Which document provides assurance of the effectiveness of internal controls used by a third party?


Assurance of the effectiveness of internal controls used by a third party is best provided by a recent independent third-party audit report. This report, often referred to as a System and Organization Controls (SOC) report, evaluates and assesses the design and operational effectiveness of the internal controls established by the third party. The audit is conducted by an independent auditor who examines the third party's control processes and their adherence to industry standards and regulations.

Such an audit report typically includes detailed information about the scope of the audit, the tests performed, and the results, offering a reliable assessment of how well the third party manages its controls related to security, availability, processing integrity, confidentiality, and privacy. This independent validation is crucial for organizations that depend on third parties for services, as it provides confidence that adequate controls are in place and functioning effectively to mitigate risks.

In contrast, a service level agreement outlines the expectations regarding service delivery but does not provide direct evidence of control effectiveness. Business continuity plans focus on maintaining operations during disruptions but do not necessarily cover the effectiveness of internal controls. Similarly, disaster recovery plan test reports primarily demonstrate the ability to recover from specific incidents rather than comprehensively assess internal control effectiveness. Thus, the independent third-party audit report is the most authoritative source for this assurance.
