Third Party Assurance

Third Party Assurance - Providing assurance to third parties

Organisations are being requested or required to provide more and more information about their internal controls environment to a variety of external and internal stakeholders.

In other terms, anyone who does not have control or direct oversight of information, data processing or other deliverables that are managed, processed or produced by someone else may want assurances that such information, data processing or deliverables are in accordance with their expectations.

Therefore, clients or other interested parties (i.e. "third parties") that rely on others (be it as a customer, service provider or a link in a supply chain) need a robust way of demonstrating that the risks associated with the provision of the service are identified, controlled, measured and managed in a reliable and cost efficient manner.

Third Party Assurance, a general term that we are using to articulate a three-way relationship between various parties and involving PwC, may be an effective mechanism for PwC to provide required independent assurances to another party.

The following illustrates Third Party Assurance relationships that may exist across different industries:

Third Party Assurance relationships

Stakeholder (Third Party)

  • Regulatorybodies
  • Customer / clients
  • Management
  • Board of Directors
  • Market reviewer
  • Auditors
  • Investors

Service Provider

  • Real Estate / Private Equity
  • Asset Managers
  • Transfer agency
  • Fund Administration
  • Custodian Services
  • Health and Insurance
  • Media and technology
  • State Owned Entities
  • Shared Services Centres


  • SOC / ISAE Reports
  • Readiness assessment
  • Agreed Upon Procedures
  • Due Diligence
  • Control optimisation reviews

The following are some of the reports that we can issue:

  • Service Organisation Controls (SOC) Reports
    SOC reports is the terminology used by the American Institute of Certified Public Accountants (AICPA) to refer to reports on controls at service organisations.
    • SOC 1 Reports: AT 801 - Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting
    • SOC 2 Reports: Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy (AT section 101)
    • SOC 3 Reports: Trust Services Report for Service Organizations (SysTrust)
  • ISAE 3402:
    The International Audit and Assurance Standards Board (IAASB) equivalent of SOC1 reports
  • ISAE 3000:
    The International Audit and Assurance Standards Board (IAASB) equivalent of SOC 2
    • Agreed Upon Procedures reports
    • Readiness Assessments

The following are activities for which there is an increasing demand to provide third party assurance reports:

  • Governance and Compliance
  • Regulatory
  • Information Technology
  • Fiduciary
  • Local Tax for investment funds and collective investment vehicles
  • Alternative products in the AM industry
  • Media and technology