight process. Certain key elements of the third-party governance and oversight process are as follows (indicative list):
(a) A comprehensive database of all third-party arrangements and their respective business owners;
(b) Categorisation of each arrangement based on various criteria such as age of the relationship, service type, locations, risk assessment, cost/benefits, etc.;
(c) Evaluation of the business criticality of the arrangement and the significance of the service provided to the User Entity, especially to its system of risk management and internal controls;
(d) The roles and responsibilities of the User Entity officials charged with governance and oversight of these arrangements, and the manner in which they are discharging their responsibilities;
(e) A summary of how the arrangement was established, and details of the contractual obligations during and after termination of the arrangement;
(f) Details of the Service Level Agreements (SLAs), and the manner in which these are measured, verified and monitored for compliance;
(g) The systems and controls through which all the information of the User Entity is collected, processed, stored and secured; and
(h) An overview of the nature of the governance and oversight mechanisms in place at the third-party service provider level to protect the company information, including details of any TPAA reports to be provided by the TPSP to the User Entity, or of arrangements granting the User Entity the right to audit and to seek information as required.
4.2 The User Entity shall undertake a due diligence review of the governance, risk and control environment at the TPSP and of its ability to provide highly reliable and secure IT systems. Apart from conducting a background check of the TPSP, an assessment should be made of its ability to conduct business with high integrity and in a safe and secure manner.
At times a TPAA report issued by an independent service auditor can provide assurance of the reliability of the IT systems in place, in which case the Internal Auditor should review the reliability of the TPAA report by examining the scope and details of the audit procedures undertaken. After engagement of the TPSP, procedures should be undertaken to on-board the staff and management of the TPSP for implementation of all systems and controls necessary to ensure a seamless service, in line with expectations. For outsourced activities, a plan covering the scope of controls should be prepared for both the pre-transition and post-transition phases.
4.3 An independent risk assessment of the third-party relationship shall be performed by the Internal Auditor, taking into account the nature of the services provided and their criticality to overall business management and financial reporting. For example, considering the risk of a data breach: even though a call-centre TPSP of the User Entity may not be engaged in any financial transaction processing, it may still have access to the User Entity’s customer database, which would be business-critical information.
The non-disclosure agreement protecting the information may also be covered as part of the risk assessment. The Internal Auditor will review the controls at the TPSP and highlight any missing or weak controls over risk exposures, and any further steps required to strengthen the controls. The contractual arrangements with the TPSP should permit the Internal Auditor to conduct such a risk assessment, including the necessary internal audit procedures covering the in-scope outsourced services, at an adequate frequency.
4.4 The Internal Auditor will undertake a review of the steps taken by management to periodically monitor the performance of the TPSP, in line with the SLAs and other legal stipulations. In addition, there shall be a regular assessment of any independent reviews undertaken at the TPSP by a service auditor and of the resulting TPAA reports.
The Internal Auditor will gather sufficient and reliable evidence to confirm adequate mitigation of the risks emanating from the outsourcing of services to the TPSP. Monitoring by management needs to be a continuous, on-going exercise, and the comprehensiveness of the assessment will depend on the risk rating of the service organisation.
4.5 The independent third-party audit report submitted by the TPSP shall be evaluated considering the risks assessed for the outsourcing and the corresponding processes and controls. Certain activities or processes are retained by the User Entity, and the Internal Auditor will review the controls retained at the User Entity in order to form an overall opinion on controls.
The Internal Auditor will ensure that the review of the TPAA report was undertaken in compliance with Standard on Internal Audit (SIA) 520, Auditing in an Information Technology Environment.
5.1 This Standard is applicable for internal audits beginning on or after a date to be notified by the Council of the Institute.