130 likes | 397 Views
Third Party Reporting. New International Audit Standard for Service Auditor’s Reports – ISAE 3402 James Merrill – Ernst & Young LLP. Agenda. Background Comparison of ISAE 3402 to SAS 70 Planning Considerations. Historical Perspective. AICPA set initial standard with SAS No. 70 in 1990s
E N D
Third Party Reporting New International Audit Standard for Service Auditor’s Reports – ISAE 3402 James Merrill – Ernst & Young LLP
Agenda • Background • Comparison of ISAE 3402 to SAS 70 • Planning Considerations
Historical Perspective • AICPA set initial standard with SAS No. 70 in 1990s • Other countries have issued similar standards • Japan – ASCR 18 • UK – FRAG 21/94 • Others – Australia, Hong Kong • US Congress’ Sarbanes-Oxley Act in 2002 significantly increased demand for SAS 70 reports • International Federation of Accountants (IFAC) issued user’s guide to service auditor’s reports in 2004
New Standard – Timeline of IFAC • IFAC’s International Accounting and Auditing Standards Board (IAASB) recognized a need for consistent service auditor’s reports on an international basis in 2006 • IAASB developed ISAE 3402 in 2007 • Started with SAS 70 standard • Exposure draft issued January 2008 • Coordinating with local country standards setting organizations • Effective in late 2009
Similarities Between ISAE 3402 & SAS 70 • Major elements of SAS 70 adopted by the IAASB • Type 1 and Type 2 reports (now Type A and Type B) • Description of controls prepared by service organization • List of controls specified and tested • Provision for carve-out and inclusive sub-servicers • Use of internal audit is permitted • Helps to minimize transition efforts • Easier training for service organization staff, auditors, and users of such reports
Differences Between ISAE 3402 & SAS 70 • Change to an attestation standard • Service organization attests to the existence and operating effectiveness of controls in the report • Auditor opines on the subject matter supporting the assertions • Service auditor required to assess the reasonableness of management’s criteria used to develop the control objectives and controls • Criteria must be specific, measurable, and relevant to users’ intended reliance on the report
Planning Considerations – ISAE 3402 • Assertions • Included in the report after the service auditor’s opinion • In addition to the letter of representations between the auditor and the service organization • Examples provided by IAASB in ISAE 3402 Appendices
Assertions by Management – ISAE 3402 • Focus on existing systems and user organizations • Confirms to user of the report: • Description of controls is fairly presented • Does not distort or omit information relevant to intended users • Controls were suitably designed and operated effectively • The criteria used to make the assertion are appropriate. • Signed by business process owners
Distribution of the Report – ISAE 3402 Intended Users and Purpose This report and the description of tests of controls on pages [yy-zz] are intended only for existing customers of XYZ Service Organization’s [type or name of] system, and their auditors, who have a sufficient understanding to consider it, along with other information including information about controls operated by customers themselves, when assessing the risks of material misstatements of customers’ financial statements. [Service auditor’s signature] [Date of the service auditor’s assurance report]
Planning Considerations – ISAE 3402 • Planning objectives: • Developing relevant assertions • Identifying relevant criteria for control objectives • Identifying other changes to report content • Project management for transition is necessary • Designated service organization staff for best results
Awareness of new AICPA attest standard Replaces SAS 70 with two new standards ISA 402 ISAE 3402 Expected implementation year is 2010 Similar in scope and content to ISAE 3402 Parallel planning effort necessary by service organizations Planning Considerations – AICPA Standards
IAASB welcomes feedback during “comment period” Encourages industry reaction and feedback ISA 402 (user auditor’s use of the report) feedback due April 30, 2008 ISAE 3402 (reporting standard) feedback due May 31, 2008 Respond directly to IAASB in New York City Document Address: http://www.ifac.org/Guidance/EXD-Details.php?EDID=0099 IAASB Feedback Period