Shared Assessments Releases New Standards for Performing Standardized Control Assessments

Shared Assessments has released new Standards for Performing a Standardized Control Assessment (SCA). The Standards were developed during the past year by a task force composed of Steering Committee members and staff, and were repeatedly vetted with senior practitioners to ensure they were both reasonable and accomplished the primary goal of improving the consistency of the SCA assessment process.

These new standards are intended for use by any third party risk assessor that utilizes the 2018 (and subsequent) Shared Assessments Standardized Control Assessment (SCA) procedures – formerly the Agreed Upon Procedures (AUP). The SCA is a carefully honed and objective set of testing procedures designed to validate the effectiveness of third party controls through onsite testing. SCA test procedures have been reviewed and updated annually since 2005 and align with the Shared Assessments Standardized Information Gathering (SIG) questionnaire.

The SCA Standards will be used by members of the Shared Assessments Program, tool purchasers and assessment firms (including Certified Public Accounting firms) who hold license to the SCA procedures. They cover: the purpose; objectives; participants; scope of work; assessor qualifications; limitations; assessment process; reporting; sharing of reports; and quality assurance practices to be followed when performing SCA procedures.

Highlights of the new standards include:

  • Participants: The Assessee and/or the Outsourcer must hold a license to use the SCA, and the Assessment Firm (Assessor) must be a member of the Shared Assessments Program and hold a license to the SCA.
  • Assessor Qualifications: The Lead Assessor for an SCA Engagement must hold a Shared Assessments Certified Third Party Risk Assessor (CTPRA) Certification and a Certified Third Party Risk Professional (CTPRP) Certification.
  • Reporting: The Assessor will utilize the SCA Report Template to document the results of the SCA Engagement.
  • Sharing of Reports: Participants will agree upon any restrictions, limitations or requirements for sharing the SCA Report as part of the contract process.
  • Quality Assurance: The Outsourcer or Assessee will ensure that the Assessment Firm has performed the engagement in accordance with its own internal quality assurance practices and verified that the Assessment Firm is a current member of the Shared Assessments Program.

 

The compliance date for adherence to SCA Standards is December 31, 2019.