Trust & Transparency Solutions

Traditional and modern control reporting solutions to build trust with stakeholders – All Eyes on Trust

Featured - 4 items

Making sense of control reporting standards

Got lost in the wide variety of control reporting standards?

GDPR and data privacy controls

How to adopt a data privacy control framework to comply with GDPR?

HITRUST and patient health information

How to leverage the HITRUST framework to control patient information?

EBA outsourcing guidelines

How to use control reports to address EBA monitoring requirements?

Provide transparency and build trust to address compliance requirements, remain competitive and sustain long-term growth

In an environment where organisations rely on a complex network of third parties and their subcontractors, increased regulatory scrutiny, data privacy expectations and an overall demand for greater transparency are driving the need for assurance beyond ‘just’ traditional reporting on financial controls.

Transparency can provide organisations with the trust they are looking for in this complex web of third parties, subcontractors or fourth parties and their end consumers. As a result, delivering such transparency can translate into a significant competitive advantage in terms of being aware of and responding to process and control weaknesses and improving overall operating efficiency, and it can create an opportunity to reduce costs by avoiding the duplication of operational and compliance efforts.

Our services

Assurance of Compliance Management System or Software certification?

Compliance Management System
Software Certification

SAS 980 Compliance Management System

Elements of a Compliance Management System (CMS)

1. Compliance Culture
- Principles for an adequate and effective CMS
- Management's attitude and behaviour
2. Compliance Objectives
- Determination of key objectives to be achieved
- Specification of compliance domains and rules to comply with
3. Compliance Risks
- Identification of significant compliance risks
- Systematic risk identification and evaluation process
4. Compliance Program
Implementation of core principles and measures to minimize the identified risks
5. Compliance Organisation
- Roles and responsibilities
- Organizational structure and processes
- Resource planning
6. Compliance Communication
Inform involved employees and third-parties about the compliance program and roles / responsibilities
7. Compliance Monitoring & Improvement
- Monitor adequacy and effectiveness
- Key requirement is an adequate documentation
- Responsibility resides with management

Criteria, e.g.:
(against which assessment criteria are the processes, risks and controls assessed)

Competition and antitrust law
Anti-bribery law
Stock exchange law (e.g. provisions on insider trading or ad hoc reporting obligations)
Corporate governance requirements (e.g. Swiss Code of Best Practice for Corporate Governance, OECD Principles of Corporate Governance)
Anti-money laundering law
Environmental law
Foreign trade law and export control
Legislation on external tax relations
Data protection and data security law
Labor law and personal rights (e.g., general anti-discrimination laws)
Industrial safety law

Your Benefit
(what is the benefit for your company)

Assurance that the CMS is adequately designed, implemented and / or operated

Assurance that the CMS is effective and that resources are being used efficiently

Increases the confidence in your organization

Liability reduction for the board of directors and the company

Maturity assessment of your compliance management

Strengthening of the internal and external perception of your efforts in the area(s) of compliance

SAS 870 Software Certification

Subject Matter, e.g.: (which processes, risks and controls are assessed)	Information Technology General Controls, particularly the software development cycle Business Process Controls Any other processes and controls related to the specific purpose of the software
Criteria, e.g.: (against which assessment criteria are the processes, risks and controls assessed)	Control Objectives for Information and Related Technologies (CobiT) Committee of Sponsoring Organizations of the Treadway Commission (COSO) ISO 27002:2013 Any other measurable criteria related to the specific purpose of the software
Your Benefit (what is the benefit for your company)	Software certificate, which can be distributed to prospective as well as current customers. Certificate confirms that software adheres to defined criteria, e.g. in the area of electronic archiving systems to the Ordinance on the Maintenance and Retention of Accounts (Accounts Ordinance; AccO - SR 221.431)
Potential Challenges	Certificate only confirms that software is able to meet the defined criteria in a certain version as well as in certain configuration / customizations if adequately implemented and operated Subsequent versions, in case of changes, may need to be recertified.

Third-Party Assurance – Controls over Financial Reporting

(ISAE 3402, SOC 1®, SSAE 18)

Through the use of controls reports (i.e. US-related SOC 1® (in the past according to SAS 70 and later SSAE 16, currently SSAE 18), or internationally accepted ISAE 3402) we provide transparency into organisations’ functions, processes, technology and controls that impact clients’ financial transactions and financial reporting processes. Typically, the traditional user audience of such reports are accounting departments and internal and external audit stakeholders.

Third-Party Assurance – Beyond Controls over Financial Reporting

(ISAE 3000, SAS 950, SOC 2®)

Emerging technology and regulatory developments such as block chain, cloud, electronic patient health information, GDPR, and outsourcing regulation require organisations to look beyond the risks related to financial reporting.

Through the use of controls reports (referred to as SOC 2® or ISAE 3000 / SAS 950 using relevant and applicable industry controls standards, e.g. Trust Service Criteria or COSO/CoBiT Frameworks), we provide organisations and (internal and external) stakeholders with comfort when it comes to operational risk areas focusing on, for example, information security, (data) privacy, service availability, integrity and confidentiality. The typical (end) user audience of our reports is broad and ranges from internal / intra-group service recipients (e.g. IT shared service centres), recipients of outsourced services (e.g. data centre co-location services, cloud service providers, managed technology / IT services), regulators, customers and sometimes even the public in general.

Other Specific Vendor Controls Attestations – Assurance

(SOC 2+, SOC 3, HITRUST)

As the demand for trust and transparency in specific industry domains increases, we provide organisations with attestation solutions (e.g. SOC 2+ or SOC 3®) based on the latest control frameworks.
For example, we deliver attestation services in the health / pharma sector. Supported by PwC US, we deliver readiness, remediation and certification as a Certified HITRUST Assessor. We assist in the implementation of the HITRUST Controls Standard Framework (CSF) as the foundation of an organisation’s security and privacy controls / compliance programme for controlling risks related to patient health information (PHI).

Attestations of Compliance Management Systems

(SAS 980)

With the issuing of the Swiss Audit Standard 980 standards and guidelines regarding compliance management systems (CMS), we are able to assist organisations with addressing the different principles outlined in this standard. Our readiness, gap analysis and attestation activities tackle the required compliance culture, objective, risk, overall programme and organisation aspects of an organisation's legal, tax, corporate social responsibility (CSR) oversight or other compliance management systems.

An increased demand for trust is highlighting the significance of having robust and reportable governance, risk, compliance, operational and IT controls in place.

Ralf HofstetterTrust and Transparency Solutions, PwC Switzerland

What are we doing for our clients?

We understand that our clients want a business partner who can help them establish a robust and reportable internal control framework. An internal control framework that meets the expectation of their customers, regulatory bodies and other stakeholders. Our team independently assesses and concludes on the effectiveness of our client's internal control framework in line with Swiss and/or international assurance standards.

For both situations, we have developed leading methodologies that minimise the impact on our clients' businesses. By applying our proven methodologies, we're able to meet our client's expectations and issue high-quality state-of-the-art controls reports within a short time. Would you like to know more about how we approach an independent assessment of our clients' control frameworks in line with Swiss and/or international assurance standards?

Learn more