OUTSOURCING AND SERVICE AUDITOR'S REPORTS
FREEDOM TO DO BUSINESS
OUTSOURCING AND SERVICE AUDITOR'S REPORTS

SERVICE AUDITOR'S REPORTS ARE GROWING IN IMPORTANCE, BUT WITH TECHNICAL TERMINOLOGY AND STRINGENT REQUIREMENTS, THEY CAN BE CONFUSING. BDO RISK ADVISORY SERVICES HAS PUT TOGETHER THIS GUIDE TO HELP YOU UNDERSTAND SERVICE AUDITOR'S REPORTS AND TO MATCH THEM TO THE NEEDS OF SERVICE ORGANIZATIONS.

MORE KNOWLEDGE FOR YOU AND YOUR AUDITORS
Our Service Auditor's Reports give your clients and their auditors an in-depth understanding of the internal controls within the Service Organization.

OUTSOURCING
Internal controls are one of the core competencies of Service Organizations and external providers. Entrusting part of a company's system of internal controls to an external service provider offers several benefits. By outsourcing certain functions, organizations gain access to a much broader range of skill sets and to specialty services that bring best-practice knowledge to the client company, and they achieve economies of scale and economic efficiencies. An outsourced function generally has a broader perspective and can provide benchmarks that are not otherwise available in-house. Outsourcing firms have experience with many systems and situations and can provide more precise metrics. Outsourcing also allows management to stay focused on core business operations rather than on managing and maintaining non-core business processes.

Outsourcing can, however, substantially increase an organization's risk if the outsourcing relationship and the associated internal controls are not managed appropriately. Outsourcing transfers the execution of an activity, not the responsibility for it: the User Organization remains accountable for the controls over the outsourced process.
WHAT IS A SERVICE AUDITOR'S REPORT?
Service Auditor's Reports are designed to provide information and assurance about controls within a Service Organization to User Organizations (clients) and their auditors. The audit underlying a Service Auditor's Report is conducted in accordance with the standards issued by the International Federation of Accountants (IFAC). ISAE 3402 (International Standard on Assurance Engagements 3402, issued by IFAC's International Auditing and Assurance Standards Board) contains the professional standards used by a Service Auditor to report on the processing of transactions by a Service Organization, for use by management, clients and other auditors.

The Value of a Service Auditor's Report
Service Auditor's Reports are primarily used by the Service Organization, its clients and the clients' auditors. The clients' auditors can use the report to gain an understanding of the internal controls in operation at the Service Organization. Depending on the type of report, the clients' auditors may be able to rely on the Service Organization's internal controls when planning and executing their own audit plans.

MORE TIME, LOWER FEES
With our Service Auditor's Reports, your exposure to client on-site auditors can be greatly reduced.

The Service Auditor's Report may also be used by current clients, prospective clients, stakeholders and other interested parties to gain an understanding of the internal control environment of the Service Organization. A Service Auditor's Report provides many benefits to the Service Organization; the main reasons for obtaining one are the following.

The business model of a Service Organization is to have multiple clients. If the outsourced activities are material, some or all of the clients' auditors will visit the Service Organization. A properly developed Service Auditor's Report minimizes the need to deal with client auditors individually, which can be a very intrusive experience.
The Service Auditor's Report can also reduce client audit fees, and the cost of the process is normally passed on to the clients through service charges.

A Service Auditor's Report can help the Service Organization demonstrate that it has processes and procedures in place to ensure that the outsourced services are managed properly. This can be a key factor in obtaining new business. Most requests for proposals nowadays require a Service Auditor's Report from the Service Organization.

The current compliance and governance environment for public companies, under the influence of the Sarbanes-Oxley Act and the Dutch Corporate Governance Code (Tabaksblat Code), requires that any outsourced services are managed effectively with the proper internal controls in place. The Service Auditor's Report is the vehicle by which the arrangement is managed. For any material outsourcing arrangement where the User Organization is a public company, the report has become a de facto requirement, regardless of whether the Service Organization itself is a private company.

Many organizations choose to focus on their core activities and therefore outsource activities that do not belong to the core. Because outsourcing does not relieve a User Organization of its responsibility for the outsourced activities, User Organizations want to retain control over them. They often rely on Service Level Agreements and Service Level Reports. A Service Auditor's Report gives more certainty and provides an objective, independent view of whether the Service Organization complies with these Agreements.

Service Auditor's Reports can also be useful to the User Organization's chartered accountant (external auditor) and to regulatory authorities. The process of obtaining a Service Auditor's Report is also a very effective way of identifying efficiency issues as well as duplication of controls.
BENEFITS OF A SERVICE AUDITOR'S REPORT
Satisfy client audit requirements
Comply with regulatory requirements
Satisfy contract and service level agreement requirements
Document and test the internal control structure
Streamline business processes and controls

Type 1 versus Type 2
A Type 1 report is a report on the controls placed in operation as at a specific date. A Type 2 report is a report on the controls placed in operation and on tests of the operating effectiveness of those controls during a specified period of time. The period covered by a Type 2 report is generally 6 months or 1 year. Since the Type 2 report is an extension of the Type 1 report, if you choose a Type 1 report and later switch to Type 2, the difference is the application of tests of the operating effectiveness of specific controls for the audit period. Some clients have opted for a Type 1 report in the first year and a Type 2 report in subsequent years. This has the advantage of allowing you to review and improve your controls before undergoing the testing required for a Type 2 report.

Service Auditor's Report Contents
A Service Auditor's Report typically includes several sections.

For Type 1:
I The service organization's description of its system;
II A written assertion by the service organization that, in all material respects, and based on suitable criteria:
a The description fairly presents the service organization's system as designed and implemented as at the specified date;
b The controls related to the control objectives stated in the service organization's description of its system were suitably designed as at the specified date; and
III A service auditor's assurance report that conveys reasonable assurance about the matters in (II)a-b above.
For Type 2:
I The service organization's description of its system;
II A written assertion by the service organization that, in all material respects, and based on suitable criteria:
a The description fairly presents the service organization's system as designed and implemented throughout the specified period;
b The controls related to the control objectives stated in the service organization's description of its system were suitably designed throughout the specified period; and
c The controls related to the control objectives stated in the service organization's description of its system operated effectively throughout the specified period; and
III A service auditor's assurance report that:
a Conveys reasonable assurance about the matters in (II)a-c above; and
b Includes a description of the tests of controls and the results thereof.

The Service Organization is responsible for documenting:
The service organization's description of its system;
A written assertion by the service organization that, in all material respects, and based on suitable criteria:
1 The description fairly presents the service organization's system as designed and implemented throughout the specified period;
2 The controls related to the control objectives stated in the service organization's description of its system were suitably designed throughout the specified period; and
3 The controls related to the control objectives stated in the service organization's description of its system operated effectively throughout the specified period.
The Service Auditor is responsible for:
An opinion as to whether the Service Organization's description of its controls fairly presents the controls that have been placed in operation as at the specified date (or throughout the reporting period, for a Type 2 report);
An opinion as to whether the Service Organization has identified the risks that threaten achievement of the control objectives stated in the description of its system, and whether the controls identified in that description would, if operated as described, provide reasonable assurance that those risks do not prevent the stated control objectives from being achieved;
Other information the Service Auditor may provide.
For a Type 2 Report:
An opinion that the controls tested operated with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives were achieved during the audit period;
Determining which controls are, in his or her judgment, necessary to achieve the control objectives, and the nature, timing and extent of the tests of the selected controls;
A description of the tests of operating effectiveness of controls and the results of those tests.

BDO'S APPROACH & FRAMEWORK
BDO's approach to a Service Auditor's Report engagement is to provide a team of professionals who specialize in internal controls and in technology risk and security. We believe this gives your organization a high-quality, cost-effective Service Auditor's Report.

The Solution
Our approach has always been to develop a unique solution for each client.

Readiness Assessment
A readiness assessment is an evaluation of the client's readiness for a successful Type 1 or Type 2 Service Auditor's Report audit. This assessment also determines the needs of the client and the road map to a successful project. This type of engagement answers questions such as:
Does the client need a Service Auditor's Report?
What are the major stumbling blocks to achieving a successful Service Auditor's Report?
What are the costs of such an engagement, and how can these costs be minimized?
What other alternatives does the client have?
When is the earliest that a Service Auditor's Report could be successfully executed?
Who will draft the control objectives, control descriptions and other aspects of the report?

Best practices

Specified Audit Procedures
In some cases a specified procedures report can be a less costly alternative. This report provides third-party verification, or comfort, that procedures or processes at the organization are working as intended.
The scope of these engagements can be limited. To achieve this, the engagement focuses on key risks or processes and might not cover all concerns of existing or potential clients as a Service Auditor's Report would.

Type 1 or Type 2 Service Auditor's Report
As outlined earlier, this provides independent verification, either at a specific point in time or over a period of time, that internal controls are in place to achieve specific objectives.

An Independent Review of Internal Controls
This review is conducted in accordance with international standards set by IFAC and the Institute of Internal Auditors (IIA). It provides management with an assessment of the design and operating effectiveness of controls in meeting the operating, reporting and compliance objectives set by the organization.

SERVICE AUDITOR'S REPORT TERMINOLOGY
User Organization: An entity that has engaged a Service Organization for a service.
User Auditor: The auditor who reports on the financial statements of the User Organization.
Service Organization: An entity that provides services to a User Organization.
ISAE 3402: International Standard on Assurance Engagements number 3402, an internationally accepted assurance standard from the International Federation of Accountants (IFAC). The format of the report is fixed and gives detailed information about the internal controls.
Service Auditor: The auditor who reports on and tests the controls of a Service Organization.
Service Auditor's Report: An independent report issued by a Service Auditor on the internal controls of a Service Organization.
TPM (Third Party Mededeling, third-party statement): The format of a third-party statement is not prescribed, unlike that of an ISAE 3402 or SAS 70 report.
Third Party Certification: A procedure by which a third party (an independent auditor) gives written assurance that a product, process or service conforms to specified requirements over a period of time.
THE AUDIT PROCESS
The general steps in a Service Auditor's Report process follow the traditional audit approach but may differ based on the Service Organization's current control environment. A typical engagement includes:
1 Consulting with management and the parties involved to gain an understanding of the Service Organization's business processes, risks, control environment and control components.
2 Providing guidance to management on the adequacy of their risk assessment, control objectives and controls, as these relate to their environment and industry, prior to testing.
3 Performing on-site testing at various points during the reporting period to determine whether the controls have been placed in operation and, for Type 2 reports, whether they operated effectively. Testing typically includes inquiry, inspection of documents and records, and observation of activities. The extent of testing varies with the scope of the report (including the Type and the period covered).
4 Preparing a draft report to be reviewed by the Service Organization for accuracy and completeness.
5 Delivering a management letter to senior management covering any control deficiencies uncovered during the course of the audit.
6 Issuing the Service Auditor's Report in hardcopy and electronic format.

SUPPORTIVE IT STRATEGIES
At BDO, you can rely on professionals who understand information technology risks and rewards and the alignment of IT with business objectives.
AUDIT FRAMEWORK
With our experience in preparing Service Auditor's Reports, we have developed an efficient approach that reduces your time commitment. You receive a complete Service Auditor's Report that covers the requirements of your clients, their auditors and other regulatory bodies. We can also provide you with observations to improve your internal controls and operational efficiency. The following is the framework and approach followed by BDO in completing Service Auditor's Report engagements:

BDO ADVANTAGE
Boutique-level responsiveness: We tailor our approach, not just our deliverables.
Pragmatic methodology: Our customized, flexible methodology enables us to step in at any stage.
Experienced professionals: Our team includes experienced professional staff with a balanced mix of CA firm, IT and industry experience.
CA firm perspective: As a public accountant, we have a deep understanding of and sensitivity to your external auditor's requirements.
FREQUENTLY ASKED QUESTIONS

What is Sarbanes-Oxley 404 and how does it relate to ISAE 3402 reporting?
In July 2002, the United States Congress passed the Sarbanes-Oxley Act ("the Act") into law. The Act calls for the formation of a Public Company Accounting Oversight Board (PCAOB) and specifies several requirements, including management's annual assertion that internal controls over financial reporting are effective (Section 404). Under Section 404, the independent auditor of the organization is required to opine on management's assertion over internal control, in addition to giving the auditor's opinion on the fair presentation of the organization's financial statements.

In order for management to make its annual attestation on the effectiveness of its internal control, management is required to document and evaluate all relevant controls. If the organization uses a service provider to process transactions, host data or perform other significant services, management will look to the Service Organization for information on the design and operating effectiveness of its controls. Management can obtain a Service Auditor's Report from the Service Organization to gain an understanding of the Service Organization's controls and their effectiveness, and to derive the required assurance.

REGISTERED TO SERVE YOU
Public accountants like BDO must register with the Autoriteit Financiële Markten (AFM) and follow the standards of the International Federation of Accountants (IFAC). BDO's Registered EDP Auditors are subject to the regulator's regulations and must submit to its inspection rules. In addition, they are registered with NOREA (the professional association for IT auditors in the Netherlands) and must comply with the NOREA Code of Ethics.

Who can perform a Service Auditor's Report?
Service Auditor's Reports can only be performed by independent registered auditors.
Professional audit firms that issue Service Auditor's Reports must adhere to specific professional standards established by IFAC or by the American Institute of Certified Public Accountants (AICPA). Firms are required to follow specific guidance on the planning, execution and supervision of the audit procedures. In addition, firms are required to undergo a peer review to ensure that their audits are conducted in accordance with generally accepted auditing standards.

Is there a list of standard risks, control objectives and controls?
Since Service Organizations are responsible for assessing their own risks, defining their control objectives and describing their controls, there is no published list of standard control objectives and controls. Generally, the control objectives are specific to the Service Organization and its customers. A Service Organization may consult its Service Auditor for guidance on the control objectives.

What are the differences between Type 1 and Type 2 ISAE 3402 audits?
Type 1 ISAE 3402 audits opine on controls that are in place as at a point in time. The opinion deals with the fair presentation of the controls and with the design of the controls in terms of their ability to meet the defined control objectives. In addition, the auditor assesses whether the service organization has identified the risks that threaten achievement of the control objectives stated in the description of its system. Since these reports only provide assurance as at a single date, they are of limited value to third parties.

Type 2 ISAE 3402 audits opine on controls that were in place over a period of time, typically six months or more. The opinion deals with the fair presentation of the controls, the design of the controls with regard to their ability to meet the defined control objectives, and the operating effectiveness of those controls over the defined period. Third parties are better able to rely on these reports because verification of these matters is provided for a substantial period of time.
Does the entire organization have to be audited?
No. The Service Auditor's Report is risk-based and should focus on the control environment surrounding the services provided to customers. The Service Auditor's Report can be customized to identify specifically the data centers, operating environments and applications covered by the audit. An organization may have many business units while only one processes transactions or provides data processing services for its customers.

How are Service Auditor's Reports generally distributed?
The result of an ISAE 3402 audit engagement is the issuance of a Service Auditor's Report. The report is provided to the Service Organization for distribution to its customers (User Organizations), User Auditors and other parties. The Service Auditor's Report is usually distributed in hard copy or electronically.

Choose a partner who sees things differently.
www.bdo.nl/ras

MORE INFORMATION
As part of our value-added service, BDO offers a complimentary needs and requirements assessment. This gives you an opportunity to identify and review your risk advisory requirements with our team of professionals.

BDO Audit & Assurance B.V.
Central Office phone +31(0)88 BDO IT AC (088-236 48 22)
e-mail it@bdo.nl

CALL US, SEE WHAT WE CAN DO
We encourage you to contact us to learn more about our services and to meet our team.

BDO Profile
27 offices in the Netherlands
BDO Member Firms have more than 1,000 offices in over 100 countries
5th largest accounting and advisory network worldwide
WWW.BDO.NL

Colophon
This publication has been carefully prepared, but it has been written in general terms and should be seen as broad guidance only. The publication cannot be relied upon to cover specific situations and you should not act, or refrain from acting, upon the information contained therein without obtaining specific professional advice. Please contact BDO Audit & Assurance B.V. or BDO Risk Advisory Services to discuss these matters in the context of your particular circumstances. BDO Audit & Assurance B.V. and BDO Risk Advisory Services, their partners, employees and agents do not accept or assume any liability or duty of care for any loss arising from any action taken or not taken by anyone in reliance on the information in this publication or for any decision based on it.

BDO is a registered trademark owned by Stichting BDO, a foundation established under Dutch law, having its registered office in Amsterdam (the Netherlands). In this publication BDO is used to indicate the organisation which provides professional services in the field of accountancy, tax and consultancy under the name BDO. BDO Risk Advisory Services is a registered trade name owned by BDO Consultants B.V. in Eindhoven, The Netherlands. BDO Audit & Assurance B.V. and BDO Consultants B.V. are members of BDO International Ltd, a UK company limited by guarantee, and form part of the worldwide network of independent legal entities, each of which provides professional services under the name BDO. BDO is the brand name for the BDO network and for each of the BDO Member Firms.

04/2011 - IT1101