What is a Shared Assessment Audit?
Shared Assessments was created by leading financial institutions, the Big 4 accounting firms, and key service providers to inject standardization, consistency, speed, efficiency and cost savings into the service provider assessment process.
The Shared Assessments Program AUP (Agreed Upon Procedures) is used to document the service provider's management of its information security controls.
The AUP was developed by Shared Assessments Program members with the Big 4 accounting firms acting as Technical Advisers. It provides objective and consistent procedures to be performed under each control area (mapped to ISO 27001) during an onsite assessment. The tests within the AUP are executed by an independent accounting or assessment firm selected by the service provider. The procedures in the AUP are written to follow AICPA professional standards AT (Attestation Standard) Section 201, which sets forth attestation standards and provides guidance to practitioners on performance and reporting in agreed upon procedures engagements. Results of the AUP are provided by the audit or assessment firm directly to the service provider without subjective opinions. In most of the AUP tests, results consist of the population, the sample size and the number of failures within the sample. This allows the recipient financial institution to form its own opinion of the results against its own risk appetite. Depending on the recipient, AUP results may be used in place of a costly onsite assessment, reducing the resources required by both the service provider and the financial institution.
Anecdotal evidence has shown that an AUP can be completed in as little as 4 days onsite.
The end products of the above are wholly owned by the service provider that executes an AUP: it fully owns the documents, the results and their distribution. Only the service provider may decide who receives the results, under its standard non-disclosure agreements.
Why do you need a Shared Assessment Audit?
In the financial industry alone, more than 200 laws, regulations, government bulletins, alerts, and other guidance documents address the information security obligations of financial institutions. Enforcement agencies such as the Federal Trade Commission (FTC) pursue companies whose actual trade practices do not match the information security and privacy statements they voluntarily make to the public.
Adding to financial institutions' responsibilities, government regulators are beginning to require companies to ensure the security of any corporate information that falls under the control of their supply chain.
New legislation makes it clear that these responsibilities constitute a legal and corporate governance issue for upper management. The impact of failure to meet security obligations is no longer just a security breach. In many cases, laws put the onus directly on financial institution CEOs and boards of directors for any security violations.
Many laws require companies to implement ongoing processes to assess risks, identify and implement appropriate security measures, and be responsive to those risks, as well as to update their processes continuously to address new risks. In most cases, laws do not require the use of specific security measures or standards, nor do they offer any related guidance. Companies are left to decide how they will meet the new requirements, understanding that merely implementing so-called "strong security measures" is not sufficient.
To meet today's security requirements, financial institutions must demonstrate due diligence by following internationally proven and accepted standards that show consistency of process and provide maximum protection.
Unfortunately there is no silver bullet or one-size-fits-all industry approach to comply with all applicable laws and regulations, while also meeting client requirements. Instead, financial institutions need a layered, industry-focused approach to compliance.
How can eFortresses assist?
Partner with eFortresses as your assessment firm and benefit from our experienced subject matter experts. The Shared Assessments Program is a way for financial institutions and service providers to streamline the assessment process and raise the bar on security in the financial services industry. Your corporation and your supply chain will achieve substantial economies through our process, drive continuous improvement, and bring consistency to audit practices.
- Raise the bar on security for service providers to the finance industry.
- Reduce costs related to your supply-chain management.
- Because the AUP is mapped to ISO 27001, it strengthens your ISO 27001 program, with the financial institutions' additional requirements built in.
Contact us for a free cost analysis today.