19:27:49 - 13.07.2024

Download Brochure


Security Partners


ISO 27001 Certified


ISO 9001 Certified


Home Expertise
Third Party Reporting PDF Print E-mail
Article Index
Third Party Reporting
Standards and Guidelines
Examples of TPR Reports
All Pages


TPR Services provide our clients with a means of enhancing trust, communication and relationships with their supervising authorities, business partners and stakeholders by providing independent assurance as to the fairness of management statements and representations or effectiveness of internal controls. There are three types of reporting services provided by us within Third Party Reporting:

  • General Third Party Reporting - provides either positive or limited assurance on subject matter as evaluated against suitable criteria;
  • Service Organization Reports - refers to engagements to provide assurance on controls in place at service organizations as they relate to the management assertions of an user organization;
  • Agreed-Upon Procedure - executing procedures agreed to by the report recipients and report on the results of our procedures. We are engaged by a client to issue a report of findings based on specific procedures performed on subject matter.

Specifically, Third Party Reporting Services help a client:

  • Establish trust in its processes and practices with current business partners and convert potential business partners to new partners;
  • Re-establish trust when a relationship has been damaged by failure to meet authorities or business partner expectations regarding business processes and practices;
  • Improve transparency of business processes, thereby reducing or eliminating the need for authorities and business partners audits and inspections by the auditors of the supervising authorities or business partners;
  • Comply with requirements of specified laws, regulations, rules,contracts, or grants and assist business partners to comply with regulations;
  • Ensure the effectiveness of the entity's internal control over compliance with specified requirements.

Attestation or assurance reporting engagement is an engagement where an audit and assurance professional either examines management's assertions regarding a particular subject matter or the subject matter directly. The audit and assurance professional's report consists of an opinion on the following:

  • Compliance with laws, regulations, rules, contracts, or grants (e.g. Norm ASF 4/2018);
  • The Subject Matter - Direct Reporting Engagement;
  • Management's Assertion - Attest Reporting Engagement (e.g. ISAE 3402 required by Norm ASF 4/2018);
  • Particular subject matter - Examination Reporting Engagement;
  • Specific tests and audit procedures - AUP - Agreed-Upon Procedure.

Blue Lab Consulting audit professionals provide Third Party Reporting services that are designed to help our clients address specific issues. These include prospective reporting and other forms of attestation, reviews or reporting.

We provide attestation service as an audit / attestation service in which an auditor (certified as CISA, CIA, ACCA, Chamber of Financial Auditors of Romania) expresses a conclusion about the reliability of a subject matter or written statement that is the responsibility of someone else.


There are some significant Third Party Reporting applicable standards, procedures and guidelines used for attestation or assurance audits or reviews, and it includes:

  • ISACA - Information Systems Audit and Control Association - Standards;
  • IAASB - International Auditing and Assurance Standards Board:
    • ISAE 3000 - Assurance Engagements Other Than Audits or Reviews of Historical Financial Information;
    • ISAE 3402 - SAS 70 Examinations, CICA 5970 - Service Organization Reports, for outsourced services.
  • IFAC - International Federation of Accountants - ISRS 4400 - Engagements to Perform Agreed Upon Procedures Regarding Financial Information;
  • ISACA - ITAF - Information Technology Assurance Framework;
  • ISO/IEC - Series - 27001 (17799), 9001, 15408, 14001...most notable:
    • 27001 - Information technology, Security techniques, Information security management systems, Requirements;
    • 9001 - Quality Management System;
    • 15408 - The Common Criteria for Information Technology Security Evaluation;
  • PCI-DSS - PCI Security Standards Council - Data Security Standard for payment card systems;
  • COBIT / ITGI (IT Governance Institute) - Framework for IT Governance and Control:
  • AICPA - American Institute of Certified Public Accountants
    • SSAE - Statements on Standards for Attestation Engagements, SSAE No. 10, 11 - designated to issue pronouncements on attestation matters;
    • SOC (Service Organization Control) 1, 2, 3 - internal control reports on the services provided by a service organization providing valuable information that users need to assess and address the risks associated with an outsourced service;
    • SysTrust, WebTrust (focuses on risk areas related to e-commerce activities).


The following provides examples of different TPR reports and the standards under which they are issued:

  1. General Third Party Reporting:
    • Compliance Audit:
      • FINANCIAL SUPERVISORY AUTHORITY - Compliance and Information Systems Audit;
      • Rule no. 4/2018 on the management of operational risks generated by information systems used by authorized /
        licensed / registered entities, regulated and / or supervised by the Financial Supervisory Authority (ASF) - Compliance and Information Systems Audit;
      • EU Funds/Grants Projects Attestation - Technical IT and Security audit;
      • ISO/IEC - 27001 series (Information Security Management System) certification audit;
      • ISO/IEC - 9001 series (Quality Management System) certification audit
      • PCI - DSS payment card data security precertification audit;
      • TIA-942 Audit and Certification (Telecommunications Infrastructure Standard for Data Centers).
      • Cyber security audit for the compliance with the European NIS Directive
    • Reasonable Assurance:
      • SysTrust, WebTrust;
      • National Bank of Romania - Electronic Payments System;
      • Romanian Ministry of Communications and Informational Society:
        • electronic banking (internet-banking, home-banking and mobile-banking);
        • electronic archive;
        • electronic invoice.
      • Systems and process assurance;
      • AAF 01/06 (UK), AUS 810 (Australia), AT101 (US).
    • Limited Assurance (review or negative assurance)
      • IT applications security certification;
      • AUS 810 Australia, AT101 (US).
  2. Service Organization Report - ISAE 3402 (SAS 70) Audit
    • Type I report - describes the service organization's description of controls at a specific point in time;
    • Type II report - not only includes the service organization's description of controls, but also includes detailed testing of the service organization's controls over a minimum six month period.
  3. Agreed-Upon Procedures:
    • Financial Institution Shared Assessments Program (FISAP);
    • AUS 810 Special Purpose Reports on the Effectiveness of Control Procedures.