1 Third Party Assurance Optimization and Control Rationalization Copyright © 2016 Deloitte Development LLC. All rights reserved.

Third-Party Assurance (TPA) Optimization and Control Rationalization

2 Third Party Assurance Optimization and Control Rationalization Copyright © 2016 Deloitte Development LLC. All rights reserved.

TPA Optimization

For large, complex service organizations, a thoughtful approach to assurance can save time, money, and lead to more satisfied clients and prospects

Understand Integrate Rationalize Enhance

Identify reporting requirements – internal and external

Report definition and inventory

Integrate control testing requirements across the enterprise to reduce work effort

Regulatory requirement mapping

Level set scope and report type requirements

Identification of redundant controls

Identification of control gaps and areas of improvement

Streamline overall TPA approach to better respond to customer queries

Implement salesforce training

Implement regular optimization activities related to TPA trends and industry

TPA Optimization

Monitor

Execute on-going monitoring activities related to third-party assurance requirements, testing, and reporting including common approach

Establish continuous monitoring techniques and technology

3 Third Party Assurance Optimization and Control Rationalization Copyright © 2016 Deloitte Development LLC. All rights reserved.

TPA Optimization - Understand

• Identify internal reporting requirements – SOX, financial audit, operational audits, service level agreements, key performance indicators, etc.

• Identify external reporting requirements – regulatory, industry, and customer

• Report definition and inventory• Reporting type (SOC 1, SOC 2,

AT101, Agreed Upon Procedures, etc.)

• Inventory of reports – internal, customer facing, regulators

• Define TPA environment based on steps above

Understand Integrate Rationalize MonitorEnhance

TPA Optimization

Key Activities: TPA report inventory, regulatory requirement inventory, and extended enterprise mapping

4 Third Party Assurance Optimization and Control Rationalization Copyright © 2016 Deloitte Development LLC. All rights reserved.

TPA Optimization - Integrate

• Integrated control assessments:• Construction of customer facing

integrated requirements dashboards• Identification of targeted efficiency

areas (where there is overlap)• Creation of new controls/scope to

better meet integrated requirements• Regulatory assessments:

• Identification of legislative and other regulatory requirements

• Utilization of an integrated requirements framework

• Mapping control framework to global regulatory requirements

• Identification of gaps• Building global regulatory

testing/monitoring approach

Understand Integrate Rationalize MonitorEnhance

TPA Optimization

Key Activities: integrated control framework, regulatory control mapping

5 Third Party Assurance Optimization and Control Rationalization Copyright © 2016 Deloitte Development LLC. All rights reserved.

TPA Optimization – Rationalize

• Level set scope and report type requirements• What report types best fit

customer/regulator need?• Do the report periods align and meet

customer requirements?• Identification of redundant controls

• Identification and definition of key controls across multiple reporting frameworks

• Utilizing integrated controls, can efficiencies be identified?

• Identification of control gaps and areas of improvement

• Do control gaps exist? If so, remediation efforts should be aligned with broader risk/controls framework

Understand Integrate Rationalize MonitorEnhance

TPA Optimization

FDICIA Privacy 3rd PartyGLBA Basel II SEC ● ● ●

Functional Leads

Compliance Managers

Information SecurityLegal Audit Service/

Arch LeadsCompliance Managers

Lines of Business Corporate IT

INTEGRATED RISK & COMPLIANCE MANAGEMENT

Common Data and Technology Architecture

Common Risk & Compliance Management Processes

Common Risk & Compliance Governance and Requirements

Key Activities: rationalized control set, gap assessment, and risk and control map

6 Third Party Assurance Optimization and Control Rationalization Copyright © 2016 Deloitte Development LLC. All rights reserved.

TPA Optimization – Enhance

Understand Integrate Rationalize MonitorEnhance

TPA Optimization

Key Activities: salesforce training sessions, TPA report repository, customer query process improvement assessment, and report readiness assessments

How does a service organization enhance their brand through third-party assurance?• Streamline overall TPA approach to better respond to customer queries• Implement salesforce training• Implement regular optimization activities related to TPA trends and industry

How does a service organization utilize TPA reporting for a competitive advantage?• Understanding trends and hot topics related to assurance (SOC 2, cyber risk attestations, etc.)

and implementing into the TPA process• Performing readiness exercises and efficiently mapping controls to new requirements• Utilizing online tools/portals for ease of report delivery (for current and prospective customers)

7 Third Party Assurance Optimization and Control Rationalization Copyright © 2016 Deloitte Development LLC. All rights reserved.

TPA Optimization – Monitor

Understand Integrate Rationalize MonitorEnhance

TPA Optimization

• Establishing monitoring activities• People: identification of the right skillsets and stakeholders related to third-party assurance

across the organization• Process: identification of an efficient and effective process for managing third-party

assurance reporting • Technology: Automated Control Execution (ACE) for continuous monitoring

• Utilization of analytics to automate and test controls • Real-time monitoring rather than point in time testing• Testing and design efficiencies

Key Activities: implementation of continuous monitoring technology, third-party assurance monitoring control assessment

8 Third Party Assurance Optimization and Control Rationalization Copyright © 2016 Deloitte Development LLC. All rights reserved.

TPA Optimization – Conclusion

Understand Integrate Rationalize Enhance

Increased outsourcing and regulations are raising the bar on OSPs

Complexity of environment and customer requirements are driving needs and confusion at the same time

Better way to efficiently do this, create sales opportunities through differentiation, and streamline internal processes

TPA Optimization

Monitor

This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.

Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation.

As used in this document, “Deloitte Advisory” means Deloitte & Touche LLP, which provides audit and enterprise risk services; Deloitte Financial Advisory Services LLP, which provides forensic, dispute, and other consulting services; and its affiliate, Deloitte Transactions and Business Analytics LLP, which provides a wide range of advisory and analytics services. Deloitte Transactions and Business Analytics LLP is not a certified public accounting firm. These entities are separate subsidiaries of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.

Copyright © 2016 Deloitte Development LLC. All rights reserved.36 USC 220506Member of Deloitte Touche Tohmatsu Limited