Aalborg Universitet. ISA 402 & ISAE 3402 Lessons Learned Berthing, Hans Henrik Aabenhus. Publication date: 2013

Similar documents
Citation for published version (APA): Berthing, H. H. (2014). Vision for IT Audit Abstract from Nordic ISACA Conference 2014, Oslo, Norway.

Aalborg Universitet. Cyber Assurance - what should the IT auditor focus on? Berthing, Hans Henrik Aabenhus. Publication date: 2014

Aalborg Universitet. Cloud Governance Berthing, Hans Henrik Aabenhus. Publication date: Document Version Preprint (usually an early version)

G24 - SAS 70 Practices and Developments Todd Bishop

Strategic IT audit. Develop an IT Strategic IT Assurance Plan

Hans Henrik Berthing, CPA, CISA, CGEIT, CRISC, CIA

Goodbye, SAS 70! Hello, SSAE 16!

INTERNATIONAL STANDARD ON ASSURANCE ENGAGEMENTS (ISAE) 3402 ASSURANCE REPORTS ON CONTROLS AT A SERVICE ORGANIZATION

TIS Section 9520, SSAE No. 16, Reporting on Controls at a Service Organization

Service Organization Control Reports

Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. Understanding SOC 3

Here comes SSAE 16 SAS 70 EVOLUTION: How will the new standard affect my business? How do I prepare to meet the new requirements?

FAQs New Service Organization Standards and Implementation Guidance

G24: Audits of Controls at a Service Organization: New Standards SSAE 16 and ISAE 3402 Duff Donnelly and Jeffrey Spivack, Grant Thornton LLP

The end of SAS70 what next for Performance Assurance?

Aalborg Universitet. Data Security, Data Breaches and Security Alerts Berthing, Hans Henrik Aabenhus. Publication date: 2012

MHM S PERSPECTIVE: CHANGES COMING TO SAS 70.KNOW THE FACTS

Understanding SOC Reports for Effective Vendor Management. Jason T. Clinton January 26, 2016

At a glance. A provision to require a written assertion from company management is the most notable difference between the two standards.

Reporting on Controls at a Service Organization

INTERNATIONAL STANDARD ON ASSURANCE ENGAGEMENTS 3000 ASSURANCE ENGAGEMENTS OTHER THAN AUDITS OR REVIEWS OF HISTORICAL FINANCIAL INFORMATION CONTENTS

The Changing SAS 70 Landscape Dan Hirstein Director Rebecca Goodpasture Senior Manager Deloitte & Touche LLP January 13, 2011

Service Organization Control (SOC) Reports Focus on SOC 2 Reporting Standard

Frequently asked questions: SOC 2 and 3

Comparison of ISA 330 with AS-402 Objectives and Requirements Only

ISSAI Planning an Audit of Financial Statements. Financial Audit Guideline

About the Presenter. Presentation Objectives. SaaS / Cloud Computing Risk Management AICPA Attest Alternatives

INTERNATIONAL FRAMEWORK FOR ASSURANCE ENGAGEMENTS CONTENTS

Farewell to SAS 70. What you need to know about the New Standard for Service Organization Reporting

End of the SAS 70 Era

Feeley & Driscoll, P.C. Certified Public Accountants / Business Consultants Visit us on the web: Or Call:

Shared Service System Audits: What User Management and Auditors Need to Know

SECTION I INDEPENDENT SERVICE AUDITOR S REPORT

Governance and Management of Information Security

Documentation of Use of a Type 2 Service Auditor s Report In an Audit of an Employee Benefit Plan s Financial Statements

Information for Management of a Service Organization

Tectonic Thinking Beim, Anne; Bech-Danielsen, Claus; Bundgaard, Charlotte; Madsen, Ulrik Stylsvig

INTERNAL AUDITING S ROLE IN SECTIONS 302 AND 404

Data Analytics Working Group Update

Service Organizations: Auditing Interpretations of Section 324

ISAE 3402 and SSAE 16 (replacing SAS 70) Reinforcing confidence through demonstration of effective controls

THE OFFICE OF THE INTERNAL AUDITOR STATUS UPDATE MARCH 11, 2014

INTERNATIONAL STANDARD ON REVIEW ENGAGEMENTS 2410 REVIEW OF INTERIM FINANCIAL INFORMATION PERFORMED BY THE INDEPENDENT AUDITOR OF THE ENTITY CONTENTS

Data Analytics Working Group Update

Reports on Service Organizations Where we ve been?

Ref: ED Responding to Non-Compliance or Suspected Non-Compliance with Laws and Regulations

Weighing in on the Benefits of a SAS 70 Audit for Payroll Service Providers

IS Audit and Assurance Guideline 2202 Risk Assessment in Planning

Massachusetts Bay Transportation Authority

SSAE 16 for Transportation & Logistics Companies. Chris Kradjan Kim Koch

Asset Manager Guide to SAS 70. Issue Date: October 7, Asset

How mature is the internal control framework at your service organisation? ISAE 3402 and SSAE 16: Reinforcing confidence through demonstration of

IESBA Technical Director Mr. Ken Siong. By 2 September, 2015

Aalborg Universitet. Energy upgrading measures improve also indoor climate Foldbjerg, Peter; Knudsen, Henrik Nellemose. Published in: REHVA Journal

Reporting on Control Procedures at Outsourcing Entities

Aalborg Universitet. Publication date: Document Version Også kaldet Forlagets PDF. Link to publication from Aalborg University

3.B METHODOLOGY SERVICE PROVIDER

ISA 200, Overall Objective of the Independent Auditor, and the Conduct of an Audit in Accordance with International Standards on Auditing

ISA 620, Using the Work of an Auditor s Expert. Proposed ISA 500 (Redrafted), Considering the Relevance and Reliability of Audit Evidence

Office Hours: By Appointment COURSE DESCRIPTION AND LEARNING GOALS

Please feel free to call on our organizations if we can be of assistance in any way on further deliberations, task forces or committees.

SSAE 16 and ISAE 3402: Preparing for New Service Company Control Standards Mastering Requirements Governing Your Next Controls Report

COSO Internal Control Integrated Framework (2013)

Vendor Management Best Practices

Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained

Management s Discussion and Analysis

WELCOME TO SECURE

G13 USE OF RISK ASSESSMENT IN AUDIT PLANNING

Internal Control Integrated Framework. May 2013

U & D COAL LIMITED A.C.N BOARD CHARTER

Addressing Disclosures in the Audit of Financial Statements

Internal Auditing Guidelines

New Audit Standards: How Will They Impact the Audit

Service Organization Control (SOC) Reports

ALLEGIANT TRAVEL COMPANY AUDIT COMMITTEE CHARTER

Risk Management Advisory Services, LLC Capital markets audit and control

Sarbanes-Oxley Section 404: Management s Assessment Process

Service Organizations and the Internal Audit function conference Institute of Internal Auditors in Israel

Effective Monitoring of Outsourced Plan Recordkeeping and Reporting Functions

Guidance Statement GS 007 Audit Implications of the Use of Service Organisations for Investment Management Services

STAFF QUESTIONS AND ANSWERS

Weighing in on the Benefits of a SAS 70 Audit for Third Party Data Centers

Impact of New Internal Control Frameworks

The auditors responsibility to consider fraud in an audit of financial statements

OUTSOURCING AND SERVICE AUDITOR S REPORTS

Planning an Audit 255

COBIT 5 Introduction. 28 February 2012

SUPERVISORY AND REGULATORY GUIDELINES: PU GUIDELINES ON MINIMUM STANDARDS FOR THE OUTSOURCING OF MATERIAL FUNCTIONS

Background. Audit Quality and Public Interest vs. Cost

Understanding ISO and Preparing for the Modern Era of Cloud Security

Information Security Management Systems

EPCS Third party audits the CPA perspective. 13 September 2012

COBIT 5 for Risk. CS 3-7: Monday, July 6 4:00-5:00. Presented by: Nelson Gibbs CIA, CRMA, CISA, CISM, CGEIT, CRISC, CISSP ngibbs@pacbell.

COSO s 2013 Internal Control Framework in Depth: Implementing the Enhanced Guidance for Internal Control over External Financial Reporting

Internal Audit Quality Assessment. Presented To: World Intellectual Property Organization

RISK AdvISoRy SeRvIceS MINING CREDENTIALS

Questions from GAQC Conference Call The Impact of SAS 112 on Governmental Financial Statement Audits January 4, 2007

Effectively using SOC 1, SOC 2, and SOC 3 reports for increased assurance over outsourced operations. kpmg.com

IT Vendor Due Diligence. Jennifer McGill CIA, CISA, CGEIT IT Audit Director Carolinas HealthCare System December 9, 2014

California ISO Audit of the Financial Statements for the Year Ending December 31, 2015 December 18, 2015

Transcription:

Aalborg Universitet ISA 402 & ISAE 3402 Lessons Learned Berthing, Hans Henrik Aabenhus Publication date: 2013 Document Version Early version, also known as pre-print Link to publication from Aalborg University Citation for published version (APA): Berthing, H. H. (2013). ISA 402 & ISAE 3402 Lessons Learned. Abstract from Nordisk ISACA Conference 2013, Stockholm, Sweden. General rights Copyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright owners and it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights.? Users may download and print one copy of any publication from the public portal for the purpose of private study or research.? You may not further distribute the material or use it for any profit-making activity or commercial gain? You may freely distribute the URL identifying the publication in the public portal? Take down policy If you believe that this document breaches copyright please contact us at vbn@aub.aau.dk providing details, and we will remove access to the work immediately and investigate your claim. Downloaded from vbn.aau.dk on: January 16, 2017

ISAE 3402/ISA 402 Lessons Learned Partner Hans Henrik Berthing, Statsautoriseret Revisor, CIA, CGEIT, CRISC, CISA

Agenda Background ISA 402 & ISAE 3402 ISA 402 Entity Users Auditor Period covered by audit report and period after the audit report Service auditors responsibilities Internal Audit Management of service organizations System description & Control objectives Subservice organizations ISAE 3402 >< ISAE 3000 and ISRS 4400 2

Hans Henrik Berthing Married with Louise and dad for Dagmar and Johannes CPA, CRISC, CGEIT, CISA and CIA ISO 9000 Lead Auditor Partner and owner for Verifica Financial Audit, since 1994 and IT Assurance since 1996 Member of FSR IT Advisory Board Instructor, facilitator and speaker Senior Advisor & Associated professor Aalborg University (Auditing, Risk & Compliance) 3

Why service audit reports Many business events have altered the landscape since the issuance of Service Audit Reports Increased outsourcing including usage of shared service centers Continued globalization and global processing models Increased regulation and enhanced risk management requiring service organization customers to obtain controls comfort related to outsourced activities impacting their financial statements, regulatory requirements and overall business risk management SAS No. 70 has served as the de facto standard on reporting on controls at a service organization on a global basis. In DK RS3411 Other territories have steadily sought to adopt their own service Absence of a global standard(s) complicates engagements that cross borders Potential to take advantage of differing provisions within various third party control standards 4

User entity and service organization User entity Service orgnazation Customer service EDI Back-up Payroll Order/CRM system Sales Accounting system Bank Accountant Operator ISA 700, ISA 315, ISA 330 & ISA 402 ISAE 3000, ISAE 3402 & ISRS 4400 5

ISA 402 and ISAE 3402 A single service provided by a service organization can have direct relevance to the quality of financial reports prepared by entities around the globe. Effective controls for delivering the service are therefore essential. This new standard sets a global benchmark for reporting on controls at a service organization, thereby helping to fulfill the needs of those who use such services and their auditors under International Standards on Auditing. IAASB Chair Arnold Schilder A service auditor s standard A new standard that will guide service organization auditors in the conduct of an examination of, and the resultant reporting on, controls at a service organization A user auditor s standard An auditing standard that will guide user auditors in consideration of internal control when processing is performed by a service organization 6

Background In auditing a user entity s financial statements, the user auditor needs to obtain evidence to support assertions in the user entity s financial statements that are affected by information provided by the service organization. User entity is able to implement controls at the user entity over the service performed by the service organization. User entity relies on the service organization to initiate, execute, and record the transactions. Visit the service organization and test the service organization s controls that are relevant to the user entity s internal control over financial reporting. Another alternative is for the service organization to give a ISAE3402 Audit Report, which report on the fairness of the presentation of the description, the suitability of the design of the controls, and in certain engagements, the operating effectiveness of the controls. 7

Perspective of the User Entity Whether driven by regulatory requirement or by the board of directors focusing on corporate governance, the design and implementation of internal control over financial reporting have become key responsibilities for management. This trend toward strong internal control has occurred simultaneously with a continuing trend to outsource functions that may be significant to an organization s operations. As a result, many enterprises have found that they have transferred the performance of many of their key controls to third-party service organizations. However, while the execution of these controls can be outsourced, management s responsibility for maintaining an effective system of internal control cannot be outsourced. 8

User Auditor Standard (ISA 402) International Standard on Auditing No. 402 (ISA 402), Audit Considerations Relating to an Entity Using a Service Organization. This ISA deals with the user auditor s responsibility to obtain sufficient, appropriate audit evidence when a user entity uses the services of one or more service organizations. Expands on how the user auditor obtains an understanding of the user entity, including internal control relevant to the audit, sufficient to identify and assess the risks of material misstatement and in designing and performing further audit procedures responsive to those risks. The use of a report on the controls of a service organization should provide the user auditor with an understanding of the nature and significance of the services provided and the relevant impact to the audit in identifying and assessing the risks of material misstatement. 9

Two Types of Engagements Two types of engagements by service auditor: A type 2 engagement in which the service auditor reports on the fairness of the presentation of management s description of the service organization s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period. A type 1 engagement in which the service auditor reports on the fairness of the presentation of management s description of the service organization s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date. 10

Type 1 or Type 2 Report The user entity should note whether the ISAE 3402 report is a Type 1 report or a Type 2 report. Type 2: Controls operated effectively during the specified period of time. Type 1: Do not address the operating effectiveness of controls, nor do they provide an opinion throughout a period of time. Type 2 report is generally preferable (unless the user entity wants only to understand the nature of the controls at the service organization and whether they are adequately designed). Type 2 report is necessary if the user auditor plans to use the report for reliance on internal control or the report is to be used by user entity management or the user entity s auditor for the assessment of internal control over financial reporting. 11

Period of Coverage The Type 2 report opinion clearly identifies the period of coverage. Less than six months of the fiscal year: Likely need to obtain an updated report or perform additional testing to complete the user entity s assessment of internal control over financial reporting. Period of coverage is not near the user entity s year end: Consider additional testing of controls at the service organization. Elapsed time between the end of the period of coverage and the user entity s year end: Consider a representation letter ( bridge letter ) from the service provider. Significantly changed since the most recent ISAE 3402 report, Management is aware of any design or operational control deficiencies during the interim period, Any other changes or matters that may affect the conclusions within the ISAE 3402 report. 12

Complementary user entity controls An ISAE 3402 report identifies the controls designed to achieve the control objectives, including potential controls that the service organization intends for the user entity to implement (referred to as complementary user entity controls ). While the specified controls should address the risks that threaten the achievement of the control objective for most user entities, individual user entity needs may vary. As a result, user entities should consider the risks that would threaten the achievement of the control objectives from the perspective of the user entities and consider whether the controls identified adequately address those risks. If the user entity believes that any risks are not addressed by the service organization s controls, the user entity should discuss those risks with the service organization. 13

Evaluate the Service Auditor Tests of Controls The service auditor designs tests of controls to meet the needs of the typical user entity Professional opinions may vary on the sufficiency of tests of controls Focus on the key controls that achieve the control objectives and consider whether the tests performed by the service auditor are sufficient to evaluate the effectiveness of the controls Evaluate service auditor s professional competence and independence from the service organization Certain control testing techniques inherently provide more assurance. Reperformance of a control generally > inquiry and observation. Independent tests of controls by the service auditor > than tests performed by internal audit 14

Contracts User entities may need or choose to, modify their contracts with the service organizations as the standards that are being reported undergo change. Question to ask is whether the current contract requires that a specific type of Audit report is required, eg. RS3411 (DK) report be provided at least annually. If so, user entities may want to discuss this with their legal counsel and others to determine whether a new contract is needed or whether an addendum to the current contract is possible to modify the terms to accommodate the new reporting requirements 15

Requirements for a service auditors engagement Obtain a written assertion from management of the service organization about the subject matter of the engagement. Type 2 engagement obtain a written assertion by management about whether in all material respects, and based on suitable criteria Management s description of the service organization s system fairly presents the service organization s system that was designed and implemented throughout the specified period, The controls related to the control objectives stated in management s description of the service organization s system were suitably designed throughout the specified period to achieve those control objectives, and The controls related to the control objectives stated in management s description of the service organization s system operated effectively throughout the specified period to achieve those control objectives. Not use evidence obtained in prior engagements The service auditor s examination report must contain specific elements 16

Service Auditor use of Internal Audit Service auditor permitted to use the work of an internal audit function. Must comply with the requirements in the Standards that provide guidance to the service auditor. Type 2 reports required to describe the work performed by the internal audit function, and procedures used to test that work. Narrative description summarizing the processes tested by internal audit, the nature of the work performed and the procedures performed by the service auditor to test that work. This description can be provided in the introduction to the service auditor test section Attribution of individual tests in the service auditor s testing section of the report to internal audit, along with a description of the specific procedures performed by the service auditor to test the work of internal audit Internal auditors direct assistance to the service auditor, planned and supervised by the service auditor, need not to be disclosed. 17

Service organization responsibilities Service organizations have five primary responsibilities: 1. Prepare and present a complete an accurate description of the system 2. Specify the control objectives of the system and state those control objectives in the description of the system 3. Identify the risks that threaten the achievement of the control objectives (although these risks are not included in the service organization report) 4. Design, implement and maintain controls to provide reasonable assurance that the control objectives will be achieved 5. Provide a written assertion to accompany the description as to the completeness and accuracy of the information provided and state the criteria used as a basis for making the assertion 18

Describing the service organization s system The service organization s description of its system includes: Description of the services provided, including classes of transactions processed. Description of the procedures by which services are provided, including transaction initiation, authorization, recording, processing and correction.. Description of the capturing of significant events and conditions other than transactions. Description of the process used to prepare reports or information provided to user entities. Description of control objectives and related controls, including complementary user entity controls. Description of aspects of the service organization s control environment, risk assessment process, information and communications systems, control activities and monitoring controls. (known from ISA 315) 19

ERM - COSO 20

Other responsibilities Management s written assertion in the report. The assertion is a separate component of the report, signed by management. The assertion communicates: Service organization management s responsibility for the description of the system Achievement of the evaluation criteria of the description of the system Identifying risks that threaten the achievement of the control objectives. The New Standards require the service organization to support its assertion by: Identifying the risks that threaten the achievement of the control objectives Determining whether the controls would, if operating as described, provide reasonable assurance that those risks would not prevent the control objectives from being achieved 21

Management Assertion Assertion would accompany description of service organizations description of controls Management is responsible for selecting criteria, for determining whether it is appropriate, and it muse be available to the intended users Nature, timing and extent of service auditor procedures would be expected to be the same IAASB believes assertion-based engagements are more appropriate because of the explicit acknowledgement by management of its responsibility for the matters contained within the assertion IAASB specifically sought perspective where situations may arise where it isn t possible or practicable for management to provide an assertion 22

Subservice organizations A subservicer is a service organization used by another service organization Carve-out or inclusive methods are available for dealing with services provided by subservice organizations in the report. Identify all subservice organizations that affect user entities financial statements. Does subservice organizations have existing service organization reports or would be willing to provide one to your customers. (Cheaper and easier to provide your customers with a copy and limit your report to only your processes). Discuss reporting strategy with subservice organization. Assistance and cooperation with the subservice organization Obtain agreement with your subservice organization regarding strategy, and get this agreement in writing. If you are a subservice organization, discuss with the primary service organization how the needs of their clients will be met. 23

Inclusive subservice organizations If a service organization wishes to include a description in the report of a subservice organization s role and controls (inclusive method), the subservice organization must prepare a management assertion report similar to the assertion report prepared by the service organization s management Getting subservice organization management to agree to provide this assertion may be more difficult than obtaining a letter of representations. 24

Carve out method Nature and functions of the subservice organization are described, Control activities performed by the subservice organization are not included in the description of controls of the system. Use of the carve-out method of reporting is common, With the standards requiring an assertion when using the inclusive method, might be an increased use of the carve-out method User entities should give thorough deliberation to the types of services that are being carved out and how they relate to the user entity. Extent of interaction between the subservice organization and the service organization Subservice organization has a service auditor report performed, User entity is able to obtain the service auditor report Additional procedures/oversight is needed related to the services being provided by the subservice organization 25

Other audit reports ISAE 3402 ISAE 3000 ISRS 4400 26

Summary Plan the audit both user entity and Service Organization Timing of the audit report Description of system including control objectives and controls Complimentary controls Subservice organizations Service auditors competence and independence Standards used by service organizations and Service Auditor 27

Questions Hans Henrik Berthing, Statsautoriseret revisor CGEIT CRISC CISA CIA Phone +45 35 36 33 56 Mobile 22 20 28 21 E-mail hhberthing@verifica.dk Verifica Statsautoriseret Revisionsvirksomhed 28

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information