Transcript ISAE 3402 - abstract

ISAE 3402 - abstract
Some key concepts and the
major differences when
compared to SAS70
Drs. T. (Temme) Sikkema RA – [email protected] – – www.hutaudit.nl NL – September 2009
The importance of Third Party Reporting 1



Outsourcing has become a strategic issue
Cost reduction, return to core activities and increase of
flexibility are drivers for “user organisations” to source certain
activities to service organisations
User organisations need assurance that the service
organisation controls are properly designed, implemented
and are working effectively
www.hutaudit.nl
The importance of Third Party Reporting 2


The service organisation may receive multiple requests for
annual audits from their clients
The service organisation may instead choose to share a Third
Party Assurance Report regarding controls it deems relevant
with their clients
www.hutaudit.nl
Third Party Reporting: enter SAS70



SAS70 is the American standard for third party assurance that
has been adopted around the globe
SAS70 enables the user organisation (and its auditors) to
acquire assurance regarding the design and operating
effectiveness of those controls they find relevant
SAS70 may enable the user organisation’s compliance to legal
and internal requirements
www.hutaudit.nl
SAS70 – key features 1



SAS70 addresses the financial reporting requirements of users
of service organisations and is thus limited to controls
regarding the processing of financial transactions
The actual SAS70 report is generally divided into three or four
sections, depending on the type of engagement
There are two types of Service Auditor’s Reports: Type I and
Type II
www.hutaudit.nl
SAS70 – key features 2


A Type I report describes the service organisation’s
description of controls at a specific point in time
A Type II report adds detailed testing of the service
organisation’s controls over a minimum six month period
www.hutaudit.nl
SAS70 – key features 3



SAS70 is an auditing standard and not a pre-determined set of
standards that a service organisation must meet to “pass” the
test
In a SAS70 audit the service organisation is responsible for
describing the controls that will be disclosed in the service
auditor’s report
The scoping of the audit is therefore a very essential phase
www.hutaudit.nl
Generally tested types of processes





Control environment
Control activities
Risk assessment processes
Information and communication processes
Monitoring processes
www.hutaudit.nl
Generally tested types of controls







Organizational controls
Application development and maintenance controls
Logical access controls
Application controls
System maintenance controls
Data processing controls
[Business continuity controls] – in a separate section of the
report, but no assurance given
www.hutaudit.nl
SAS70 audit renders an opinion on:




Whether or not the service organisation’s description of
controls is presented fairly
Whether or not the service organisation’s controls are
designed effectively
Whether or not the service organisation’s controls are placed
in operation as of a specified date
Whether or not the service organisation’s controls are
operating effectively over a specified period of time (Type II
engagements only)
www.hutaudit.nl
Third Party Reporting: enter ISAE3402 1




ISA402 – Audit Considerations Relating to Entities Using
Service Organisations
ISA402 gives guidance to user organisations and their auditors
regarding the impact that service organisations have on the
audit of the financial statement of the user organisation
However, ISA402 does not give any guidance to service
auditors
Enter………ISAE3402
www.hutaudit.nl
Third Party Reporting: enter ISAE3402 2


ISAE3402 – International Standard on Assurance Engagements
3402 – Assurance Reports on controls at a Third Party Service
Organisation
Goal: create an international alternative for the American
SAS70 standard, while increasing the usability of the report
for a broader range of end users
www.hutaudit.nl
ISAE3402 – key features 1




ISAE3402 does not limit the scope of the audit to control
objectives for financial reporting requirements
Like SAS70, ISAE3402 is assertion-based
Like SAS70, the ISAE3402 standard has two types of reports
(Type A and Type B) that have basically the same scope
In addition to the auditor’s opinion, management of the
service organisation needs to provide a formal assertion,
affirming its responsibilities for the controls in the report.This
is a major difference when compared to SAS70
www.hutaudit.nl
ISAE3402 – key features 2



ISAE3000 requires the service auditor to assess the suitability
of criteria, and the appropriateness of the subject matter
ISAE3402 proposes a minimal set of such criteria
Can the audit community make these criteria S.M.A.R.T.?
www.hutaudit.nl