- Traditional examinations require the client to know and understand the subject matter
- A direct examination puts more responsibility on the auditor
- A direct examination provides the same level of assurance as traditional examinations
As the market grows and develops, it changes. Some of these changes include renewed marketplace dependence on third parties. To talk about this change, risk evaluations and direct examinations, host Tyler Kern chatted with Weaver’s Neha Patel, Partner-in-Charge of IT Advisory Services, and Alexis Kennedy, Partner of IT Advisory Services.
Patel broke down the current marketplace dynamic: "End to end from an operational standpoint, you still see a lot of organizations rely on different organizations to outsource a couple of their activities or processes." There continues to be a need for consistent and relevant transparency in outsourcing so that risk can be evaluated and processed more accurately.
"When you outsource something, you're putting the actual diligence and production of that service on a third party. However, you still retain some level of risk for them to do that appropriately and make sure that they're doing it according to how you would like them to do it," said Kennedy. Knowing whether the third party can keep customer data secure and deliver on time is essential to evaluating and choosing an outsourcing partner that can assure business capability.
Currently, companies rely on two primary reporting avenues. SOC 1 focuses on financial controls, internal controls and financial reporting, whereas SOC 2 typically addresses data security, availability and confidentiality. SSAE 21 is different. Kennedy explained, "What we are looking at doing here is providing an avenue by which organizations can take maybe smaller subsets of subject matter and issue a report and get third-party assurance."
Having an auditor look at the precise controls of a company is especially important for companies still in their infancy. While the more traditional SOC reports are assertion-based examinations, meaning the client must assert that it has evaluated and understood the relevant subject matter before the examination, the direct examination puts the initiative on the auditor and does not require the client to provide an assertion beforehand. The direct examination pathway may therefore be more attractive for organizations in infancy.
SSAE 21, Patel clarified, is "...less about what management's defining and now more about what the auditor may be comfortable defining and then still providing that same level of assurance." Further, it enables the auditor to perform an examination engagement in which the auditor obtains reasonable assurance by directly measuring or evaluating the underlying subject matter against criteria and expressing an opinion that conveys the results of that measurement or evaluation. SSAE 21 also requires the examination report to state that the auditor is required to be independent and to meet the auditor's other ethical responsibilities in accordance with relevant ethical requirements related to examination engagements.