It is a truism that financial services organisations across the world have found themselves under greatly increased scrutiny through the economic downturn. National governments have stepped in to provide liquidity, shore up banking balance sheets or in some cases take institutions into public ownership. Governance and scrutiny have increased across the breadth of financial businesses, whether as a requirement for shareholders, enhanced regulation or more informed client compliance. Risk, which is present in all businesses, needs to be more visible and better understood – through control and assurance.
Data control and assurance is clearly crucial and new risk management requirements are placing increasing burdens on information systems and technology. Already, the level of complexity of information systems means that extracting, analysing and presenting meaningful information from the plethora of data is a challenge that many organisations are struggling to meet.
For many years, top-flight organisations have sought formal assurance concerning operational controls and numerous standards have emerged. In the post Sarbanes-Oxley era, audit driven standards have come to the fore. More recently these have been combined into the international ISAE3402 (‘ISAE’ comes from the International Standard on Assurance Engagements), which has become the de facto global standard. Any organisation that has significant activity in investment management or fund administration or any need to provide protection or safe custody of assets, whether real or digital, needs to be considering formal assurance, whether for regulatory (including SOX) or competitive reasons.
For offshore-based institutions the control and assurance issues are often even more acute since they perhaps do not have the scale to set up major financial information reporting projects.
Typically, an organisation needs to start with defining and implementing an information strategy. This needs to align a number of perspectives, from corporate governance, to regulatory through client assurance, product development, and technology issues. Finally, assurance needs to be provided through an independent and trusted review and continuous reporting.
Further, many organisations use technology service providers so that they can concentrate on their core financial service functions. Hence, any requirements for assurance in terms of financial information reporting and control are multiplied when using technology providers. This can be the case whether the providers simply offer real estate hosting services or fully outsourced services.
ISAE3402 covers principles of security, privacy, confidentiality, availability and process integrity. ISAE3402 was derived from within the accounting space by the International Auditing and Assurance Standards Board (IAASB). Its advantages are:
- It covers both financial and non-financial control processes.
- Like other audit standards, it requires third party continuous audit.
- It can give detail about how processes work as well as operating effectiveness.
- It can be mapped to other frameworks (eg, ISO27001, CSA, Solvency II, PCI DSS etc).
- It has full international recognition.
In addition, the ISO type accreditations provide only a framework for adhering to process but no actual assurance of value protection. This is why the IASE3402 standard is expanding from asset managers and investment advisers to wider service organisations, including IT service providers.
The service auditors issue an unqualified opinion when they are satisfied that
- the description of controls fairly presents the system that was designed and implemented through the period in scope,
- the controls related to the control objectives are suitably designed to provide reasonable assurance that the control objectives would be achieved if the controls operated effectively throughout the period in scope, and
- the controls tested, if operating effectively, were those necessary to provide reasonable assurance that the control objectives operated effectively throughout the period in scope.
In the offshore market, Itex has been pursuing ISAE3402 accreditation for some time and has gained Type 1 assurance. This move was in response to requests from our more advanced and far-sighted clients for such formal assurance. In order to obtain this assurance, Itex has worked with one of the leading global audit organisations to firmly embed all necessary processes, practices and reporting to guarantee asset protection.
Ian Jauncey, Managing Director, Itex