Outsourced Service Provider Audit Report (OSPAR)
of
[Name of Outsourced Service Provider]
[Outsourced Service Description]
Period covered
[dd Month 20yy] until [dd Month 20yy]
This report is confidential and restricted to use by [Outsourced Service Provider] and [specific / banking] clients only
Notes from ‘The Association of Banks in Singapore’ (ABS)
This ABS Outsourced Service Provider Audit Report (OSPAR) Template version 1.1 is documented with reference to the ABS Guidelines on Control Objectives & Procedures for Outsourced Service Providers version 1.1.
The auditors engaged by the Outsourced Service Providers (OSPs) to perform the control audits against the ABS Guidelines on Control Objectives & Procedures for Outsourced Service Providers must use this OSPAR template to document the OSPs’ control audit results. This OSPAR template documents the minimum contents to be included in the control audit reports of the OSPs. This template also aims to provide the report structure to document the control audit results of the OSPs in a consistent manner, enabling the Financial Institution (FI) clients of the OSPs to interpret the control audit results accurately.
The engaged auditors may choose an audit framework/standard such as ISAE3000 / SSAE3000 for performing and signing off on the audits of the OSPs.
Audit firms that wish to perform these control audits need to submit the CVs of their auditors to ABS by emailing to .
<ABS Comment for Auditors: Please remove all the ABS comment clauses in this template when delivering the audit reports to the OSPs.>
Contents
Section 1 / Management of [Name of OSP] Assertion Regarding Its Services Throughout The Period [dd Month yyyy] to [dd Month yyyy]
Section 2 / Independent Auditor’s Summary Report
Section 3 / Description of OSP’s Services Throughout The Period [dd Month yyyy] to [dd Month yyyy]
Overview and Background
Financial Institution (FI) Clients’ Responsibilities
Components of the Services Provided
Components of the Technology Related Services
- ENTITY LEVEL CONTROLS
- GENERAL INFORMATION TECHNOLOGY (IT) CONTROLS
- Logical Security
- Physical Security
- Change Management
- Incident Management
- Backup and Disaster Recovery
- Network and Security Management
- Security Incident Response
- System Vulnerability Assessments
- Technology Refresh Management
- SERVICE CONTROLS
- Setting-up of New Clients/Processes
- Authorising and Processing Transactions
- Maintaining Records
- Safeguarding Assets
- Service Reporting and Monitoring
Section 4 / Applicable ABS Controls Criteria, Tests of Controls and Test Results
Section 1 – Management of [Name of OSP] Assertion Regarding Its Services Throughout the Period [dd Month yyyy] to [dd Month yyyy]
<ABS Comment: OSP Management must provide the engaged auditor(s) with a written assertion, which is attached in this section as management’s description of its organisation’s services. If OSP Management refuses to provide a written assertion, this represents a scope limitation and, consequently, the auditor(s) should withdraw from the engagement.>
[OSP’s Letterhead]
[Name of OSP]'s Assertion
<ABS Comment: OSP Management is to provide users of this control audit report with information about the [type or name of] services the OSP provides, particularly the service controls intended to meet the criteria set forth in the ABS Guidelines on Control Objectives & Procedures for Outsourced Service Providers, and to confirm the statements below to the best of the OSP’s knowledge and belief.>
- We have prepared the attached description titled “Description of [name of OSP]'s [type or name of] Services Throughout the Period [dd Month yyyy] to [dd Month yyyy]” (the “Description”). The Description is intended to provide users of this control audit report with information about the [type or name of] services, particularly service controls intended to meet the criteria set forth in the ABS Guidelines on Control Objectives and Procedures for Outsourced Service Providers. We confirm, to the best of our knowledge and belief, that the Description fairly presents the [type or name of] services throughout the period [dd Month yyyy] to [dd Month yyyy], based on the following Description criteria:
- The Description contains the following information:
- The types of services provided
- The components of the system used to provide the services, which are the following:
(1) Infrastructure: The physical and hardware components of a system (facilities, equipment, and networks)
(2) Software: The programs and operating software of a system (systems, applications, and utilities)
(3) People: The personnel involved in the operation and use of a system (developers, operators, users, and managers)
(4) Procedures: The automated and manual procedures involved in the operation of a system
(5) Data: The information used and supported by a system (transaction streams, files, databases, and tables)
- The boundaries or aspects of the services covered by the Description
- How the services/systems capture and address significant events and conditions
- The processes used to prepare and deliver reports and other information to the Financial Institution (FI) Clients or other parties
- If information is provided to, or received from, [sub-contractors or][1] other parties, how such information is provided or received; the role of the [sub-contractors or]1 other parties; and the procedures performed to determine that such information and its processing, maintenance, and storage are subject to appropriate controls.
- For each applicable ABS controls criterion, the related controls designed to meet that criterion [including controls at the sub-contractors[2]].
- [For sub-contractors presented using the carve-out method, the nature of the services provided by the sub-contractors; each of the applicable ABS controls criteria that are intended to be met by controls at the sub-contractors, alone or in combination with controls at the OSP, and the types of controls expected to be implemented at carved-out sub-contractors to meet those criteria]1
- Any applicable ABS controls criteria that are not addressed by a control at the OSP [or a sub-contractor]1 and the reasons therefore
- Other aspects of the OSP's control environment, risk assessment process, information and communication systems, and monitoring of controls that are relevant to the services provided and the applicable ABS controls criteria
- Relevant details of changes to the OSP's services/system during the period covered by the Description
- The Description does not omit or distort information relevant to the OSP’s services while acknowledging that the Description is prepared to meet the common needs of a broad range of users and may not, therefore, include every aspect of the services that each individual user may consider important to his or her own particular needs
- The controls stated in the Description were suitably designed and implemented throughout the period [dd Month yyyy] to [dd Month yyyy] to meet the applicable ABS controls criteria
- The controls stated in the Description operated effectively throughout the period [dd Month yyyy] to [dd Month yyyy] to meet the applicable ABS controls criteria.
Section 2 – Independent Auditor’s Summary Report
<ABS Comment to Auditors: The following section is for the engaged auditor to document the auditor's summary report. This should be used in conjunction with the ABS Guidelines on Control Objectives & Procedures for Outsourced Service Providers, in reporting on controls at the OSP relevant to the ABS controls criteria.>
[Auditor’s Letterhead]
Report of Independent Service Auditors
To the Management of [Name of OSP]
Scope
<ABS Comment to Auditors: The engaged auditors are to use the respective clauses below based on the method used for the control audit of the OSP:
Method 1 – the OSP does not use any sub-contractor.
Method 2 (Inclusive) – the OSP uses sub-contractor(s) and this control audit report includes the audit of OSP’s sub-contractor(s).
Method 3 (Carve-out) – the OSP uses sub-contractor(s) and this control audit report excludes the sub-contractor(s)’ relevant control objectives and controls from the Description and from the scope of the auditor’s engagement.>
ABS Comment to Auditors: Method 1 Clauses - when the OSP does not use any sub-contractor>
[We have examined the attached description titled "Description of [Name of OSP]'s [name or type of] Services Throughout the Period [dd Month yyyy] to [dd Month yyyy]"[3] (the “Description”) and the suitability of the design and operating effectiveness of controls to meet the controls criteria set forth in the ABS Guidelines on Control Objectives & Procedures for Outsourced Service Providers, throughout the period [dd Month yyyy] to [dd Month yyyy].]
<ABS Comment to Auditors: Method 2 (Inclusive) Clauses>
[We have examined the attached description titled "Description of [Name of OSP]'s [and Name of Sub-contractor]'s [name or type of] Services Throughout the Period [dd Month yyyy] to [dd Month yyyy]"1 (the “Description”) and the suitability of the design and operating effectiveness of controls to meet the controls criteria set forth in the ABS Guidelines on Control Objectives & Procedures for Outsourced Service Providers, throughout the period [dd Month yyyy] to [dd Month yyyy]. [Sub-contractor Name] is an independent Outsourced Service Provider that provides [type of services] to [Name of OSP]. [Name of OSP]'s Description includes a Description of those elements of its service provided by [Name of Sub-contractor], the controls of which help meet certain applicable ABS controls criteria.]
<ABS Comment to Auditors: Method 3 (Carve-out) Clauses>
[We have examined the attached description titled "Description of [Name of OSP]'s [name or type of] Services Throughout the Period [dd Month yyyy] to [dd Month yyyy]"3 (the “Description”) and the suitability of the design and operating effectiveness of controls to meet the controls criteria set forth in the ABS Guidelines on Control Objectives & Procedures for Outsourced Service Providers, throughout the period [dd Month yyyy] to [dd Month yyyy].
[Name of OSP] uses [a] [type(s) of] sub-contractor organisation[s] for its [activities performed by the sub-contractor[s]][4]. The Description indicates that certain applicable ABS controls criteria can only be met if controls at the sub-contractor organisation[s] are suitably designed and operating effectively. The Description presents [Name of OSP]'s services; its controls relevant to the applicable ABS controls criteria; and the types of controls that the OSP expects to be suitably designed, implemented and operating effectively at the sub-contractor organisation[s] to meet certain applicable ABS controls criteria. The Description does not include any of the controls implemented at the sub-contractor[s]. Our examination did not extend to the services provided by the sub-contractor[s].]
Outsourced Service Provider's Responsibilities
[Name of OSP] [and name of sub-contractor][5] has [have] provided the attached assertion[s] titled "Management of [Name of OSP]'s Assertion Regarding Its [name or type of] Services Throughout the Period [dd Month yyyy] to [dd Month yyyy],"[6] [and "Management of [name of sub-contractor]'s Assertion Regarding Its [name or type of] Services Throughout the Period [dd Month yyyy] to [dd Month yyyy],"]3 which is [are] based on the criteria identified in the [those] management assertion[s]. [Name of OSP] [and Name of Sub-contractor]3 is [are] responsible for (1) preparing the Description and assertion[s]; (2) the completeness, accuracy, and method of presentation of both the Description and assertion[s]; (3) providing the services covered by the Description; (4) specifying the controls that meet the applicable ABS controls criteria and stating them in the Description; (5) identifying any applicable ABS controls criteria being reported on that have been omitted from the Description and explaining the reason for the omission, and (6) designing, implementing, and documenting the controls to meet the applicable ABS controls criteria.
Service Auditor's Responsibilities
Our responsibility is to express an opinion on the fairness of the presentation of the Description based on the Description criteria set forth in [Name of OSP]'s [and Name of Sub-contractor]'s3 assertion[s] and on the suitability of the design and operating effectiveness of the controls to meet the applicable ABS controls criteria, based on our examination. We conducted our examination in accordance with attestation standards established by the [Name of the audit standards such as ISAE3000 or SSAE3000 selected by the engaged auditors]. Those standards require that we plan and perform our examination to obtain reasonable assurance about whether, in all material respects, (1) the Description is fairly presented based on the Description criteria, and (2) the controls were suitably designed and operating effectively to meet the applicable ABS controls criteria throughout the period [dd Month yyyy] to [dd Month yyyy].
Our examination involved performing procedures to obtain evidence about the fairness of the presentation of the Description based on the Description criteria and the suitability of the design and operating effectiveness of those controls to meet the applicable ABS controls criteria. Our procedures included assessing the risks that the Description is not fairly presented and that the controls were not suitably designed or operating effectively to meet the applicable ABS controls criteria.
Our procedures also included testing the operating effectiveness of those controls that we consider necessary to provide reasonable assurance that the applicable ABS controls criteria were met. Our examination also included evaluating the overall presentation of the Description. We believe that the evidence we obtained is sufficient and appropriate to provide a reasonable basis for our opinion.
Inherent limitations
Because of their nature and inherent limitations, controls at an Outsourced Service Provider [or a sub-contractor’s organisation]3 may not always operate effectively to meet the applicable ABS controls criteria. Also, the projection to the future of any evaluation of the fairness of the presentation of the Description, or of conclusions about the suitability of the design or operating effectiveness of the controls to meet the applicable ABS controls criteria, is subject to the risk that the system may change or that controls at an Outsourced Service Provider [or a sub-contractor’s organisation]3 may become inadequate or fail.
Opinion
<ABS Comment to Auditors: Any adverse opinion should be summarised in the respective sections below (i.e. A, B and/or C) and the full details reported in Section 4 of this report>
In our opinion, in all material respects, based on the Description criteria identified in [Name of OSP]'s [and Name of Sub-contractor]'s assertion[s] and the applicable ABS controls criteria:
- The Description fairly presents the [name or type of] services [and the elements of the services provided by [Name of Sub-contractor]]3 that was [were] designed and implemented throughout the period [dd Month yyyy] to [dd Month yyyy].
- The controls of [Name of OSP] [and [Name of Sub-contractor]]3 stated in the Description were suitably designed to provide reasonable assurance that the applicable ABS controls criteria would be met if the controls operated effectively throughout the period [dd Month yyyy] to [dd Month yyyy].
- The controls [of [OSP Name] and [Name of Sub-contractor]]3 tested, which were those necessary to provide reasonable assurance that the applicable ABS controls criteria were met, operated effectively throughout the period [dd Month yyyy] to [dd Month yyyy].
Description of Tests of Controls
The specific controls we tested and the nature, timing, and results of our tests are presented in the section of our report titled “[insert the title of the Description from the scope paragraph]”.
Restricted Use
This report and the Description of tests of controls and results thereof are intended solely for the information and use of [Name of OSP]; the FI client(s) of [Name of OSP]'s [name or type of] services during some or all of the period [dd Month yyyy] to [dd Month yyyy]; and prospective FI Client(s), independent auditors and practitioners providing services to the FI Clients, and regulators (collectively referred to as "specified parties") who have sufficient knowledge and understanding of the following:
- The nature of the services provided by the OSP
- How the OSP's services/systems interact with FI Clients, sub-contractor organisations, or other parties
- Internal control and its limitations
- The applicable ABS controls criteria
- The risks that may threaten the achievement of the applicable ABS controls criteria and how controls address those risks
This report is not intended to be and should not be used by anyone other than these specified parties. If a report recipient is not a specified party as defined above and has obtained this report, or has access to it, use of this report is the non-specified user's sole responsibility and at the non-specified user's sole and exclusive risk. Non-specified users may not rely on this report and do not acquire any rights against [Name of Audit Firm] as a result of such access. Further, the auditor does not assume any duties or obligations to any non-specified user who obtains this report and/or has access to it.
[Lead Auditor’s (signature)]
[City, Country][7]
[Date]
Section 3 – Description of OSP’s Services Throughout the Period [dd Month yyyy] to [dd Month yyyy]
<ABS Comment: This section is for the OSP to provide a detailed Description of its services and service controls covered under this report.>
Overview and Background
<Description>
Financial Institution (FI) Clients’ Responsibilities
<Description>
Components of the Services Provided:
a. Process
<Description>
b. People
<Description>
c. Technology
<Description>
Components of the Technology Related Services:
- Infrastructure
<Description>
- Software
<Description>
- People
<Description>
- Procedures
<Description>
- Data
<Description>
I. ENTITY LEVEL CONTROLS
- Control Environment
<Description>
- Risk Assessment
<Description>
- Information and Communication
<Description>
- Monitoring
<Description>
- Information Security Policies
<Description>
- Human Resource Policies and Practices
<Description>
- Practices related to Sub-Contracting
<Description>
II. GENERAL INFORMATION TECHNOLOGY (IT) CONTROLS