ISAE 3402 - abstract
Some key concepts and the major differences when compared to SAS70
Drs. T. (Temme) Sikkema RA – t.sikkema@hutco.nl – www.hutaudit.nl NL – September 2009

The importance of Third Party Reporting (1)
• Outsourcing has become a strategic issue
• Cost reduction, return to core activities and increase of flexibility are drivers for “user organisations” to source certain activities to service organisations
• User organisations need assurance that the service organisation controls are properly designed, implemented and are working effectively

The importance of Third Party Reporting (2)
• The service organisation may receive multiple requests for annual audits from their clients
• The service organisation may instead choose to share a Third Party Assurance Report regarding controls it deems relevant with their clients

Third Party Reporting: enter SAS70
• SAS70 is the American standard for third party assurance that has been adopted around the globe
• SAS70 enables the user organisation (and its auditors) to acquire assurance regarding the design and operating effectiveness of those controls they find relevant
• SAS70 may enable the user organisation’s compliance with legal and internal requirements

SAS70 – key features (1)
• SAS70 addresses the financial reporting requirements of users of service organisations and is thus limited to controls regarding the processing of financial transactions
• The actual SAS70 report is generally divided into three or four sections, depending on the type of engagement
• There are two types of Service Auditor’s Reports: Type I and Type II

SAS70 – key features (2)
• A Type I report describes the service organisation’s description of controls at a specific point in time
• A Type II report adds detailed testing of the service organisation’s controls over a minimum six month period

SAS70 – key features (3)
• SAS70 is an auditing standard and not a pre-determined set of standards that a service organisation must meet to “pass” the test
• In a SAS70 audit the service organisation is responsible for describing the controls that will be disclosed in the service auditor’s report
• The scoping of the audit is therefore an essential phase

Generally tested types of processes
• Control environment
• Control activities
• Risk assessment processes
• Information and communication processes
• Monitoring processes

Generally tested types of controls
• Organizational controls
• Application development and maintenance controls
• Logical access controls
• Application controls
• System maintenance controls
• Data processing controls
• [Business continuity controls] – in a separate section of the report, but no assurance given

SAS70 audit renders an opinion on:
• Whether or not the service organisation’s description of controls is presented fairly
• Whether or not the service organisation’s controls are designed effectively
• Whether or not the service organisation’s controls are placed in operation as of a specified date
• Whether or not the service organisation’s controls are operating effectively over a specified period of time (Type II engagements only)

Third Party Reporting: enter ISAE3402 (1)
• ISA402 – Audit Considerations Relating to Entities Using Service Organisations
• ISA402 gives guidance to user organisations and their auditors regarding the impact that service organisations have on the audit of the financial statement of the user organisation
• However, ISA402 does not give any guidance to service auditors
• Enter... ISAE3402

Third Party Reporting: enter ISAE3402 (2)
• ISAE3402 – International Standard on Assurance Engagements 3402 – Assurance Reports on controls at a Third Party Service Organisation
• Goal: create an international alternative for the American SAS70 standard, while increasing the usability of the report for a broader range of end users

ISAE3402 – key features (1)
• ISAE3402 does not limit the scope of the audit to control objectives for financial reporting requirements
• Like SAS70, ISAE3402 is assertion-based
• Like SAS70, the ISAE3402 standard has two types of reports (Type A and Type B) that have basically the same scope
• In addition to the auditor’s opinion, management of the service organisation needs to provide a formal assertion, affirming its responsibilities for the controls in the report. This is a major difference when compared to SAS70

ISAE3402 – key features (2)
• ISAE3000 requires the service auditor to assess the suitability of criteria, and the appropriateness of the subject matter
• ISAE3402 proposes a minimal set of such criteria
• Can the audit community make these criteria S.M.A.R.T.?