Which assurance report is right for you?
For organisations going through the controls assurance process for the first time, it can be quite confusing. There are a number of industry and regulatory frameworks that have been developed to assist in this exercise (SOC 1, ASAE 3402, GS 007, ISAE 3402, SOC 2, ASAE 3150, CPS 231, CPS 234 and SOC 3 just to name a few), and choosing which auditing standard is right to satisfy your customers is typically the first step in the process.
Emerging areas of control assurance
I am a fin-tech or similar who wants to become an accredited data recipient in the Open Banking / Consumer Data Right regime.
I am an outsourced service provider with access to consumer data or other sensitive information from an APRA regulated entity.
I am a technology company looking to demonstrate the security, resilience or processing integrity of my technology environment (especially to target the US market).
|As part of your application to become accredited, you will be asked to provide a controls assurance report on your organisation’s information security controls, issued under ASAE 3150. Once accredited, you are required to undertake a biennial independent review to remain accredited.
Read more about Consumer Data Rights.
|You may be asked to provide a controls assurance report to help your customer achieve their monitoring obligations under CPS 231 and CPS 234. Typically, these reports are issued under ASAE 3150 or System and Organisation Control reporting 2 framework.||You may be asked to provide a controls assurance report on security, availability, processing integrity, confidentiality and/or privacy under System and Organisation Control reporting 2 (SOC 2).
Read more about SOC 2 reporting here.
Older, legacy standards
I am an outsourced service provider supporting business, financial or technology processes that are relevant to my customer's financial reporting.
I am an outsourced provider of investment management services or supporting technology.
|You may be asked to provide a controls assurance report under ASAE 3402. Depending upon who your customers are, they may be more familiar with the terms SOC 1 (primarily US-based customers) or the ISAE 3402. It is worth noting, however, that the difference between these standards is minimal.||You may be asked to provide a controls assurance report under Guidance Statement (GS) 007. GS 007 is a special type of ASAE 3402 report with a focus on one or more of the following services:
2. Asset management
3. Property management
4. Superannuation member administration
5. Investment administration
7. Information technology
Why partner with Grant Thornton for controls assurance?
In our experience, controls assurance engagements are often lumped together with other audit initiatives. As a result, we have observed many incidents of the controls assurance engagement being deprioritised, performed by inexperienced resources or, at worst, performed with a lack of transparency over the true cost of the work. Perhaps due to these factors, we have established a trusted reputation in performing controls assurance engagements for organisations outside of their normal financial audit work and we pride ourselves on delivering where others may have fallen short.
Our controls assurance team consists of approximately 20 national resources experienced in all aspects of the development and testing of control assurance programs. As a result, it is uncommon for us to encounter issues that we have not dealt with before and we leverage our experience to make the assurance process as easy as possible for our clients.
As topics such as auditor rotation and failings of corporate governance continue to dominate the headlines, our team is focussed on ensuring independence from the outset and at all times, and are confident that our safeguards are strong.
We understand that keeping things simple is a recipe for success. To help simplify the controls assurance journey for our clients, we have developed ‘best practice’ control frameworks for each of the standards outlined above. For our clients who are just starting out, this means that you will be able to fit our control frameworks to your existing processes. For clients who have previously issued an assurance report, we use these control frameworks as a sanity check to make sure that there are no existing gaps and give increased confidence that the resulting report will satisfy your customers.
Subscribe to receive our publications
Subscribe now to be kept up-to-date with timely and relevant insights, unique to the nature of your business, your areas of interest and the industry in which you operate.