ISAE3402 SAS70 audit kenmerken en verschillen

ISAE 3402 - abstract Some key concepts and the major differences when compared to SAS70 Drs. T. (Temme) Sikkema RA – [email_address] – Netherlands – September 2009

The importance of Third Party Reporting 1
Outsourcing has become a strategic issue
Cost reduction, return to core activities and increase of flexibility are drivers for “user organisations” to source certain activities to service organisations
User organisations need assurance that the service organisation controls are properly designed, implemented and are working effectively

The importance of Third Party Reporting 2
The service organisation may receive multiple requests for annual audits from their clients
The service organisation may instead choose to share a Third Party Assurance Report regarding controls it deems relevant with their clients

Third Party Reporting: enter SAS70
SAS70 is the American standard for third party assurance that has been adopted around the globe
SAS70 enables the user organisation (and its auditors) to acquire assurance regarding the design and operating effectiveness of those controls they find relevant
SAS70 may enable the user organisation’s compliance to legal and internal requirements

SAS70 – key features 1
SAS70 addresses the financial reporting requirements of users of service organisations and is thus limited to controls regarding the processing of financial transactions
The actual SAS70 report is generally divided into three or four sections, depending on the type of engagement
There are two types of Service Auditor’s Reports: Type I and Type II

A Type I report describes the service organisation’s description of controls at a specific point in time
A Type II report adds detailed testing of the service organisation’s controls over a minimum six month period

SAS70 is an auditing standard and not a pre-determined set of standards that a service organisation must meet to “pass” the test
In a SAS70 audit the service organisation is responsible for describing the controls that will be disclosed in the service auditor’s report
The scoping of the audit is therefore a very essential phase

Generally tested types of processes
Control environment
Control activities
Risk assessment processes
Information and communication processes
Monitoring processes

Generally tested types of controls
Organizational controls
Application development and maintenance controls
Logical access controls
Application controls
System maintenance controls
Data processing controls
[Business continuity controls] – in a separate section of the report, but no assurance given

SAS70 audit renders an opinion on:
Whether or not the service organisation’s description of controls is presented fairly
Whether or not the service organisation’s controls are designed effectively
Whether or not the service organisation’s controls are placed in operation as of a specified date
Whether or not the service organisation’s controls are operating effectively over a specified period of time (Type II engagements only)

Third Party Reporting: enter ISAE3402 1
ISA402 – Audit Considerations Relating to Entities Using Service Organisations
ISA402 gives guidance to user organisations and their auditors regarding the impact that service organisations have on the audit of the financial statement of the user organisation
However, ISA402 does not give any guidance to service auditors
Enter………ISAE3402

Third Party Reporting: enter ISAE3402 2
ISAE3402 – International Standard on Assurance Engagements 3402 – Assurance Reports on controls at a Third Party Service Organisation
Goal: create an international alternative for the American SAS70 standard, while increasing the usability of the report for a broader range of end users

ISAE3402 – key features 1
ISAE3402 does not limit the scope of the audit to control objectives for financial reporting requirements
Like SAS70, ISAE3402 is assertion-based
Like SAS70, the ISAE3402 standard has two types of reports (Type A and Type B) that have basically the same scope
In addition to the auditor’s opinion, management of the service organisation needs to provide a formal assertion, affirming its responsibilities for the controls in the report. This is a major difference when compared to SAS70

ISAE3402 – key features 2
ISAE3000 requires the service auditor to assess the suitability of criteria, and the appropriateness of the subject matter
ISAE3402 proposes a minimal set of such criteria
Can the audit community make these criteria S.M.A.R.T. ?

http://www.hutaudit.nl	1670
url_unknown	10
http://www.slideshare.net	3
http://metaware01.metaware.nl	2
http://webcache.googleusercontent.com	1

ISAE3402 SAS70 audit kenmerken en verschillen

by ad_voets on Sep 07, 2009

Accessibility

Categories

Tags

Upload Details

Usage Rights

5 Embeds 1,686

Statistics

ISAE3402 SAS70 audit kenmerken en verschillen — Presentation Transcript