Against the backdrop of increased focus on internal controls over financial reporting (‘ICFR’) and the importance of management oversight of third-party reporting, our recent experience with several Global Systemically Important Banks (‘G-SIBs’) has identified the following recurring themes.
Common pitfalls over management’s review of third-party controls assurance reports
1. Standard documentation and audit evidence
Because multiple teams are involved across different process flows, companies often adopt different documentation approaches and different methods of managing control-related data. The result is an inconsistent standard of documentation and a general disconnect across the control framework.
The most effective way to manage document reviews and minimum third-party control requirements is to use standardised templates that map each key third-party control to the Sarbanes-Oxley (‘SOX’) risk the entity has identified.
Management teams should also consider including the available internal documentation for any relevant internal assurance work performed, e.g. Third-Party Security Reviews, as evidence of the design and operating effectiveness of IT General Controls (‘ITGCs’).
Where external evidence has been relied upon, management teams should document the SOX Outsourced Service Provider’s (‘OSP’s’) policies and procedures and evidence the operation of the controls through walkthroughs and written (e.g. email) confirmations. Companies can also request that the OSP perform specific control testing to obtain independent assurance, e.g. by asking the OSP’s Internal Audit function to test particular controls.
2. Fourth parties/nth parties
Management teams often fail to document their approach to fourth-/nth-party controls where these are excluded or carved out of a controls assurance report. The approach can be documented in the SOX methodology or in the Audit and Assurance Policy.
For example, management teams should consider obtaining the SOX OSP’s Vendor Risk Management Policy and understanding which controls the OSP performs over its own suppliers, e.g. its review of the fourth party’s SOC report, which could potentially be shared with the entity for independent review.
The best way to document this is to align SOX requirements with the entity’s third-party / sourcing policies, for example by:
a) Integrating SOX triggers into pre-contracting for services provided, with standardised contractual terms requiring delivery of controls assurance report(s); and
b) Ensuring ongoing monitoring metrics are in place, e.g. the OSP is tracked as a critical supplier, and there are controls capturing management’s review of third-party controls for each report or vendor.
3. Testing exceptions
Control deficiencies can have a knock-on effect on other areas of the business as well as on the external audit. A common pitfall is that management performs root cause analysis and remediation but does not analyse the wider impact of the deficiency.
Management teams should assess whether reliance can still be placed on a control that has shown testing exceptions in consecutive years. They should also understand what remediation the SOX OSP has undertaken and why it is sufficient to address the root cause of the exception, and then determine whether compensating controls exist within the entity or whether alternative procedures are required.
4. Lack of documentation over IT dependencies (ITGCs and Business Automated Controls ‘BACs’)
Businesses frequently fail to document operational controls together with the IT systems and ITGCs on which those controls depend. This is particularly prevalent for automated controls and for controls performed within an IT system.
All key automated controls, such as calculations, reconciliations and segregation of duties controls, should be reviewed to confirm that the systems supporting them and any system-generated reports they rely on are adequately documented.
5. Complementary End User Considerations (‘CEUCs’)
Management has often failed to assess whether compensating controls at the entity adequately address CEUCs that have been explicitly carved out of or excluded from the scope of a controls assurance report, and this has limited the entity’s ability to rely on the third-party report.
Management teams should therefore review each third-party assurance report to identify the CEUCs it depends on and assess whether the entity’s corresponding controls are in place and operating effectively.
6. Defining escalation procedures and reliance approach for controls assurance reports
Companies should consider whether escalation procedures are defined so that all issues and risks identified in, or arising from, controls assurance reports are addressed by management on a timely basis.
Examples include inappropriate scoping (the services, report type or controls covered), late delivery of the report, and a report period that leaves part of the entity’s reporting period uncovered.