isae3402 sas70 audit kenmerken en verschillen
DESCRIPTION
Kenmerken, overeenkomsten en verschillen ISAE 3402 met SAS 70 door T. Sikkema. www.hutaudit.nlTRANSCRIPT
ISAE 3402 - abstract
Some key concepts and the major differences when compared to SAS70Drs. T. (Temme) Sikkema RA – [email protected] – Netherlands – September 2009
The importance of Third Party Reporting 1
Outsourcing has become a strategic issue Cost reduction, return to core activities and increase of
flexibility are drivers for “user organisations” to source certain activities to service organisations
User organisations need assurance that the service organisation controls are properly designed, implemented and are working effectively
The importance of Third Party Reporting 2
The service organisation may receive multiple requests for annual audits from their clients
The service organisation may instead choose to share a Third Party Assurance Report regarding controls it deems relevant with their clients
Third Party Reporting: enter SAS70
SAS70 is the American standard for third party assurance that has been adopted around the globe
SAS70 enables the user organisation (and its auditors) to acquire assurance regarding the design and operating effectiveness of those controls they find relevant
SAS70 may enable the user organisation’s compliance to legal and internal requirements
SAS70 – key features 1
SAS70 addresses the financial reporting requirements of users of service organisations and is thus limited to controls regarding the processing of financial transactions
The actual SAS70 report is generally divided into three or four sections, depending on the type of engagement
There are two types of Service Auditor’s Reports: Type I and Type II
SAS70 – key features 2
A Type I report describes the service organisation’s description of controls at a specific point in time
A Type II report adds detailed testing of the service organisation’s controls over a minimum six month period
SAS70 – key features 3
SAS70 is an auditing standard and not a pre-determined set of standards that a service organisation must meet to “pass” the test
In a SAS70 audit the service organisation is responsible for describing the controls that will be disclosed in the service auditor’s report
The scoping of the audit is therefore a very essential phase
Generally tested types of processes
Control environment Control activities Risk assessment processes Information and communication processes Monitoring processes
Generally tested types of controls
Organizational controls Application development and maintenance controls Logical access controls Application controls System maintenance controls Data processing controls [Business continuity controls] – in a separate section of the
report, but no assurance given
SAS70 audit renders an opinion on:
Whether or not the service organisation’s description of controls is presented fairly
Whether or not the service organisation’s controls are designed effectively
Whether or not the service organisation’s controls are placed in operation as of a specified date
Whether or not the service organisation’s controls are operating effectively over a specified period of time (Type II engagements only)
Third Party Reporting: enter ISAE3402 1
ISA402 – Audit Considerations Relating to Entities Using Service Organisations
ISA402 gives guidance to user organisations and their auditors regarding the impact that service organisations have on the audit of the financial statement of the user organisation
However, ISA402 does not give any guidance to service auditors
Enter………ISAE3402
Third Party Reporting: enter ISAE3402 2
ISAE3402 – International Standard on Assurance Engagements 3402 – Assurance Reports on controls at a Third Party Service Organisation
Goal: create an international alternative for the American SAS70 standard, while increasing the usability of the report for a broader range of end users
ISAE3402 – key features 1
ISAE3402 does not limit the scope of the audit to control objectives for financial reporting requirements
Like SAS70, ISAE3402 is assertion-based Like SAS70, the ISAE3402 standard has two types of reports
(Type A and Type B) that have basically the same scope In addition to the auditor’s opinion, management of the
service organisation needs to provide a formal assertion, affirming its responsibilities for the controls in the report.This is a major difference when compared to SAS70
ISAE3402 – key features 2
ISAE3000 requires the service auditor to assess the suitability of criteria, and the appropriateness of the subject matter
ISAE3402 proposes a minimal set of such criteria Can the audit community make these criteria S.M.A.R.T.?