You may occasionally hear from those who believe that no data is safe because of the internet. In most cases, that statement is true, and reports of major data leaks worldwide underscore the need to change how organisations handle data. In today’s business landscape, financial institutions lead the charge in outsourcing various functions to service providers to enhance their efficiency and focus on revenue-generating activities. But this has also raised concerns over the security of customer and other confidential information handled by outsiders. Consequently, the Association of Banks in Singapore issued guidelines in 2015 against which Outsourced Service Providers ("OSPs") are to be audited annually. Among these is the Outsourced Service Provider Audit Report ("OSPAR"), which sets out baseline standards and controls to ensure that the OSPs maintain the same level of governance, rigour and consistency as the financial institutions.
Other guidelines include:
Engagement of external auditor
The OSP should engage a qualified auditor to perform audits in relation to the services that it will provide to the financial institution.
Period between audits
The audits should be scheduled annually with a minimum testing period of six months. The samples selected for testing the operating effectiveness of controls should cover the entire period since the previous audit. If the testing period is less than six months, the audit report should give reasons for this.
Reporting and handling of control failure
When an auditor finds a problem, the OSP is required to report the issue to the financial institution.
Rights of financial institutions
The financial institution retains the right to audit the OSP and its subcontractors. OSPAR certification provides credibility to the OSP and is a guarantee to financial institutions and their clients that the OSP complies with at least a minimum standard of controls and measures expected by the financial services industry.