Background
International Standard on Assurance Engagements (ISAE) No. 3402, Assurance Reports on Controls at a Service Organization, was issued in December 2009 by the International Auditing and Assurance Standards Board (IAASB), which is part of the International Federation of Accountants (IFAC). ISAE 3402 was developed to provide an international assurance standard for allowing public accountants to issue a report for use by user organizations and their auditors (user auditors) on the controls at a service organization that are likely to impact or be a part of the user organization’s system of internal control over financial reporting.
Areas where ISAE 3402 can apply
Although many businesses have been outsourcing portions of their work for years now, outsourcing is still becoming more popular by the day. This is especially driven by increased globalization, technological evolutions and the need for standardised business processes. Outsourcing is any task, operation, job or process that could be performed by employees within the user organisation, but is instead contracted to a third party (service organisation) or another group company for a period of time.
Some examples for the financial sector are:
- Asset managers that perform asset management services for different parties within the group company.
- Pension administrators who perform the administration for pension funds.
- Claim service companies that perform claim handling services for large insurers.
The widespread use of outsourcing requires organizations to better manage the risks associated with the outsourced services. More specifically, the user organisation requires a degree of assurance that the service organisation has a well-established internal control framework that is operating effectively. New regulations, regulatory authorities and supervisory boards also ask for specific controls over outsourced procedures.
For Service Organisation Control (SOC) reporting, a distinction is made between three types of reports:
- SOC 1 – Reports on controls over processing that impacts the financial statements, typically produced using ISAE 3402 (issued by the International Auditing and Assurance Standards Board) or SSAE 16 (issued by the American Institute of Certified Public Accountants). Distribution would be restricted to users of the services. An ISAE 3402 or SSAE 16 engagement is an examination (similar to an audit) of a description produced by the service organisation of the system(s) they operate on your behalf which are relevant to your internal control processes.
- SOC 2 – Reports on non-financial processing based on one or more of the Trust Services criteria on security, privacy, availability, confidentiality and processing integrity, and including the description of the services provided and the controls tested. Distribution would be restricted to users of the services.
- SOC 3 – Again, a report on non-financial processing based on the Trust Services criteria. A SOC 3 report can be distributed to anyone, but only contains management’s assertion that they have met the requirements of the chosen criteria and the auditor’s opinion on this assertion.
Implementing and maintaining ISAE 3402
ISAE 3402 deals with assurance engagements undertaken by an auditor to provide a report for use by user entities and their auditors on the controls at a service organization that provides a service to user entities that is likely to be relevant to user entities’ internal control as it relates to financial reporting. The user organization is an entity that outsourced part of its business to a service organization. Formal agreements regarding the outsourced services are recorded in a contract and/or Service Level Agreement (SLA).
Under the ISAE 3402 standard the service organisation has five primary responsibilities:
1. Prepare and present a complete and accurate description of the ‘system’ (i.e. the internal control framework).
2. Specify the control objectives.
3. Identify the risks that threaten the achievement of the control objectives.
4. Design, implement and maintain controls to provide reasonable assurance that the control objectives will be achieved.
5. Provide a written assertion to accompany the description as to the completeness and accuracy of the information provided and state the criteria used as a basis for making the assertion.
The auditor of the service organisation (service auditor) shall subsequently determine whether all relevant aspects of the ISAE 3402 standard are adequately addressed by the system description. In addition, the service auditor determines whether the mentioned controls exist, are adequately designed and (type II only) operated effectively during a certain period. The service auditor provides an opinion in the ISAE 3402 report. The auditor of the user organisation (user auditor) can subsequently rely on the service auditor's opinion when auditing the user organization's financial statements.
Below is how Premier Brains can add value
Our approach to an existing ISAE 3402 process is focused on assisting you in effectively maintaining and optimizing the ISAE 3402 process. Each year we will thoroughly evaluate the complete project and process considering all relevant internal and external developments. We will input our industry knowledge and assess the impact on your processes and our audit work.
If you would like to discuss any matters relating to this, please drop us an email at info@premier-brains.com or call us at + 971 4 3542959.