Bruno Caviezel
Senior Manager, Digital Assurance in Financial Services, PwC Switzerland
Bruno Caviezel heads the Trust & Transparency Solutions division at PwC Switzerland. Together with his team, he provides company management with in-depth insight into the quality of outsourced services. This helps those responsible to optimise process maturity, sharpen risk management and develop innovations. In an interview with Disclose, he explains how his audit work is creating new types of trust relationships.
Disclose: In two sentences, what do you and your team do?
Bruno Caviezel: Our audit work involves assessing internal controls and processes and preparing customer-specific control reports in accordance with national and international standards. We provide an independent view of controls, whether or not they relate to financial reporting, thereby creating trust for all parties involved.
How does that look in practice?
In the finance and insurance sectors – as well as in many other industries – companies outsource certain services that are not part of their core competencies, such as the operation of a core system, accounting or a CRM system. My team and I check whether legal, contractual, regulatory or self-regulatory requirements are being met. We also examine more exotic issues, such as equal pay within a company or flat-rate coding in hospitals. We record our assessments in an internationally recognised audit report in accordance with the International Standard on Assurance Engagements (ISAE). The US equivalents, issued by the American Institute of Certified Public Accountants (AICPA), are known as SOC reports.
Audit, audit report – that sounds like another compliance obligation. Are you and your team the eyes of the law?
No. An ISAE or SOC audit is not required by law. However, it is a key criterion for self-regulation, especially in regulated industries such as finance and insurance. For example, such certification is almost mandatory for an outsourcing partner in the IT sector if it wants to host and operate core systems for banks. Not being able to provide such a report would be a significant competitive disadvantage.
How are you perceived by your clients?
Most of the people we meet in companies we visit for the first time see us as a kind of supervisory authority. This scepticism almost always gives way to the realisation that we provide an independent and therefore very valuable opinion on the quality of their services.
To what extent is your view independent?
In the triangle between the outsourcing partner and its customers, we assume the role of a neutral third party. As such, we do not pursue any interests of our own. For example, we do not examine issues that we ourselves have initiated or implemented as a consulting firm, but rather create a win-win situation for the parties that is independent of us.
In what way?
Our report offers the service provider transparency regarding the quality of its services and internal processes. This helps them to identify weaknesses, refine certain processes or optimise new services right from the start. They also benefit from economies of scale, as they can demonstrate their reliability to a larger number of customers with just one report. Our verification gives the service recipient the security and confidence that their partner will handle the systems, orders and data provided in a trustworthy manner.
How is the scope of the audit determined?
Depending on the order, this can usually be selected flexibly. The scope should cover the service to be audited adequately. To this end, the criteria must be quantifiable and measurable. We naturally support our clients in defining the scope of the audit and the respective criteria.
What distinguishes your audit report from an ISO certificate or a quality label?
ISO certificates and quality labels are usually easier and quicker to obtain than an ISAE or SOC audit report. The ISO 27001 standard for information security, for example, describes the requirements for an information security management system. It is a forward-looking assessment based on a specific date. Our audit report, on the other hand, contains a retrospective and comprehensive description of the control environment and design, the implementation of the controls and, depending on the type, their operational effectiveness. It contains, for example, statements on access rights, data back-up, approvals, documentation and much more. The main difference therefore lies in the audit assurance we provide with such a control report. ISO certificates or quality labels do not provide this assurance.
Who commissions an audit report from you and why?
Some decision-makers approach us because they have outsourced a process and want to be sure that their outsourcing partner is handling their data appropriately and in compliance with data protection regulations. In most cases, the need arises from regular financial audits. In other cases, a provider has a new service in the pipeline and wants to ensure that it meets the target industry’s quality standards. Our clients hold various management positions, from the board of directors to executive management or legal departments to IT or accounting.
What is particularly important to you when it comes to trust and transparency solutions?
Every new mandate marks the beginning of a new relationship. Sometimes we start this journey in a cool atmosphere, because those responsible label us as law enforcers. I can understand that, because nobody likes to be scrutinised. Over time, the relationship changes and we are increasingly perceived as sparring partners or trusted advisers. It is personally important to me that we succeed in building this trust.