Facts:
OSPAR V2.0
Published Date: 25 March 2024
Effective Date: 1 January 2025
Audit frequency: Annual
OSPAR V2.0 was issued by The Association of Banks in Singapore (ABS).
Related MAS regulatory documents:
- Notice on Cyber Hygiene (Published: 6 August 2019; Effective: 6 August 2020)
- Guidelines on Technology Risk Management (Published: 18 January 2021)
- MAS/TCRS/2021/03: Advisory on Addressing the Technology and Cyber Security Risks Associated with Public Cloud Adoption (Published: 1 June 2021)
- Guidelines on Business Continuity Management (Published: 6 June 2022)
- Notice 658 Management of Outsourced Relevant Services for Banks (Published: 11 December 2023; Effective: 11 December 2024)
The components of the controls are categorised as follows:
I. Entity Level Controls
  (a) Control Environment
  (b) Risk Assessment
  (c) Information and Communication
  (d) Monitoring
  (e) Information Security Policies
  (f) Human Resource Policies and Procedures
  (g) Practices related to Sub-Contracting/Third Parties related to the delivery of the service
II. General Information Technology (IT) Controls
  (a) Logical Security
  (b) Physical Security
  (c) Change Management
  (d) Incident Management
  (e) Backup and Disaster Recovery
  (f) Network and Security Management
  (g) Security Incident Response
  (h) System Vulnerability Assessments
  (i) Technology Refresh Management
  (j) Data Security
  (k) Cryptography
  (l) Software Application Development and Management
III. Service Level Controls
  (a) Setting-up of New Clients Accounts/Processes
  (b) Authorising and Processing Transactions
  (c) Maintaining Records
  (d) Safeguarding Assets
  (e) Service Reporting and Monitoring
Thoughts:
New Controls:
The new controls in OSPAR V2.0 are intended to uplift risk management in response to the technological advances made by service providers since OSPAR was launched in 2017.
The OSPAR V2.0 framework has seen a significant expansion in the number of control criteria, with approximately forty new criteria added compared with OSPAR V1.1.
In addition, the cloud-specific controls for CSPs and OSPs offering PaaS/IaaS/SaaS solutions are designed to address adherence to the MAS Cloud Advisory.
The General IT Controls have been expanded with the inclusion of three new domains, each encompassing specific control criteria as follows:
- Data security domain, which consists of approximately five control criteria.
- Cryptography domain, comprising five control criteria.
- Software application development and management domain, containing eight control criteria.
Additionally, a new domain, Business Continuity Management, has been introduced under the Service Level Controls, which includes six control criteria.
Furthermore, new control criteria have been incorporated into existing domains, including:
- Entity Level Controls/Risk Assessment domain
- General IT Controls domain, specifically in the areas of Logical Security, Physical Security, Change Management, Incident Management, Backup and Disaster Recovery, Network and Security Management, and Security Incident Response.
- Service Level Controls domain, particularly in the Maintaining Records section.
Applicability:
The revised OSPAR V2.0 is meant to give outsourcing providers and third-party providers to financial institutions a pooled baseline of compliance covering Outsourcing, Business Continuity Management, Technology Risk Management, Cyber Hygiene and the MAS Cloud Advisory. The applicability, and the extent of applicability, varies across service providers. Each service provider has to examine applicability individually, and also collectively as a service provider group, to the extent that is applicable.
Audit Frequency:
The audit frequency remains annual.
This allows financial institutions to perform their function of independent assessment and due diligence. The annual frequency allows financial institutions to fulfil the “once every 3 years” requirement under MAS Notice 658. For due diligence, it allows financial institutions to perform their pre-onboarding, initial and periodic due diligence at the appropriate time, including following up on exceptions/findings from the prior year and covering any significant changes in the current year.
Furthermore, the annual audit frequency provides continuity in audit period coverage year-on-year, without a gap in between. It also preserves audit knowledge from one year to the next, which makes assessments more efficient.
Lastly, the frequency is in line with other industry standard reports such as SOC 2, SOC 1 and ISAE 3402, among others.
Outsourcing: Attestation Drives Comfort
The revised Notice 658 Management of Outsourced Relevant Services for Banks has had minimal impact on the development of the OSPAR V2.0 uplift from OSPAR V1.1. That said, the work required for the banks’ compliance with the notice is a tremendous task. OSPAR V2.0 allows the banks to establish baseline compliance of the service providers’ scope of service against the notice. Additionally, the process allows the service providers to address key considerations such as how client information is managed by the service providers and their downstream subcontractors.
Technology Risk Management: Sound Technology Risk Governance and Cyber Resilience Regarding the Service Providers
The guideline sets the expectation for the financial sector to establish sound and robust Technology Risk Governance and Oversight, as well as to maintain Cyber Resilience. The OSPAR V2.0 report addresses the concerns regarding the service providers’ approach to the governance of Technology Risk and Cyber Resilience.
Cloud/Cyber-Considerations:
The OSPAR framework has been enhanced with supplementary control criteria specifically tailored for cloud service providers and OSPs offering SaaS, PaaS or IaaS solutions. With these additional criteria integrated into several General IT Control domains, the OSPAR framework gains a total of seventeen new control criteria, distributed as follows:
- The Logical Security domain has been enriched with ten control criteria.
- The Change Management domain now includes one additional control criterion.
- The Backup and Disaster Recovery domain has been augmented with one control criterion.
- The Network and Security Management domain has been strengthened with the inclusion of two control criteria.
- The Security Incident Response domain now encompasses two additional control criteria.
- The Software Application Development and Management domain has been supplemented with one control criterion.
These enhancements aim to address the specific security and operational requirements associated with cloud-based services and solutions.
BDO Singapore’s Capabilities:
BDO Singapore can perform the following:
- Determine applicability of the controls of OSPAR V2.0 to your organisation
- Conduct a gap analysis, based on the review of policies and procedures
- Conduct a gap analysis on the controls (design and implementation) with OSPAR V2.0
- Review remediation performed on the gaps analysed
- Perform control effectiveness testing for controls and issuance of OSPAR V2.0 report
Conclusion:
The best time to do something is yesterday. The second-best time to do it is now.
Do have the conversation with your stakeholders on the following:
- Is your business model and strategy, as a trusted outsourcing and third-party service provider and business partner to the bank, integral to the bank’s business?
- What are the gaps that need to be addressed for compliance to OSPAR V2.0?
- How does being a trusted outsourcing and third-party service provider align with your company's mission, vision, and values?
- What are the key benefits of being recognised as a compliant and dependable partner to banks?
- How can compliance with OSPAR v2.0 differentiate your company from competitors and strengthen your market position?
- What are the key areas where your company's current practices may not fully align with the requirements of OSPAR v2.0?
- What resources, expertise, or support do you need to effectively address the identified compliance gaps?
- How can you prioritise and implement the necessary changes to achieve compliance within a reasonable timeframe?
- What are the potential risks and consequences of not addressing the compliance gaps, both for your company and for your relationships with banks?
We are here to help. Do reach out to us if you have any questions.