Frequently Asked Questions

Is Shared Assessments a certification?

No. The Shared Assessments Program is a process by which organizations gather detailed information on a service provider's controls (people, process and procedures) and test those controls. Each outsourcer will need to evaluate Shared Assessments Program reports as part of its overall risk assessment and management process.

Does the Shared Assessments Program evolve with regulatory changes?

Yes. That process is managed by the Program's Technical Development Committee (TDC). The TDC meets semiannually to discuss appropriate adjustments to the documents and ensure they are aligned with regulatory changes. Additionally, the tools have been mapped to ISO 27022, PCI-DSS 1.1, and COBIT.

Will the Shared Assessments Program eliminate our company's need to conduct testing at the service provider's location?

No, anyone may perform an assessment. Service providers are encouraged to engage reputable firms that their clients will view as credible.

I already provide my clients with a SAS70. How is Shared Assessments different?

There are important differences between Shared Assessments and the SAS70.

The SAS70:

  • Is designed to report on controls that have a financial statement assertion impact
  • Results in auditor-to-auditor communication
  • Requires the service auditor to use judgment in forming their opinion(s) on whether:
    • The service organization description of controls is fairly presented
    • The controls are suitably designed, and in the case of a Type II report, are operating effectively
  • Is flexible in scope to allow service auditors to address a variety of service organization control processes, and thus will not be consistent from one client to the next

The Shared Assessments Program:

  • Is designed to be risk-oriented
  • Provides raw data for financial institution use
  • Provides a consistent testing framework to evaluate controls
  • Contains detailed testing results for each procedure
  • Requires individual financial institutions to make their own judgment regarding sufficiency of controls based on the results presented


How can my company get involved?

There are a number of ways to get involved in Shared Assessments. First, adopt and integrate the tools into your vendor management program. Second, contribute to the evolution process and join the Shared Assessments Working Group, a unique community of industry leaders. Working Group membership gives your company access to regular meetings with other member outsourcers, service providers and assessment firms, and a voice in the development of the Shared Assessments industry standards.

For more information about membership, contact Michele Edson, michele@santa-fe-group.com, or call Michele at 831-637-1879.