The end of SAS70 what next for Performance Assurance?

Transcription

1 Enhancing Trust and Transparency The end of SAS70 what next for Performance Assurance? A perspective on transitioning from SAS 70 to ISAE 3402 pwc Enhancing Trust and Transparency 1

2 Contents What you need to know 2 Detailed assessment of key changes to the standard 3 Key action Items 7 Contacts 8 PricewaterhouseCoopers

3 The SAS70 standard is obsolete from 15th June 2011 The changes are subtle but our overall view is that organisations need to act now, to help minimise the impact on themselves and their customers. Enhancing Trust and Transparency 1

4 What you need to know Organisations that provide services to their customers are often subject to independent assessments of the processes executed on behalf of their customers. Statement on Auditing Standards (SAS) No. 70 has long been the most widespread and recognised standard globally for performing these assessments. It gave the service organisation a mechanism for providing an independent assurance report (and therefore comfort) to their customers. The requirements and guidance for auditors reporting under SAS 70 will be superseded for reporting periods ending on or after the 15th June 2011 by SSAE 16. However, given both SAS 70 and SSAE 16 are US based standards, and many countries did not have their own standard for performing such assessments, an international standard, ISAE 3402, was issued in December This new standard will provide a reporting option for service organisations that need a global attestation standard to deliver consistent reporting worldwide, or will form the basis for updating regional standards (such as AAF 01/06). Like SSAE 16, the new standard is effective for reports with periods ending on or after June 15, 2011 and will permit early adoption. The focus of this document is on the necessary changes to move from SAS 70 to ISAE It includes comments on the impact of those updates on service organisations and service auditors. Key similarities and differences between ISAE 3402 and SAS 70 Similarities Scope is focused on controls that are likely to be relevant to user entities internal control over financial reporting Type 1 and Type 2 reports may be issued by the service auditor. Reports may include (inclusive method) or exclude (carve-out method) services provided by subservice organisations Service organisation s description of controls under SAS 70 generally will provide a basis for the system description under ISAE 3402 Service auditor s report is restricted to use by the service organisations management, customers of the service organisation and the customers auditors Differences Management is required to provide a written assertion with respect to the service organisations responsibilities for systems and controls Subservice organisations are required to provide a similar assertion when they are included in the scope of the report In a Type 2 report, the service auditor opines on the suitability of the design of controls related to the control objectives throughout the entire period The service auditor is required to disclose any reliance on the work of Internal Audit (or other independent management testing functions) within the report Overall assessment of key changes to the standard The new standard is not designed to change how an engagement to report on controls is performed. Rather, it has been prepared to meet the demand for an internationally recognised standard and to fit into the current framework for assurance standards. The new standard does include some new requirements and changes to previous requirements of SAS 70. For each of the key changes discussed herein, we have provided an assessment of the difference from SAS 70 and the level of effort it will require of the service organisation to implement the change. Acronym Buster Statement on Standards for Attestation Engagements 16 (SSAE 16) is the US standard issued by the American Institute of Certified Public Accountants. The International Standard on Assurance Engagements 3402 (ISAE 3402) is issued by the International Auditing and Assurance Standards Board (IAASB). 2 PricewaterhouseCoopers

5 Detailed assessment of key changes to the standard Management assertion Difference from SAS 70 Different Level of effort to implement Medium Under the new standard, the service organisation has to acknowledge its responsibilities through a written assertion, which will state that the controls are fairly presented, suitably designed and operating effectively to achieve the specified control objectives. Management s assertion will be included in, or attached to, management s description of the system and documented within the report. Management s assertion should be based on suitable criteria. Management should select the criteria to be used to make their assertion and should state them within the assertion. A service auditor is precluded from issuing a report if management does not provide a written assertion. The standard provides outline guidance in this area, which should make this requirement straight-forward to implement. Management should have a reasonable basis for its assertion, which may be achieved through on-going monitoring activities that provide evidence of the design and operating effectiveness of controls. But there is no specific requirement for management testing as with Sarbanes Oxley. Management s representation letter signed at the completion of a SAS 70 engagement today covers the same ground as the required items within management s assertion. Therefore, provision of the assertion is not expected to incur costs at the service organisation. However, service organisations may wish to consider who will be responsible for making the assertion. Enhancing Trust and Transparency 3

6 Description of the system Difference from SAS 70 Similar Level of effort to implement Medium In addition to a written assertion, management is responsible for preparing its description of the service organisation s system ( the system ). The system is defined as the policies and procedures designed, implemented, and documented by management to provide customers with the services covered by the service auditor s report. Management s description should identify at a minimum, the following criteria (as applicable): Services covered, including as appropriate the classes of transactions processed; The procedures by which services are provided and details of the relevant records and supporting information; Period covered by the report; Relevant control objectives and related controls; Complementary user controls; Controls performed by the subservice organisation (inclusive reports); The process used to prepare reports provided to customers; Changes to the system during the period covered by the report; and Other aspects of the service organisation s control environment, risk assessment process, information and communication systems, and monitoring of controls, as defined by the Committee of Sponsoring Organisations (COSO) internal control framework that could be relevant to user entities. In many cases, a majority of the elements to be included in management s description of the system as required under ISAE 3402 have been included in existing SAS 70 reports. In such cases, there should not be a significant additional work effort required of the service organisation. 4 PricewaterhouseCoopers

7 Identification of risks to achieving control objectives Difference from SAS 70 Similar Level of effort to implement Low Similar to guidance under SAS 70, management s description of the system should specify control objectives and related controls. Management are expected to consider the risks that threaten the achievement of the control objectives, whether the controls do enough to mitigate those risks and whether the controls are consistently applied. ISAE 3402 allows for management to have a formal or informal process for identifying the relevant risks and does not require that management explicitly include such risks within the report. However, our perspective on leading practice is that management conduct and formally document their consideration of the relevant risks. As many companies have already performed this risk assessment as part of the creation of the control objectives and control activities for their historical SAS 70 efforts, identifying the relevant risks factors should not create significant additional work Subservice organisations Difference from SAS 70 Different Level of effort to implement Medium Consistent with SAS 70, ISAE 3402 allows the service organisation to describe the use of subservice organisations through either an inclusive or carve-out method of presentation. When using the inclusive method, management s description of the system should include a description of, and clearly distinguish, the services provided by the subservice organisation. Additionally, the subservice organisation is subject to the same requirements as the service organisation and should provide the following: A description of the related control objectives and controls at the subservice organisation; A written assertion, to be included in, or attached to, management s description of the service organisation s system; and A letter of representation. The requirement that the subservice organisation provide a written assertion, when employing the inclusive method, may present the greatest challenge, which management should proactively coordinate well in advance of a service auditor engagement. The representation letter signed at the completion of a SAS 70 engagement today, covers the same ground as the required items within the assertion. Enhancing Trust and Transparency 5

8 Using work of internal audit Difference from SAS 70 Moderate Level of effort to implement Medium The service auditor may use the work of internal audit or other independent controlrelated functions that has been performed independent of the service auditor s work to support their testing. However, there are often challenges in finding sufficient alignment of the scope and timing of work performed by internal audit or other independent control-related functions with that of the service auditor. If the service auditor is able to overcome such challenges and is able to use this work in performing their tests of controls, additional disclosure is required within the report to provide transparency on the use of internal audit. Such disclosure is not required when individual members of an internal audit or another control-related function are used in the more common direct assistance capacity (i.e. under the direction of the service auditor). 6 PricewaterhouseCoopers

9 Key Action Items The following are key action items for the service organisation to consider when implementing the new ISAE 3402 standard: Service auditor initiate discussions with service auditors to increase your understanding of the new standard and gain insight from the service auditor s perspective; Timing of adoption the standard is effective for reports with periods ending on or after June 15, For example, a twelve-month report period beginning July 1, 2010 would be issued under ISAE 3402; Management s assertion identify the risks that threaten achievement of control objectives, evaluate current control monitoring processes to determine if enhancements are necessary to support management s written assertion. Determine which members of management will be responsible for providing the assertion; System description re-visit existing descriptions of controls within current SAS 70 reports as a foundation for developing management s description of the service organisation s system, including control objectives, risks, and related controls; Subservice organisations if subservice organisations are to be included in management s description of the service organisation s system, determine whether to use the inclusive or carve-out method. If using the inclusive method, initiate discussions with the subservice organisation regarding their requirements under the new standard; and Communication plan establish a plan for communication of the new standard and for education of customer service teams, contract teams, sales teams, and customers. Re-visit and assess the impact on customer contracts, as necessary. Enhancing Trust and Transparency 7

10 Contacts Neil Hewitt Partner Tel: +44 (0) Richard Porter Partner Tel: +44 (0) Ian Armfield Partner Tel: +44 (0) Mark Garland Director Tel: +44 (0) David Woerndl Senior Manager Tel: +44 (0) PricewaterhouseCoopers

11

12 pwc.com This document has been prepared for the intended recipients only. To the extent permitted by law, PricewaterhouseCoopers LLP does not accept or assume any liability, responsibility or duty of care for any use of or reliance on this document by anyone, other than (i) the intended recipient to the extent agreed in the relevant contract for the matter to which this document relates (if any), or (ii) as expressly agreed by PricewaterhouseCoopers LLP at its sole discretion in writing in advance PricewaterhouseCoopers LLP. All rights reserved. PricewaterhouseCoopers refers to PricewaterhouseCoopers LLP (a limited liability partnership in the United Kingdom) or, as the context requires, other member firms of PricewaterhouseCoopers International Limited, each of which is a separate and independent legal entity.