Colum Roche, Risk Advisory
Organisations can take steps to ensure that annual assurance engagements continue to add value year-on-year.
The annual requirements for organisations to undergo audits have been steadily increasing for a number of years. The traditional statutory audit is now supplemented by comprehensive and stringent assurance engagements required by regulators, clients and other interested third parties. In addition – depending on the organisation – internal audit, compliance or SOX programmes may add further to the burden.
As a result, organisations have a significant challenge to complete these audits efficiently while not disrupting ‘business as usual’. This article outlines the common challenges faced by organisations in accommodating the ever-increasing assurance engagement requirements and provides some tips to ensure that these annual examinations provide ongoing benefit and added value.
Background and context to assurance reporting
Third-party assurance reporting is a broad-ranging activity that is being performed across the board in Irish companies in both industry and financial services, and more recently in public sector organisations. It is useful to first define the types of annual assurance engagements that organisations face, how these have increased in the past number of years, and how these requirements are likely to increase in the future.
Third-party assurance reporting is traditionally rooted in SOC1 reporting, where assurance is given to clients and user auditors of service organisations on controls relating to financial reporting. These assurance engagements are usually conducted under one of two specific assurance engagement auditing standards, namely the International Standard on Assurance Engagements 3402 (ISAE3402) or the Statement on Standards for Attestation Engagements 18 (SSAE18).
In recent years, there has been a significant increase in the number of other assurance engagements being performed to provide assurance to regulators and other stakeholders – such as parent companies and boards of directors or audit committees – on a range of topics including regulatory requirements, the output of complex model calculations and IT general controls. There are a number of standards open to auditors to provide this type of assurance, depending on the jurisdiction. However, the international standard these assurance engagements are most commonly performed under is the International Standard on Assurance Engagements 3000: Assurance Engagements Other than Audits or Reviews of Historical Financial Information (ISAE3000). The reformed client asset regulations and newly developed investor money regulations examinations are examples of increased regulatory reporting demand completed under this framework in the past number of years. MiFID II includes a provision for a client asset examination, so it is likely that the number of organisations requiring these reports will increase in the coming year.
SOC2 provides a mechanism to seek assurance on broader service organisation controls, where organisations can obtain assurance on one or more of the trust principles defined by the American Institute of Certified Public Accountants (AICPA), which cover security, availability, processing integrity, confidentiality and/or privacy. While the use of SOC2 has been slower off the mark in Ireland, it has become an important source of assurance for organisations throughout the world and it is only a matter of time before this happens locally. There is also a growing demand for organisations to obtain assurance in areas such as cybersecurity and cloud security, which can be catered for through a SOC2+ report. In addition, with the General Data Protection Regulation (GDPR) having come into effect in May, it is not a stretch to expect that organisations may consider it important to obtain some formal annual assurance on their compliance with GDPR. This would fall into the assurance reporting category that can also be completed under a SOC2+ or ISAE3000-type report.
It is clear that regulation, or the requirement to get assurance on the control environment, is not going away. Organisations need to embrace it and ensure that they get maximum value from assurance engagements.
Challenges of assurance engagements
The annual requirement to conduct assurance engagements causes significant challenges to organisations. The main challenges include:
- Resources and timing: the scope of the work is generally quite significant and often requires auditors to complete both interim and final audit testing programmes. Depending on the scale of the work, auditors may be on site for three to eight weeks of the year for fieldwork, and a further outlay of time is required to conclude and finalise the reports. Multiple key stakeholders in the organisation can be affected by having to provide time and resources for the provision of documentation and for answering, following up and investigating queries from the auditors. In addition, there can often be a significant outlay of senior management time to organise the logistics of the audit;
- Danger of becoming a box-ticking exercise: the nature of assurance reports is that they are generally conducted annually and the scope is defined and does not regularly increase or decrease. After a number of years, the engagement may become routine and stale, and a box-ticking exercise for the organisation. While the cost will remain the same, the value the organisation derives from the engagement in this scenario is not the same as in the early years;
- Educating users: the reporting formats are generally technical in nature and there is a challenge for organisations to educate the users of the report on the terminology and on how best to use the report. Terms such as qualified/unqualified opinions, management assertions and exceptions to control activities may be easily understood by auditors. However, there is a challenge to ensure the reports are understandable for all users, be they clients of the organisation, regulators or directors of organisations; and
- Benefits of the report may not be utilised in full: there are significant benefits to be achieved from the completion of annual assurance engagements. The engagements are carried out under internationally-recognised auditing standards and are a stringent test of the organisation’s control environment. A clean SOC1/SOC2 or ISAE3000 report can provide a lot of assurance about an entity’s control environment. However, after a number of years with a clean report, the value of this exercise may not be as transparent. The organisation must continue to ensure that the reports are being used to their full potential and adding value throughout the organisation.
Ensuring annual assurance engagements add value
Assurance engagements are a significant annual administrative cost and they take up a substantial amount of management time. The challenges outlined in the previous section are some of the main factors that cause assurance reporting to become stagnant, and this can mean that organisations do not always extract the most value from them. It is essential for each organisation to obtain as much value as possible from its assurance engagements. Below are a number of ways in which management can ensure that assurance engagements continue to add value.
Assign a champion: as the scope of assurance reports can be unwieldy and touch many areas of the business, there may not be a single person who is responsible for coordinating the engagement. It is important that a member of the senior management team takes the lead and champions the report. This person should ensure that the assurance engagement is taken seriously throughout the organisation and also guarantee that the report is a periodic agenda item for those charged with governance.
Interaction with internal audit and compliance functions: the users of assurance reports are generally third parties such as regulators, clients or user external auditors. In some cases, internal audit may not necessarily be one of the direct users of the report. The significant assurance received in some of these reports, particularly for financial controls, should be taken into account when designing the annual internal audit plan. There is an opportunity for internal audit to rely on the contents of these reports and therefore focus resources on areas of higher risk in the business. Assurance reports often go into significant detail to map out matrices of control objectives and activities, and there is an opportunity for these items to be mapped to risks identified in organisations’ risk registers. Those performing ‘second line of defence’ activities such as risk management and compliance should be aware of the contents of the assurance report, to ensure that they are able to rely on and/or use sections of the report where applicable.
Review the scope and benchmark: while the scope of assurance reports generally does not change dramatically from year to year, it should be regularly reviewed and challenged. In some instances, the scope can be consolidated or even cut back. It is also important to continually interact with the users of the report to ensure that the scope is adequate and there is appropriate coverage of the required processes.
Auditors can be asked to add value by benchmarking the scope and overall strength of the control activities against leading industry practices on a periodic basis. In most instances, auditors should have a repository of information on hand to assist them in this exercise. This process can help with the review of the report’s scope and ensure that the content remains relevant.
Challenge the auditors: the risk of an annual assurance engagement becoming a box-ticking exercise also exists on the auditor’s side. It can be easy for auditors to complete the testing programme each year and complete the engagement in an efficient manner. When this happens, auditors often fail to give additional insights and added value to clients. Management should continue to challenge the auditors in an effort to identify observations and enhancement opportunities in the control environment, and to add value each year of the engagement.
Audit committees and boards should also request that the auditors present their reports to ensure that the governance structures have an appropriate understanding of the work completed and can provide challenge where appropriate.
Fully develop the description of the system: section three, or the description of the system section in SOC1/SOC2 reports, can vary in detail depending on the organisation. This section is a good mechanism for organisations to develop and clearly outline – to both internal and external users – the detailed control activities in place to meet their financial reporting requirements. It also has the capacity to detail high-level controls such as governance, risk assessment processes, oversight and monitoring controls. This section can help management clearly define the complementary user entity controls necessary for the service organisation to conduct its duties.
Management should continually seek guidance and assistance from the auditor in evaluating whether the description of the system is appropriately detailed. In addition, service organisations that conduct assurance engagements under the ISAE3402 standard should consider the need to migrate to the SSAE18 standard. SSAE18 came into effect on 1 May 2017, replacing SSAE16. The new standard adds more specific requirements for service organisations when presenting the description of the system. These details are not yet required under the comparable ISAE.
Colum Roche is a Manager specialising in assurance reporting in the Risk Advisory department at Deloitte.
This article first appeared in the June 2018 edition of Accountancy Ireland.