More and more companies are outsourcing secondary processes such as personnel administration, ICT services and pension schemes to service companies. In doing so, you as the outsourcing party remain responsible for the execution of these processes. Laying down the agreements in an SLA (Service Level Agreement) is not enough. An SLA mainly provides operational information about the outsourced activities, but provides too little certainty about the quality of the services. You do get that assurance with ISAE3402 reports and TPMs.
What is a TPM?
TPM stands for Third Party Memorandum and is intended to demonstrate the quality of the companies' control and ICT services. If you outsource services to third parties, such as your administration or your ICT services, a TPM report gives you assurance that the service companies have adequately performed the outsourced service. Do you need assurance from your suppliers? Let our independent RSM auditors give an opinion on this. For the details of a TPM, see " What is an ISAE3402 report?
What is an ISAE3402 report?
An ISAE3402 report provides insight into the extent to which the service companies are 'in control' of its processes. In the report, the management of the service companies makes an 'in control' statement to its user companies. An independent auditor then assesses this statement.
An ISAE4302 report takes two forms:
1. Reviewing the design and existence of control measures
2. Reviewing the design, existence and effective operation of control measures for a given period of time
When is an ISAE3402 report required?
This report is mainly applied to outsourced services with a financial relationship to the financial statements, such as asset management, payrolling or HR services. An ISAE3402 report is similar to SOC1. SOC1 can be issued by auditor and IT Auditor.
For outsourced ICT processes, such as IT service providers, data centres and hosting services, where the focus is on security, availability and confidentiality, a SOC2 report is issued by an independent auditor.
How do we proceed?
To carry out a TPM or ISAE3402 audit, we draw up a schedule together with you. For a first-year audit, we recommend starting with a 0 measurement prior to the formal process, to see where your companies stands.
Besides our certifying role, you can also engage us to make your companies 'ISAE3402-ready'. Together with your staff, we will draw up a plan to guide your companies through the certification process. As advice and assurance must be strictly separated, we cannot perform the certification for you in this situation.
More information?
Would you like more information about TPM or ISAE3402 reporting and what RSM IT Audit can do for you in this regard? Please contact our team.