ISAE 3402 - abstract Some key concepts and the major differences when compared to SAS70 Drs. T. (Temme) Sikkema RA – [email_address] – Netherlands – September 2009

The importance of Third Party Reporting 1 Outsourcing has become a strategic issue Cost reduction, return to core activities and increase of flexibility are drivers for “user organisations” to source certain activities to service organisations User organisations need assurance that the service organisation controls are properly designed, implemented and are working effectively

Outsourcing has become a strategic issue

Cost reduction, return to core activities and increase of flexibility are drivers for “user organisations” to source certain activities to service organisations

User organisations need assurance that the service organisation controls are properly designed, implemented and are working effectively

The importance of Third Party Reporting 2 The service organisation may receive multiple requests for annual audits from their clients The service organisation may instead choose to share a Third Party Assurance Report regarding controls it deems relevant with their clients

The service organisation may receive multiple requests for annual audits from their clients

The service organisation may instead choose to share a Third Party Assurance Report regarding controls it deems relevant with their clients

Third Party Reporting: enter SAS70 SAS70 is the American standard for third party assurance that has been adopted around the globe SAS70 enables the user organisation (and its auditors) to acquire assurance regarding the design and operating effectiveness of those controls they find relevant SAS70 may enable the user organisation’s compliance to legal and internal requirements

SAS70 is the American standard for third party assurance that has been adopted around the globe

SAS70 enables the user organisation (and its auditors) to acquire assurance regarding the design and operating effectiveness of those controls they find relevant

SAS70 may enable the user organisation’s compliance to legal and internal requirements

SAS70 – key features 1 SAS70 addresses the financial reporting requirements of users of service organisations and is thus limited to controls regarding the processing of financial transactions The actual SAS70 report is generally divided into three or four sections, depending on the type of engagement There are two types of Service Auditor’s Reports: Type I and Type II

SAS70 addresses the financial reporting requirements of users of service organisations and is thus limited to controls regarding the processing of financial transactions

The actual SAS70 report is generally divided into three or four sections, depending on the type of engagement

There are two types of Service Auditor’s Reports: Type I and Type II

SAS70 – key features 2 A Type I report describes the service organisation’s description of controls at a specific point in time A Type II report adds detailed testing of the service organisation’s controls over a minimum six month period

A Type I report describes the service organisation’s description of controls at a specific point in time

A Type II report adds detailed testing of the service organisation’s controls over a minimum six month period

SAS70 – key features 3 SAS70 is an auditing standard and not a pre-determined set of standards that a service organisation must meet to “pass” the test In a SAS70 audit the service organisation is responsible for describing the controls that will be disclosed in the service auditor’s report The scoping of the audit is therefore a very essential phase

SAS70 is an auditing standard and not a pre-determined set of standards that a service organisation must meet to “pass” the test

In a SAS70 audit the service organisation is responsible for describing the controls that will be disclosed in the service auditor’s report

The scoping of the audit is therefore a very essential phase

Generally tested types of processes Control environment Control activities Risk assessment processes Information and communication processes Monitoring processes

Control environment

Control activities

Risk assessment processes

Information and communication processes

Monitoring processes

Generally tested types of controls Organizational controls Application development and maintenance controls Logical access controls Application controls System maintenance controls Data processing controls [Business continuity controls] – in a separate section of the report, but no assurance given

Organizational controls

Application development and maintenance controls

Logical access controls

Application controls

System maintenance controls

Data processing controls

[Business continuity controls] – in a separate section of the report, but no assurance given

SAS70 audit renders an opinion on: Whether or not the service organisation’s description of controls is presented fairly Whether or not the service organisation’s controls are designed effectively Whether or not the service organisation’s controls are placed in operation as of a specified date Whether or not the service organisation’s controls are operating effectively over a specified period of time (Type II engagements only)

Whether or not the service organisation’s description of controls is presented fairly

Whether or not the service organisation’s controls are designed effectively

Whether or not the service organisation’s controls are placed in operation as of a specified date

Whether or not the service organisation’s controls are operating effectively over a specified period of time (Type II engagements only)

Third Party Reporting: enter ISAE3402 1 ISA402 – Audit Considerations Relating to Entities Using Service Organisations ISA402 gives guidance to user organisations and their auditors regarding the impact that service organisations have on the audit of the financial statement of the user organisation However, ISA402 does not give any guidance to service auditors Enter………ISAE3402

ISA402 – Audit Considerations Relating to Entities Using Service Organisations

ISA402 gives guidance to user organisations and their auditors regarding the impact that service organisations have on the audit of the financial statement of the user organisation

However, ISA402 does not give any guidance to service auditors

Enter………ISAE3402

Third Party Reporting: enter ISAE3402 2 ISAE3402 – International Standard on Assurance Engagements 3402 – Assurance Reports on controls at a Third Party Service Organisation Goal: create an international alternative for the American SAS70 standard, while increasing the usability of the report for a broader range of end users

ISAE3402 – International Standard on Assurance Engagements 3402 – Assurance Reports on controls at a Third Party Service Organisation

Goal: create an international alternative for the American SAS70 standard, while increasing the usability of the report for a broader range of end users

ISAE3402 – key features 1 ISAE3402 does not limit the scope of the audit to control objectives for financial reporting requirements Like SAS70, ISAE3402 is assertion-based Like SAS70, the ISAE3402 standard has two types of reports (Type A and Type B) that have basically the same scope In addition to the auditor’s opinion, management of the service organisation needs to provide a formal assertion, affirming its responsibilities for the controls in the report. This is a major difference when compared to SAS70

ISAE3402 does not limit the scope of the audit to control objectives for financial reporting requirements

Like SAS70, ISAE3402 is assertion-based

Like SAS70, the ISAE3402 standard has two types of reports (Type A and Type B) that have basically the same scope

In addition to the auditor’s opinion, management of the service organisation needs to provide a formal assertion, affirming its responsibilities for the controls in the report. This is a major difference when compared to SAS70

ISAE3402 – key features 2 ISAE3000 requires the service auditor to assess the suitability of criteria, and the appropriateness of the subject matter ISAE3402 proposes a minimal set of such criteria Can the audit community make these criteria S.M.A.R.T. ?

ISAE3000 requires the service auditor to assess the suitability of criteria, and the appropriateness of the subject matter

ISAE3402 proposes a minimal set of such criteria

Can the audit community make these criteria S.M.A.R.T. ?