Auditor Reporting on Controls at Service Organizations
Section 5970, CSAE 3416, SAS 70, SSAE 16, ISAE 3402
ACC 626
Podcast brought to you by: Jessica Leung
Agenda
• Background
• Introduction to Standards
  – Section 5970 and CSAE 3416
  – SAS 70 and SSAE 16
  – ISAE 3402
• Guidance on Use of Reports
  – Benefits and Limitations
• Transition to New Standard and Key Changes
• Hot Topic: Cloud Computing
• Key Take Away
Background
• The practice of outsourcing has grown, especially for IT-related services
• Service organizations operate, collect, transmit, store, organize, maintain or dispose of information for user entities
  o Data centers, claims processing centers or application service providers (ASPs)
• Changes in the regulatory landscape (SOX) and the globalization of business process outsourcing also call for more stringent audit requirements on internal control reporting
Service Organization and Users
[Diagram: user organizations outsource to service organizations; user auditors rely on the audit report issued by service auditors]
Users of Report:
• User Auditor
• Stakeholders
• Regulators
• Government
• Board of Directors
• Financial Statement Users
Purpose of Audit Report:
• Provide assurance on the effectiveness of internal controls over financial reporting for user organizations and their auditors
Introduction to Standards
• Section 5970: Auditor’s report on controls at a service organization
• Statement on Auditing Standards (SAS) No. 70: Service Organizations
• Statement on Standards for Attestation Engagements (SSAE) 16: Reporting on Controls at a Service Organization (effective June 15, 2011)
• International Standard on Assurance Engagements (ISAE) 3402: Assurance Reports on Controls at a Service Organization
• Canadian Standard on Assurance Engagements (CSAE) 3416: Reporting on Controls at a Service Organization (effective December 15, 2011)
Section 5970 and CSAE 3416
• Section 5970 is effective for engagements for periods beginning on or after January 1, 2006
• Harmonized with SAS No. 70
• CSAE 3416 will supersede Section 5970 on December 15, 2011
• Both standards are very similar to the US standards
SAS 70 and SSAE 16
• Service Organization Controls (SOC) 1 Report
• Report on controls at a service organization relevant to user entities’ internal control over financial reporting
• Provides guidance for service auditors to issue an opinion on the service organization’s description of controls
ISAE 3402
• ISAE 3402 is the default standard for countries without existing standards and the basis for updates to other countries’ standards
• SSAE 16 mirrors the global standard, ISAE 3402
• In Canada, CSAE 3416 is modeled after SSAE 16 and also aligns with ISAE 3402 in most respects
• All three new standards (SSAE 16, ISAE 3402 and CSAE 3416) are substantially the same
Guidance on Use of Reports
• Reporting on controls is not a “checklist” audit
• Control objectives and activities at service organizations vary
• The service auditor expresses an opinion on the presentation of the described controls and on whether the controls included in the description are well designed and operating effectively to meet the control objectives
• The report is intended for user organizations and their auditors only
Guidance on Use of Reports
• The report encompasses:
  o opinion of the service auditor (qualified/unqualified)
  o description of controls
  o description of observations and testing of controls (including nature, timing and extent)
  o additional information provided by the service organization
Guidance on Use of Reports
• Two types of report: Type I and Type II
Type I Report:
• Examines controls at a point in time
• Controls are not tested for effectiveness
• Helps the user auditor understand the controls necessary to plan the audit and to design tests of controls and substantive tests at the user organization
Type II Report:
• Examines controls over a period of time (minimum six months)
• Controls are tested for effectiveness
• Supports the user auditor’s assessment of the effectiveness of internal control over financial reporting
Example of a Type I Report
Example of a Type II Report
Benefits of Service Auditor Report
• Cost savings for users
  o Eliminates the need for each client’s auditors to perform the same testing procedures at the service organization
• Service auditors can deal directly with user auditors on questions related to their reports
• Monitoring tool for regulatory compliance in service level agreements (SLAs)
Limitation of Reports
• The terms “SAS 70 certified” or “SAS 70 compliant” are misused as a “data security rubber stamp” for marketing purposes
• The report is misinterpreted as addressing non-financial subject matters, such as availability, processing integrity, privacy or confidentiality
Limitation of Reports
• The service organization predetermines which controls the service auditor examines
• Service organizations might fail to disclose all controls relevant to the user organization
  o Service auditors cannot provide absolute assurance that internal control objectives have been achieved
Transition to New Standards
Why?
• Keep pace with the movement to global standards, such as IFRS
• Serve user organizations of all sizes, from local to multinational
• Option for service organizations to report internationally
Key Changes in SSAE 16 and ISAE 3402
Description of controls:
• SAS 70: Management’s description of controls
• SSAE 16: Management’s written assertion on all controls related to the user organization and a description of the system
• ISAE 3402: Same as SSAE 16
Reliance on internal audit:
• SAS 70: –
• SSAE 16: Service auditors need to disclose any reliance on the work of Internal Audit (or other independent management testing functions) within the report
• ISAE 3402: Same as SSAE 16
Risk identification:
• SAS 70: Service auditors are required to identify risks that threaten the achievement of control objectives
• SSAE 16: Service organizations are required to identify risks that threaten the achievement of control objectives
• ISAE 3402: Same as SSAE 16
How can Service Auditors help?
• Assess any changes necessary to comply with the new standards
  – Understand the impact of the change or review the system description
• Level of effort and costs will vary depending on how prepared service organizations are, their experience with their service auditors, and their internal control environment
• Advise on the selection of standards, such as selecting ISAE 3402 for international users
Hot Topic: Providing Assurance on Cloud Computing Services
• Outsourcing to a cloud service provider requires assurance beyond financial subject matters
  – reliability, privacy compliance, and the security of the system and data
• No recognized assurance standards are in place to address the unique risk issues of cloud services
• No specific assessment procedures exist for evaluating controls in the cloud environment
• SSAE 16 and Trust Services are likely to provide assurance on controls over financial reporting and the security of the system
Final Take Away
• New standards require more comprehensive disclosure from management
• They provide a higher level of assurance for users that controls are operating effectively to prevent or detect material misstatements in financial statements