
Audit rights in outsourcing: certifications and third party reports

Out-Law Analysis | 08 Jul 2020 | 1:34 pm

Financial institutions can rely on third party certifications and third party audit reports to help them comply with rules and guidelines around access and audit rights they must provide for in their outsourcing contracts. However, this is not as straightforward as it may seem.

Access and audit rights are often heavily negotiated in outsourcing and other service arrangements. European Banking Authority (EBA) guidelines on outsourcing have added an extra layer of strict requirements that need to be complied with.

What the EBA says on rights of access and audit

Under the EBA's guidelines, institutions must ensure that their outsourcing contracts provide them with "full access to all relevant business premises" of their chosen outsourcing provider, including rights of access to devices, systems, networks and data pertinent to the "outsourced function". This applies where the outsourced function has been assessed as being critical or important, as well as in other cases where the risks merit it.

Provision must also be made in the outsourcing contract for regulators to exercise the same access and audit rights, although those rights of access by regulators must be able to be exercised for all outsourcings the banks enter into, not just those that are critical or important.

Where audit and access rights are to be provided for, the contracts must ensure "unrestricted rights of inspection and auditing related to the outsourcing arrangement".

However, paragraph 91(b) of the EBA guidelines states that a financial institution can rely to an extent on third party certifications and third party or internal audit reports made available by the supplier to comply with the obligations on access and audit.

What are third party certifications and third party or internal audit reports?

Organisations may wish to engage independent third parties to review their policies, procedures, controls and systems. A third party certification is a written assurance provided by an independent body that an organisation's policies, procedures, controls or systems, as applicable, meet a particular defined standard or requirement. The ISO/IEC 27001 family of standards, which covers information security management systems, is a well-known example of such standards.

An audit report sets out the results or findings of an audit or review. Audit reports can be prepared in accordance with particular standards, and can contain opinions. Where the audit is performed by an independent third party, the resulting report is referred to as a third party audit report. If the audit is performed by an organisation's internal audit function, the report produced is referred to as an internal audit report.

When can a financial institution rely on certifications or third party audit reports?

Financial institutions should only rely on third party certifications and third party or internal audit reports if they are satisfied with the audit plan for the outsourced function. Financial institutions need to ensure that the scope of the certification or audit report covers the systems and key controls they identify, and "compliance with relevant regulatory requirements". It is not entirely clear what 'regulatory requirements' the EBA is referring to, though it likely means those regulatory requirements applicable to the financial institution that would also be assessed as part of an onsite audit. Any future versions of the certification or audit report must continue to cover the same key systems and controls. Systems include processes, applications, infrastructure and data centres.

Financial institutions will need to ensure they are satisfied with the aptitude of the certifiers or auditors. This does not only mean they should assess their qualifications and expertise – the EBA guidelines also refer to the need to factor in rotation of the certifying or auditing party, and re-performance or verification of the evidence in the underlying audit file, as part of that aptitude assessment. The reference to rotation, and re-performance and verification, shows an emphasis on ensuring sufficient independence and oversight on an ongoing basis.

Financial institutions also need to be satisfied that the certifications are issued, and audits performed, against widely recognised professional standards. The certifications and audits should include a test of the operational effectiveness of the key controls in place.

These are ongoing requirements. Financial institutions need to thoroughly assess the content of the certifications or audit reports on a continuous basis, and verify that the reports or certifications are not obsolete. Financial institutions must not rely solely on these certifications or reports over time.

Although financial institutions often flow down these conditions for relying on third party certifications and audit reports to the outsourced service provider, they are primarily internal obligations. Financial institutions need to ensure they are themselves satisfied as to the adequacy and sufficiency of the certifications and audit reports. Ultimately, reliance on such certifications and audit reports does not absolve a financial institution from its overall responsibility for outsourcing arrangements.

Contractual requirements where third party certifications or audit reports are relied upon

The EBA guidelines contain two explicit requirements for outsourcing contracts where certifications or audit reports are being relied upon.

Firstly, financial institutions must have the contractual right to request the expansion of the scope of the certifications or audit reports to other relevant systems or controls. This is a point that is often resisted by suppliers. From a service provider's perspective, the attraction of third party certifications and reports can be diminished if they are required to negotiate further with the third party to satisfy the bespoke requirements of a large group of its customers. The number and frequency of requests for modification of the scope should be reasonable and legitimate from a risk management perspective.

Secondly, where the outsourced function is critical or important, the financial institution must retain the contractual right to perform individual audits at its discretion. This final requirement is problematic and arguably undermines the third-party certifications and third-party or internal audit reports regime. This is because an institution would usually only seek to rely on certifications or audit reports where a supplier is resistant to providing an individual audit right in the first place.

In practice, institutions and service providers have responded by negotiating a set of circumstances in which an individual audit right will be triggered. This is an area that financial institutions will need to carefully consider, having regard to the nature of the outsourcing arrangement and the underlying key risks.

Challenges with sub-contractors and cloud service providers

The question of relying on third party certifications and audit reports often arises where an outsourcing arrangement involves the use of sub-outsourcing to large cloud service providers. Cloud service providers commonly favour reliance on third party certifications and audit reports as an alternative to individual audit rights due to the shared nature of their facilities and their large customer base. This is a difficult area for financial institutions and service providers to negotiate, particularly given the bargaining power cloud service providers hold.

Often a service provider is itself willing to grant full audit rights, but is unable to procure the same rights from its sub-contractor. This is a complex issue for financial institutions, and one that needs to be carefully worked through, particularly as the EBA guidelines make clear that a financial institution should only agree to sub-outsourcing if the sub-contractor undertakes to grant the financial institution the same rights of access and audit as those granted by the service provider.

Other considerations for financial institutions

Relying on third party certifications and audit reports is not a one-off exercise, and financial institutions have ongoing responsibilities to ensure the adequacy and sufficiency of these arrangements. Financial institutions need to ensure that their internal policies and procedures on outsourcing reflect the requirements of the EBA guidelines in this regard.

From a practical point of view, financial institutions will need to ensure they have the necessary technical and subject matter expertise to be able to assess and review the certifications and audit reports both before and during the life of the outsourcing arrangement. This is a point made by the EBA itself – any staff of the financial institution reviewing third party certifications or audits must have appropriate and relevant skills and knowledge.

The EBA's guidelines on outsourcing have applied to new outsourcing arrangements from 30 September 2019. Financial institutions have until December 2021 to update their existing outsourcing contracts to meet the standards set out in the guidelines.