|
NDB Accountants and Consultants will continue to update the list of commonly asked questions regarding the ISAE 3402 standard for assurance reporting on service organizations. In short, we will be providing all relevant parties with the most useful and current information available on the ISAE 3402 standard.
|
ISAE 3402 | Preparing Service Organizations for the Global Standard on Assurance Reporting
The ISAE 3402 standard will require service organizations to be proactive in meeting the requirements that will be placed on them by their service auditors. As such, service organizations would highly benefit from conducting an ISAE 3402 Readiness Assessment, which will assist in understanding the reporting requirements, which include the following:
- Preparing a description of the service organization's "system"
- Preparing a written statement of assertion to be included in the final ISAE 3402 report.
Additionally, the internal audit function within a service organization can potentially be involved in the overall process of the assurance engagement, if the service auditor deems its objectivity and professionalism to be acceptable.
Thus, conducting an ISAE 3402 Readiness Assessment will greatly assist service organizations in understanding the scope of the engagement along with the reporting requirements for the ISAE 3402 standard. |
|
Country & Region Specific Standards vs. ISAE 3402
The ISAE 3402 standard, issued in December of 2009 will become the new global standard on assurance reporting on service organizations. Thus, the chatter of late is what will become of the country & region specific standards, such as the AICPA SAS 70 (which is being superseded by SSAE 16), Canada's CICA 5970 and the UK's AAF 01/06 along with other reporting standards (Germany and Japan also have standards in place for reporting on service organizations).
It's important to note that the intent of the ISAE 3402 standard was not to eliminate country & region specific standards and replace it with a new global standard on assurance reporting. Rather, the ISAE 3402 provides an acceptable alternative to other standards that are being used by service auditors when engaging with service organizations for reporting on internal controls.
With that said, some standards are now migrating to one that is similar to that of ISAE 3402, such as the AICPA SAS 70, which will be superseded and effectively replaced by SSAE 16. It's too early to tell if other standards will follow a similar path, but having a global standard such as ISAE 3402 provides more transparency and clarity on the overall process of reporting on internal controls at service organizations.
The complex nature of service organizations and their ever-growing requirements from user entities, regulatory agencies, and other notable users of these reports created a need for a more universally accepted standard, for which ISAE 3402 is.
Service organizations can be found throughout all corners of the globe, thus the ISAE 3402 standard will provide an alternative for reporting, if needed. However, it's plausible to assume that many of the country & region specific standards will still be used to large a degree. |
Subservice Organization for Purposes of ISAE 3402
The ISAE 3402 standard also includes provisions regarding the use of a subservice organization. Many service organizations themselves actually outsource services to other service organizations, thus these are identified as subservice organizations. For purposes of the ISAE 3402 standard, a service organization has two reporting options for subservice organizations, if in fact they use one to outsource services to.
Inclusive Method | ISAE 3402 Standard
A service organization has the option of including the subservice organization's control objectives and related controls in the actual service organization's description of its system, and also in the scope of the service auditor's engagement.
Carve-out Method | ISAE 3402 Standard
The subservice organization's control objectives and related controls are excluded from the actual service organization's description of its system, resulting in this information not being a part of the scope of the service auditor's engagement.
The ISAE 3402 standard also states that if the inclusive method is used for reporting on subservice organizations, then the service auditor will have to obtain relevant information as needed along with performing procedures. The ISAE 3402 standard recommends using the inclusive method when the service organization and the subservice organization are related or explicit contractual documentation is in place between both parties.
It is plausible to assume that if a subservice organization is providing critical and/or material outsourcing services for a service organization, then it will likely garner the attention of having to undergo an assurance audit itself in accordance with the ISAE 3402 standard. |
|
Type 1 and Type 2 vs. Type A and Type B | ISAE 3402
Initially, the exposure draft (released in December of 2007), along with a number of white papers and executive briefs written by practitioners referenced the two ISAE 3402 reports as that being a Type A and a Type B. However, the IAASB decided that in finalizing the ISAE 3402 standard, it would be appropriate to change the terms from Type A and Type B reports to Type 1 and Type 2 reports.
However, to be consistent with the ED (Exposure Draft) ISAE 3402 that was initially released in December 2007, the phrase "Type A" and "Type B" were still used in their Basis for Conclusions: ISAE 3402, Assurance Reports on Controls at a Service Organization.
The three main reports released by the IAASB regarding ISAE 3402 are as follows:
- December 2007: ED (Exposure Draft) ISAE 3402, Assurance Reports on Controls at a Third Party Service Organization.
- December 2009: Basis for Conclusions: ISAE 3402, Assurance Reports on Controls at a Service Organization.
- December 2009: ISAE 3402, Assurance Reports on Controls at a Third Party Service Organization. (Final Draft)
|
The relationship between ISAE 3402 and ISA 402
The ISAE 3402 standard states that reports prepared according to ISAE 3402 itself provide appropriate evidence under ISA 402, Audit Considerations Relating to an Entity Using a Service Organization. Simply stated, the ISA 402 addresses the user auditor's responsibility to obtain sufficient and appropriate audit evidence when a user entity uses the services of one or more service organizations.
It is important to note that with many accounting standards, a number of supporting or adjunct standards also play a role in interpreting, understanding, and facilitating that standard itself, such is the case with the ISAE 3402 standard. |
|
|
|
|
<< Start < Prev 1 2 Next > End >>
|
|
Page 1 of 2 |
