Skip to the content

Third Party Communications (TPM): why and for whom?

A Third Party Memorandum (TPM) is an assurance report provided by an IT auditor (RE) and relates to the quality of a service organization's control of IT services.

Every organization has risks to achieving its goals and wants to control the causes and consequences of those risks as well as possible. It is therefore useful - and sometimes mandatory - to test the quality of the internal control of processes and systems and to have this established internally or externally by means of an IT audit.

But what does it really say about the control if that assessment is limited to the parts of a process or system that fall within the organization's responsibility and leaves out the outsourced items? For example, can you just assume that your IT service organization, such as a SaaS provider, has the control in place?

In short; no, you can't.

For auditors, something should never be assumed, but should always be able to be determined. It is therefore imperative that an IT audit is carried out at the supplier's premises.

Within our field we recognize two methods: the inclusive and the carve-out method.

Inclusive vs. Carve-out

In the inclusive method, the responsible IT auditor performs his own review of the IT service organization and gives his opinion based on that review. However, this brings with it some practical problems. If you have not stipulated the right to audit in the agreement with the supplier, the IT service organization simply cannot participate. Moreover, if it is an IT service organization with a particularly large number of customers, each auditor must conduct his or her own investigation and the supplier must free up capacity for interviews and the delivery of documents for each audit.

The carve-out method is therefore often seen as a more practical solution. As the name suggests, a particular carve-out is made from a framework of standards that fall within the responsibility of the IT service organization. The IT service organization itself chooses an IT auditor who performs his own review of these standards, resulting in a TPM assurance report.

Avoid high costs

Note that IT service organizations often ask for a fee for providing a TPM. It is therefore wise to make agreements about the amount of this fee when entering into an agreement, or even earlier in a tender.

The IT service organization can make a TPM for each customer that is essentially the same or provide a generic report to all its customers. It should be noted that the customers have to work in a standard system. Any difference in software, architecture, procedures, etc. must be tested before the IT auditor can issue a statement.

The IT auditor of the purchaser of the IT service (the user organization) only has to determine that the scope of the TPM matches the object of investigation. The tested norms in the TPM and the tested norms in the user organization fit together like two pieces of a puzzle and together cover the framework of norms.

More advantages of a TPM

A generic audit and a TPM ensure that the IT service organization can make huge savings on the audit costs of its customers, because the same audit does not have to be performed for each customer with the same web application or web environment.

A TPM also allows IT service organizations to demonstrate the quality of the control of the IT services for potential customers in advance. A TPM is even a requirement for some tenders, as it is often mandatory for public sector organizations to have a TPM for the IT services they purchase.

Need help with a Third Party Memorandum (TMP)?

The IT auditors of 2-Control can, as an independent party, prepare a TPM for IT service organizations to demonstrate the quality of control of IT services.

Our IT auditors have extensive experience in providing assurance reports. We can support you with a variety of audits on all known assessment frameworks. These include DigiD, ENSIA, SOC 2, ISAE 3402, NEN 7510, ISO27001, Privacy Control Framework (PCF) and support with the annual audit of accountants (auditing of General IT controls).

For more information about our assistance with a TPM statement, please contact us at 076-50 194 70 or fill in your contact details via our contact form. We will then contact you as soon as possible.


About the author

Alain van Vugt

CISA IT-auditor / Consultant
T: 076-5019470
Ask your question


Do you have a question? Get in touch with one of our IT audit professionals. We are pleased to help you.