Organisations are increasingly outsourcing activities to third party service providers. It is often difficult however, for an organisation to gain comfort that the third party service provider has implemented robust security controls to protect their confidential and sensitive information. If you are a provider of services to third parties, you can provide ongoing confidence to your clients that you are following good practice, meeting their expectations, and protecting the information entrusted to you. KPMG can help, by offering a broad range of certification and third party assurance services to meet your needs.

The type of assurance you provide to your clients will vary depending upon their specific needs and the services you provide. KPMG provides a variety of services to support you.

These include:

Third party assurance report

A third party assurance report, also known as a Service Organisation Assurance Report (SOAR), demonstrates an appreciation of clients’ risks through obtaining third party assurance on effective processes and controls under an established international framework. These reports are known around the world by a variety of names such as SAS 70, SOC 1 or SOC 2. In New Zealand, these are known by the names of the underlying reporting standards used, being ISAE (NZ) 3000, ISAE (NZ) 3402 and SAE 3150.

Having a third party assurance report over your services also gives you an edge in the market. It shows your controls have been independently audited, and demonstrates your commitment to a robust control environment. It can also be used to reduce the amount of time and effort your customers’ auditors need to spend directly auditing your operations, saving time, money and effort.

Certification

Similar to third party assurance reports, certification can also be performed against specific standards to help demonstrate to management, clients and other third parties, that robust security controls are in place. The most common standard certified against is ISO 27001. This standard focuses on the implementation of an Information Security Management System (ISMS) and covers a variety of areas including physical and environmental security, information security policies, access control and operations security.