Reports of data breaches and malicious attacks on companies have been rife and now outsourcers are scrambling to reassure their clients, according to PricewaterhouseCoopers (PwC).
It has become vital for companies which provide administration and data services to other businesses to explain how they operate and protect their services to establish and maintain credibility.
According to PwC, an increasing number of outsourcers are working to reassure their stakeholders through an independently assured report that all their processes are robust and client data is safe.
These third-party service organisations are looking to stimulate greater trust among their clients through increased transparency in their controls and turn this into competitive advantage, said PwC.
Outsourcers keen to allay security fears
Outsourcers can use either the newly updated US Statement of Auditing Standards 70 (SAS 70) to provide assurances that adequate controls are in place, or apply the new ISAE 3402 standard, which is a way for companies to improve standards of internal control.
"Breakdowns in internal controls have been widely publicised by the media. Companies are increasingly looking for comfort that the operational activities that they have outsourced, be it transaction processing, logistics management or cloud computing, are being properly controlled," said Neil Hewitt, partner at PwC.
Perhaps the biggest area of cross-sector risk today involves data privacy, integrity and reliability, along with concerns arising from IT trends, including cloud computing, offshore datacentres, digital transformation and social networking, said PwC. But being safe in the knowledge that confidential information is secure is a priority for all companies outsourcing services and their stakeholders.
Applying adequate controls
In the financial services industry investors have been looking for greater transparency around internal controls for years, but in other industries where regulation is imminent but uncertain, companies are still gearing up for greater scrutiny by getting their houses in order.
ISAE3402 provides the independent assurance of SAS70, but it also requires much greater commitment from the outsourcer in the form of a "management assertion" confirming that the controls put in place are adequate.
The new standard, therefore, seeks to build trust by asking companies to consider whether their control objectives and the controls themselves fully address the risks in their business, and requires companies to ensure the descriptions of their systems and processes include appropriate information on the types of services provided, the control activities in place, and details of change during the year.
Even though the differences between SAS70 and ISAE3402 are subtle, PwC has been working with a number of organisations to work through what this will mean for their business and the reports they will issue under ISAE 3402.
Hewitt said each new data breach story brings with it a renewed focus on the importance of robust internal controls and companies' ability to report on them.
"2011 may be a good time for all companies to remap their businesses risk information and demonstrate to existing and potential customers how seriously they take the quality and security of their services," he says.