
The Written Statement of Assertion | ISAE 3402

The ISAE 3402 standard, which requires service organizations to include a "written statement of assertion", is grounded in the assumption that management of a service organization effectively utilizes "monitoring" as a key principle in assessing the effectiveness of controls. More simply stated, a service organization's ability to properly monitor its internal control framework with adequate safeguards, controls and oversight provides the actual basis for presenting a "written statement of assertion" to the service auditor for inclusion in the final ISAE 3402 report, be it a Type 1 or a Type 2.

This is a fundamental difference between the AICPA SAS 70 and ISAE 3402 standards. SAS 70 audits, performed under an AICPA standard put forth in 1992 (which is being superseded by SSAE 16), do not include management assertions from service organizations, so organizations will now have to take a fundamentally different approach to meeting the needs of ISAE 3402 assurance engagements.

A large and growing question on the minds of service organizations will be: How do we effectively implement a monitoring program to meet the needs of the ISAE 3402 standard?

Most service organizations undertake monitoring actions on a daily basis throughout their organization, as witnessed by the safeguards, controls and oversight being performed by personnel and systems. Monitoring can and does include a wide variety of activities, such as the following:

  • Evaluations of daily operations
  • Management and supervisory activities
  • Internal audit functions
  • System checks and balances (batch processing, quality controls, system error checks)
  • Manual checks and balances (documented approvals, manual overrides, quality control checks)
  • Communication with third party entities (regulatory agencies, customers, vendors)
  • Any other safeguards, controls, and oversight activities, either system oriented or manual, that aid and facilitate in monitoring a service organization's system.

As designated by the Committee of Sponsoring Organizations, known throughout the world as COSO, "monitoring" is defined as the following:

Internal control systems need to be monitored--a process that assesses the quality of the system's performance over time. This is accomplished through ongoing monitoring activities, separate evaluations or a combination of the two. Ongoing monitoring occurs in the course of operations. It includes regular management and supervisory activities, and other actions personnel take in performing their duties.

Source: COSO: http://www.coso.org/IC-IntegratedFramework-summary.htm

 
 
Copyright © 2010 The ISAE 3402 Resource Guide. All Rights Reserved.