
Service Organization Requirements for ISAE 3402 | Description of its "system"

ISAE 3402 will no doubt create new requirements and challenges for service organizations adopting the new globally accepted assurance reporting standard. Service organizations will need to understand a number of important issues to ensure they meet the requirements set forth by the ISAE 3402 standard.

Specifically, service organizations will need to undertake the following regarding ISAE 3402:

  • Developing a comprehensive and in-depth description of the service organization's system for ISAE 3402, which, at a minimum, will include the following attributes:
    • A written description and explanation of specific services provided by the service organization, such as the types of transactions processed.
    • A written description and explanation of the specific procedures for services provided, by way of technology systems or manual processes for initiating, recording, processing, and correcting of transactions.
    • A written description and explanation of all records, accounts and any other supporting information that are used for initiating, recording, processing, reporting, and correcting of transactions.
    • A written description and explanation of how the service organization identifies, captures, and deals with significant events and other issues and conditions as warranted, other than the transactions.
    • A written description and explanation of how the service organization prepares reports and/or other information provided to user entities.
    • A written description (itemized listing) of the control objectives to be utilized within the context of an ISAE 3402 assurance engagement along with a discussion (if any) of any complementary user entity controls that were included within the overall control objectives.
    • A written description of the service organization's elements of internal control (which can be based on the COSO model, consisting of the following: 1. Control Environment. 2. Control Activities. 3. Information and Communication. 4. Risk Assessment. 5. Monitoring) that are relevant to the services being provided by the service organization itself.

Additional Requirements for ISAE 3402 Include the Following:

  • A written description and explanation of any changes to the system at the service organization during the specified test period (in the case of an ISAE 3402 Type II Report).
  • A written description and explanation discussing any information related to the service organization's system that has been omitted or is incorrect.
  • A written statement of assertion by the service organization related to the description of its system, and, in the case of an ISAE 3402 Type II Report, whether the system operated effectively throughout the specified period.
  • Identifying any risks that threaten the achievement of control objectives, which should be primarily discussed between the service organization and the service auditor.

Though the definition of a service organization's “system” is not explicitly stated within the ISAE 3402 standard, one can infer that it includes a wide range of items, as noted above. In summary, crafting the service organization's written description of its “system” into a complete and accurate document on which the service auditor can rely will take considerable time and effort. Thus, view the service organization's "system" as the following: The services provided, along with all supporting processes (technology or manual), policies, procedures, and operational activities that aid and facilitate the daily functioning of the service organization's core functions.

Of note is also the written statement of assertion by the service organization, which may very well be based on the service organization's monitoring activities.

Also, please note that the actual ISAE 3402 standard is geared towards practitioners, primarily service auditors; thus, when reading the actual standard, it can seem difficult to extract this timely and relevant information for service organizations.

NDB Accountants & Consultants hopes you find this information useful in preparing for the ISAE 3402 requirements.

 
3 Reasons to Choose NDB, LLP
  • Cost-effective, fixed fee audits
  • Nationally and Globally Recognized CPA Firm
  • Years of Experience Performing Assurance and Attestation Reporting

 
Copyright © 2010 The ISAE 3402 Resource Guide. All Rights Reserved.