Assurance for service organisations: contextualising accountability and trust

A number of organisations outsource their information systems and information technology infrastructure to a type of organisation called a “service organisation”. In the current business environment, where cyber risks are increasing, it is important to have a mechanism to ensure the credibility of these service organisations. This paper, therefore, aims to understand the contextualisation of accountability and trust of related organisations through the use of assurance engagements.

This paper is conceptual in nature; however, textual data sources are used to support the theorisation of accountability and trust in the context of companies using service organisations. It uses publicly available assurance reports and related assurance standards for observing the accountability mechanism in practice, to understand the purpose of the assurance.

Assurance statements for service organisations mainly provide reputation-based, not contract-based, accountability. Limited access to the assurance reports and limited responsibility of service auditors potentially decrease the degree of this reputation-based accountability. The findings reveal a potential accountability paradox regarding the role of assurance practice, as to whether it serves as a managerial tool to build trust or as an accountability mechanism for stakeholders.

This paper extends the understanding of accountability and trust in the context of this unconventional form of organisational relationship. It urges more transparency in terms of the accessibility of assurance reports to provide information to wider stakeholders. The findings add to the latent literature on organisational trust and voluntary assurance practice.