The demands for increased transparency and trusted information being placed on companies by their stakeholders, including regulators, investors and society have never been greater. Recent corporate failures, scandals and data breaches continue to amplify stakeholder concerns.
Locally, the GFSC is tuned in and responding, issuing a Code of Corporate Governance which will apply to Guernsey regulated entities from 1 January 2012.
From next year all companies will have to confirm to the GFSC that their directors have considered the effectiveness of their corporate governance practices and are satisfied with their degree of compliance with the code.
As a company director, particularly if you outsource a critical business function to an external service provider, such as a fund administrator or custodian, how do you assess these concerns and ensure you can sign your assurance statement to the GFSC?
Well the starting point should be Third Party Assurance (“TPA”) reporting. Last decade these reports were mainly the remit of major global operators, driven by US legislation such as Sarbanes-Oxley. Post financial crisis though, we’ve seen demand for these reports increase across all industries in Europe and in our local market.
It’s important to realise from the outset, that a TPA report doesn’t just benefit your stakeholders. This is not just an added cost to running your business. For those service providers that get it right there could be an opportunity to develop a response to the transparency challenge that gives your business a strategic advantage.
In essence, it’s an assurance report by a professional accountant on the controls operated by a service provider, which can be given to a customer of the service provider. They’re most commonly known as SAS 70 reports, but this particular US standard has now been superceded and locally we expect the new International Standard on Assurance Engagements (ISAE) 3402 – Assurance Reports on Controls at a Service Organisation, will be the preferred choice of standard.
The days of these reports existing just to satisfy the auditors are long gone. Third party assurance reports have value for businesses, their stakeholders and their auditors. For instance, Principle 4 of the GFSC Corporate Governance Code sets out requirements concerning accountability. The related guidance states that the Board retains responsibility and accountability for all material outsourced functions. A third party assurance report will provide detailed information about the control environment of the service provider so is an essential tool in helping the Board satisfy their requirements for good corporate governance.
First check the scope to ensure it’s relevant. The report may have been prepared solely for a specific location or business activity so you shouldn’t assume your business is covered by it. Also check if the operation of the controls has been tested over a specified period (a Type 2 report) or if the design of the controls has just been assessed at a single point in time (a Type 1 report). Whilst a Type 1 report will provide you with an understanding of the controls operated by the service provider, the comfort you and your auditors can place on it is limited compared to a Type 2 report.
Read the audit report to ensure a clean opinion has been given. In the unlikely case that the opinion has been qualified due to a significant issue being identified, hopefully your service provider will have already contacted you to explain the reasons but if not, you obviously need to discuss this immediately with them.
Next review the control activities to identify whether any minor exceptions have been identified during the evaluation and testing of the controls. Whilst these exceptions would not have been serious enough to lead to a qualified opinion, you may need to investigate further and even perform some testing yourself to ensure your business has not been impacted.
Finally read the rest of the report to gain an understanding of the activities and overall control environment to confirm that they are consistent with your knowledge of the service provider. Any surprises may alter your assessment of the risk of working with that service provider.
If your organisation provides outsourced services and your customers’ control environment is dependent on your systems, procedures and controls then why not provide a report on your internal controls so that you can demonstrate that you are doing the right things and doing things right.
Obviously there may well be some investment you have to make in remedial action and procedure enhancements, as well as the cost of the report to get your TPA report. But the difference it can make to your strength once in place will give you a great return on investment.
Firstly, any changes made to the control environment whilst preparing for the report will improve your business effectiveness, giving you greater peace of mind that your business is robustly managed and potentially bringing financial savings. It’s an extremely well structured, effective way of raising the bar internally that will also reduce the number of audits you are subject to as your customers’ auditors can take reliance on the report.
Secondly, looking at your ability to win and retain clients, TPA reports are strong market differentiators that say you are confident in your controls and you welcome external review. So with a TPA report, you’re likely to be ranked much higher in an investment manager shortlist of service providers, than those that don’t have one.
Finally, to get the very best value from your report don’t forget to tell everyone that you’ve done it.
And remember, amongst all the carrots that make TPA’s attractive, there is also the stick, in the future it may become such a pre-requisite that not having one will stop you even making selection shortlists.
Guernsey’s finance industry is built upon a long standing reputation of quality and professionalism. Good corporate governance and third party assurance reports are a positive step to maintain standards across the industry and early adoption by service providers offers a strategic advantage in the global marketplace.