ISAE 3402 abstract Some key concepts and the
ISAE 3402 - abstract Some key concepts and the major differences when compared to SAS 70 Drs. T. (Temme) Sikkema RA – t. sikkema@hutco. nl – – www. hutaudit. nl NL – September 2009
The importance of Third Party Reporting 1 n n n Outsourcing has become a strategic issue Cost reduction, return to core activities and increase of flexibility are drivers for “user organisations” to source certain activities to service organisations User organisations need assurance that the service organisation controls are properly designed, implemented and are working effectively www. hutaudit. nl
The importance of Third Party Reporting 2 n n The service organisation may receive multiple requests for annual audits from their clients The service organisation may instead choose to share a Third Party Assurance Report regarding controls it deems relevant with their clients www. hutaudit. nl
Third Party Reporting: enter SAS 70 n n n SAS 70 is the American standard for third party assurance that has been adopted around the globe SAS 70 enables the user organisation (and its auditors) to acquire assurance regarding the design and operating effectiveness of those controls they find relevant SAS 70 may enable the user organisation’s compliance to legal and internal requirements www. hutaudit. nl
SAS 70 – key features 1 n n n SAS 70 addresses the financial reporting requirements of users of service organisations and is thus limited to controls regarding the processing of financial transactions The actual SAS 70 report is generally divided into three or four sections, depending on the type of engagement There are two types of Service Auditor’s Reports: Type I and Type II www. hutaudit. nl
SAS 70 – key features 2 n n A Type I report describes the service organisation’s description of controls at a specific point in time A Type II report adds detailed testing of the service organisation’s controls over a minimum six month period www. hutaudit. nl
SAS 70 – key features 3 n n n SAS 70 is an auditing standard and not a pre-determined set of standards that a service organisation must meet to “pass” the test In a SAS 70 audit the service organisation is responsible for describing the controls that will be disclosed in the service auditor’s report The scoping of the audit is therefore a very essential phase www. hutaudit. nl
Generally tested types of processes n n n Control environment Control activities Risk assessment processes Information and communication processes Monitoring processes www. hutaudit. nl
Generally tested types of controls n n n n Organizational controls Application development and maintenance controls Logical access controls Application controls System maintenance controls Data processing controls [Business continuity controls] – in a separate section of the report, but no assurance given www. hutaudit. nl
SAS 70 audit renders an opinion on: n n Whether or not the service organisation’s description of controls is presented fairly Whether or not the service organisation’s controls are designed effectively Whether or not the service organisation’s controls are placed in operation as of a specified date Whether or not the service organisation’s controls are operating effectively over a specified period of time (Type II engagements only) www. hutaudit. nl
Third Party Reporting: enter ISAE 3402 1 n n ISA 402 – Audit Considerations Relating to Entities Using Service Organisations ISA 402 gives guidance to user organisations and their auditors regarding the impact that service organisations have on the audit of the financial statement of the user organisation However, ISA 402 does not give any guidance to service auditors Enter………ISAE 3402 www. hutaudit. nl
Third Party Reporting: enter ISAE 3402 2 n n ISAE 3402 – International Standard on Assurance Engagements 3402 – Assurance Reports on controls at a Third Party Service Organisation Goal: create an international alternative for the American SAS 70 standard, while increasing the usability of the report for a broader range of end users www. hutaudit. nl
ISAE 3402 – key features 1 n n ISAE 3402 does not limit the scope of the audit to control objectives for financial reporting requirements Like SAS 70, ISAE 3402 is assertion-based Like SAS 70, the ISAE 3402 standard has two types of reports (Type A and Type B) that have basically the same scope In addition to the auditor’s opinion, management of the service organisation needs to provide a formal assertion, affirming its responsibilities for the controls in the report. This is a major difference when compared to SAS 70 www. hutaudit. nl
ISAE 3402 – key features 2 n n n ISAE 3000 requires the service auditor to assess the suitability of criteria, and the appropriateness of the subject matter ISAE 3402 proposes a minimal set of such criteria Can the audit community make these criteria S. M. A. R. T. ? www. hutaudit. nl
- Slides: 14