5 ways to better manage third-party assurance programmes


By Sabine Vollmer

Companies are increasingly expecting outsourcing to do more than reduce costs, but their approach to third-party risk and performance reporting is often less ambitious, Deloitte research suggests.

Nearly one-third (31%) of 280 executives Deloitte polled this year said outsourcing offers an opportunity to increase revenue by driving innovation into the business. Cost reduction remained the primary goal for 59% of executives, and 20% aimed to improve efficiency.

As the use of outsourcing expands, so does the need to share risk and performance reporting, according to another Deloitte poll of 2,070 professionals at third-party service providers and their clients. About 17% of respondents said the number of requests for assurance reports or compliance questionnaires exceeds 30 per year.

The polled professionals had several suggestions on how best to approach a company’s third-party assurance (TPA) reporting process, but 48% said they were unsure their own companies followed those suggestions in managing TPA programmes.

“There’s confusion, a lack of consistency and clarity,” said Dan Kinsella, CPA/CITP, a Deloitte Advisory partner and national third-party risk management leader at Deloitte & Touche.

Constantly evolving regulations and the difficulty of finding technology that meets regulators’ requirements are responsible for the confusion, Kinsella said. But as a 2013 data breach at US retailer Target showed, that doesn’t absolve companies of the responsibility, he said. “You can outsource the activity, but you can never outsource the risk.”

In the data breach, an intruder installed point-of-sale malware on registers in US stores and managed to steal payment card data from approximately 40 million credit and debit card accounts, Target reported in filings with the US Securities and Exchange Commission (SEC).

The intruder gained access through a third-party service provider performing electronic billing, contract submission, and project management for Target. So far, the data breach has cost the retailer about $200 million, according to SEC filings.

To make sure third-party service providers and their customers understand the risks and compliance expectations and stay on top of the ever-changing risk landscape, Deloitte suggests following these five recommendations:

  1. Understand the outsourcing environment that you are working in. Know the internal and external reporting requirements, and take a holistic view of the types of reporting that may satisfy diverse needs.
  2. Integrate control-testing requirements across the enterprise and use a test-once-satisfy-many approach.
  3. Rationalise reporting requirements and control frameworks into non-duplicative, efficient mechanisms to better fit the needs of all parties.
  4. Enhance reporting methodologies and transparency to sustain more efficient and effective communication streams.
  5. Monitor third-party assurance processes and outsourcing relationships proactively by regularly revisiting the approach and considering process automation.

Sabine Vollmer (svollmer@aicpa.org) is a CGMA Magazine senior editor.