In 2005, the Shared Assessments program was born to serve the financial services industry and its major service providers. The intent was to achieve economies of scale by sharing the expense and time of conducting on-site assessments. A group representing six major banks and the Big Four accounting firms met to draft an on-site assessment tool built to the AICPA’s Agreed Upon Procedures attestation standards. While developing that tool, the group discussed many control questions that didn’t fit into an on-site assessment framework, so they built a “parking lot” for control questions that didn’t make it into the Agreed Upon Procedures. By 2007, in its third iteration, the parking lot of questions had developed into an assessment tool in its own right. It was named the Standardized Information Gathering (“SIG”) questionnaire and presented as a free, closed-question questionnaire covering ISO-based control domains, for outsourcing financial institutions to send to their third-party service providers. The SIG represents the “trust” in the Shared Assessments Program’s “trust-but-verify” model, and the AUP (the Agreed Upon Procedures) represents the “verify”.
Over the intervening years, SIG users have found it to have far greater utility than its original purpose.
Many outsourcers use the abbreviated version of the SIG, the SIG Lite, as a gating tool to assess potential new providers and determine if a more thorough assessment is necessary. They also use the SIG in a modular fashion, selecting the domains relevant to the particular services provided by a vendor. And, depending on the sensitivity of the services provided or the data shared, the SIG serves either as a standalone assessment tool (where “trust” is sufficient) or as a precursor to an on-site assessment that verifies the answers to the SIG’s questions.
Service providers have also found the SIG to be a useful artifact to include in their RFP fulfillment packages. The completed SIG can speed the vendor selection process because it describes to the potential customer the prospective provider’s security and control environment. Service providers also use it to vet their downstream partners.
And participants on all sides of the outsourcing process have found the SIG to be an effective self-assessment tool.
So, like the trusty, red, multi-function pocket knife, the SIG has made itself a handy tool.
Santa Fe Group Consultant Bob Jones has led financial institution fraud risk management programs for more than 40 years. A well-known thought leader in the financial services industry and a sought-after expert in risk management strategy, Bob has devoted his career to innovative financial services fraud reduction and risk management. Today, Bob is a consultant, educator and expert witness, and serves as the principal of RW Jones Associates LLC.