Upload: university-of-waterloo
Post on 29-Nov-2014

Page 1: Auditor Reporting on Controls at Service Organizations

Auditor Reporting on Controls at Service Organizations

S. 5970, CSAE 3416, SAS 70, SSAE 16, ISAE 3402

ACC 626

Podcast brought to you by: Jessica Leung

Page 2: Auditor Reporting on Controls at Service Organizations

Agenda

• Background
• Introduction to Standards
  – Section 5970 and CSAE 3416
  – SAS 70 and SSAE 16
  – ISAE 3402
• Guidance on Use of Reports
  – Benefits and Limitations
• Transition to New Standard and Key Changes
• Hot Topic: Cloud Computing
• Key Take Away

Page 3: Auditor Reporting on Controls at Service Organizations

Background

• The practice of outsourcing has grown, especially for IT-related services
• Service organizations operate, collect, transmit, store, organize, maintain or dispose of information for user entities
  o Data centers, claims processing centers or application service providers (ASPs)
• Changes in the regulatory landscape (SOX) and the globalization of business process outsourcing also call for more stringent audit requirements on internal control reporting

Page 4: Auditor Reporting on Controls at Service Organizations

Service Organization and Users

(Diagram: user organizations outsource to service organizations; user auditors and service auditors; the service auditor's audit report goes to the users of the report.)

Users of Report:
• User Auditor
• Stakeholders
• Regulators
• Government
• Board of Directors
• Financial Statement Users

Purpose of Audit Report:
• Provide assurance on the effectiveness of internal controls over financial reporting for user organizations and their auditors

Page 5: Auditor Reporting on Controls at Service Organizations

Introduction to Standards

• Section 5970: Auditor's report on controls at a service organization
• Statement on Auditing Standards (SAS) No. 70: Service Organizations
• Statement on Standards for Attestation Engagements (SSAE) 16: Reporting on Controls at a Service Organization (effective June 15, 2011)
• International Standard on Assurance Engagements (ISAE) 3402: Assurance Reports on Controls at a Service Organization
• Canadian Standard on Assurance Engagements (CSAE) 3416: Reporting on Controls at a Service Organization (effective December 15, 2011)

Page 6: Auditor Reporting on Controls at Service Organizations

Section 5970 and CSAE 3416

• Section 5970 is effective for engagements for periods beginning on or after January 1, 2006
• Harmonized with SAS No. 70
• CSAE 3416 will supersede Section 5970 on December 15, 2011
• Both standards are very similar to the US standards

Section 5970: Auditor's report on controls at a service organization

Canadian Standard on Assurance Engagements (CSAE) 3416: Reporting on Controls at a Service Organization (effective December 15, 2011)

Page 7: Auditor Reporting on Controls at Service Organizations

SAS 70 and SSAE 16

Statement on Auditing Standards (SAS) No. 70: Service Organizations

Statement on Standards for Attestation Engagements (SSAE) 16: Reporting on Controls at a Service Organization (effective June 15, 2011)

• Service Organization Controls (SOC) 1 Report
• Report on controls at a service organization relevant to user entities' internal control over financial reporting
• Provides guidance for service auditors to issue an opinion on the service organization's description of controls

Page 8: Auditor Reporting on Controls at Service Organizations

ISAE 3402

• ISAE 3402 is the default standard for countries without existing standards and the basis for updates to other countries' standards
• SSAE 16 mirrors the global standard, ISAE 3402
• In Canada, CSAE 3416 is modeled after SSAE 16; it also aligns with ISAE 3402 in most respects
• All three new standards (SSAE 16, ISAE 3402 and CSAE 3416) are substantially the same

International Standard on Assurance Engagements (ISAE) 3402: Assurance Reports on Controls at a Service Organization

Page 9: Auditor Reporting on Controls at Service Organizations

Guidance on Use of Reports

• Reporting on controls is not a "checklist" audit
• Control objectives and activities at service organizations vary
• The service auditor expresses an opinion on the presentation of the described controls and on whether the controls included in the description are well designed and operating effectively to meet the control objectives
• The report is intended for user organizations and their auditors only

Page 10: Auditor Reporting on Controls at Service Organizations

Guidance on Use of Reports

• The report encompasses:
  o opinion of the service auditor (qualified/unqualified)
  o description of controls
  o description of observations and testing of controls (including nature, timing and extent)
  o additional information provided by the service organization

Page 11: Auditor Reporting on Controls at Service Organizations

Guidance on Use of Reports

• Two types of report: Type I and Type II

Type I Report:
• Examines controls at a point in time
• Controls are not tested for effectiveness
• Helps the user auditor understand the controls necessary to plan the audit and to design tests of controls and substantive tests at the user organization

Type II Report:
• Examines controls over a period of time, minimum 6 months
• Controls are tested for effectiveness
• Supports the user auditor's assessment of the effectiveness of internal control over financial reporting

Page 12: Auditor Reporting on Controls at Service Organizations

Example of a Type I Report

Page 13: Auditor Reporting on Controls at Service Organizations

Example of a Type II Report

Page 14: Auditor Reporting on Controls at Service Organizations

Benefits of Service Auditor Report

• Cost savings for users
  o Eliminates the need for each client's auditors to perform the same testing procedures at the service organization
• Service auditors can deal directly with user auditors for questions related to their reports
• Monitoring tool for regulatory compliance in service level agreements (SLAs)

Page 15: Auditor Reporting on Controls at Service Organizations

Limitation of Reports

• The term "SAS 70 certified" or "SAS 70 compliant" is misused as a "data security rubber stamp" for marketing purposes
• The report is misinterpreted as addressing non-financial subject matters, such as availability, processing integrity, privacy or confidentiality

Page 16: Auditor Reporting on Controls at Service Organizations

Limitation of Reports

• The service organization predetermines the controls that service auditors examine
• Service organizations might fail to disclose all controls relevant to the user organization
  o Service auditors cannot provide absolute assurance that internal control objectives have been achieved

Page 17: Auditor Reporting on Controls at Service Organizations

Transition to New Standards

Why?
• Keep pace with the movement to global standards, such as IFRS
• Serve all sizes of user organizations, from local to multinational
• Option for service organizations to report internationally

Page 18: Auditor Reporting on Controls at Service Organizations

Key Changes in SSAE 16 and ISAE 3402

Management's description:
  SAS 70: Management's description of controls
  SSAE 16: Management's written assertion on all controls related to the user organization and a description of the system
  ISAE 3402: Same as SSAE 16

Reliance on Internal Audit:
  SAS 70: -
  SSAE 16: Service auditors need to disclose any reliance on the work of Internal Audit (or other independent management testing functions) within the report
  ISAE 3402: Same as SSAE 16

Risk identification:
  SAS 70: Service auditors are required to identify risks that threaten the achievement of control objectives
  SSAE 16: Service organizations are required to identify risks that threaten the achievement of control objectives
  ISAE 3402: Same as SSAE 16

Page 19: Auditor Reporting on Controls at Service Organizations

How can Service Auditors help?

• Assess any changes necessary to comply with the new standards
  – Understand the impact of the change or review the system description
• Level of effort and costs will vary depending on how prepared service organizations were, their experience with their service auditors, and their internal control environment
• Advise on the selection of standards, such as selecting ISAE 3402 for international users

Page 20: Auditor Reporting on Controls at Service Organizations

Hot Topic: Providing Assurance on Cloud Computing Services

• Outsourcing to a cloud service provider requires assurance beyond financial subject matters alone
  – reliability, privacy compliance, and the security of the system and data

Page 21: Auditor Reporting on Controls at Service Organizations

Hot Topic: Providing Assurance on Cloud Computing Services

• No recognized assurance standards in place to address the unique risk issues of cloud services

• No specific assessment procedures for evaluating controls in the cloud environment

• SSAE 16 and Trust Services are likely to provide assurance on controls over financial reporting and the security of the system

Page 22: Auditor Reporting on Controls at Service Organizations

Final Take Away

• New standards require more comprehensive disclosure from management
• Provide a higher level of assurance for users that controls are secure and operating effectively to prevent or detect material misstatement in financial statements
