Shared Assessments Releases New Standards for Performing Standardized Control Assessments

May 15, 2018 | Best Practices, Research And Publications

Shared Assessments has released new Standards for Performing a Standardized Control Assessment (SCA). The Standards were developed during the past year by a task force composed of Steering Committee members and staff, and were repeatedly vetted with senior practitioners to ensure that they were reasonable and that they accomplished the primary goal of improving the consistency of the SCA assessment process.

These new standards are intended for use by any third party risk assessor that utilizes the 2018 (and subsequent) Shared Assessments Standardized Control Assessment (SCA) procedures – formerly the Agreed Upon Procedures (AUP). The SCA is a carefully honed and objective set of testing procedures designed to validate the effectiveness of third party controls through onsite testing. SCA test procedures have been reviewed and updated annually since 2005 and align with the Shared Assessments Standardized Information Gathering (SIG) questionnaire.

The SCA Standards will be used by members of the Shared Assessments Program, tool purchasers and assessment firms (including Certified Public Accounting firms) who hold license to the SCA procedures. They cover: the purpose; objectives; participants; scope of work; assessor qualifications; limitations; assessment process; reporting; sharing of reports; and quality assurance practices to be followed when performing SCA procedures.

Highlights of the new standards include:

  • Participants: The Assessee and/or the Outsourcer must hold a license to use the SCA, and the Assessment Firm (Assessor) must be a member of the Shared Assessments Program and hold a license to the SCA.
  • Assessor Qualifications: The Lead Assessor for an SCA Engagement must hold a Shared Assessments Certified Third Party Risk Assessor (CTPRA) Certification and a Certified Third Party Risk Professional (CTPRP) Certification.
  • Reporting: The Assessor will utilize the SCA Report Template to document the results of the SCA Engagement.
  • Sharing of Reports: Participants will agree upon any restrictions, limitations or requirements for sharing the SCA Report as part of the contract process.
  • Quality Assurance: The Outsourcer or Assessee will ensure that the Assessment Firm has performed the engagement in accordance with its own internal quality assurance practices and verified that the Assessment Firm is a current member of the Shared Assessments Program.


The compliance date for adherence to SCA Standards is December 31, 2019.


Sabine Zimmer

Sabine is Vice President of Marketing and Sales for Shared Assessments. Sabine enjoys collaborating across teams to build a stronger risk management community. When she's not at work, she is outdoors in the Southwest with her family.
