Determination of Needs for the Purpose of IT Attestation

Mads Gadgaard Bjerre

Student thesis: Master thesis


Companies are increasingly outsourcing technology and business processes to service organisations. However, although the technology and processes are outsourced, the risk is not. This has led to increased demand for control assurance of activities performed by third parties. This need is compounded by global competition, various emerging threats, and growing regulatory requirements. In addition, with the recent introduction of new assurance standard reports, many companies are struggling to understand, react, and respond to the implications of these standards. IT attestation helps organisations satisfying requirements regarding third-party risk and compliance assurance and demonstrates the integrity of the control environment. However, in order to gain from the potential benefits, each company has to determine their overall attestation needs. Central elements come into play during the determination process and will be the pivot of the process. The methodical approach comprises observations from practical experience, client interactions and best practice methodology, closely combined with relevant theory, audit standards and relevant legislation. This thesis deals with internal and external needs as well as audit requirements, related internal needs with regards to outsourced IT processes, how they are managed and how the control environment performs in general. External needs are discussed focusing on regulatory requirements and legislation. The audit requirements roots from the reliance on attestation work in regards to the audit process. If elements in the internal or external needs or audit requirements are not covered, the need cannot be fulfilled due to lack of control objectives or irrelevant controls in the control environment, the attestation work is not living up to the potential it was designed to cover. Relevant attestation reports are presented as opportunities for meeting the attestation needs. The requirements are broad and selecting an optimal attestation type is relatively complex. The probability of mastering this selection increases if the three above mentioned focusses are handled correctly and the precise need is determined. Whether the selection of a relevant assurance report is possible and more importantly whether the report actually covers the need is up for discussion. Recommendations originates from this discussion and present actual possibilities, based on the current situation, for a match between the attestation work and the company's need.

EducationsMSc in Auditing, (Graduate Programme) Final Thesis
Publication date2016
Number of pages87