Reinforcing Confidence through Demonstration of Effective Controls
Overview of Service Organisation Control Reports
Service organisation control reports are reports on the internal control structure for organisations that provide transaction processing services. The objective of a service organisation control report is to provide clients of a service organisation and their independent auditors with information on policies, procedures and controls that may be relevant to their internal control structure and their financial statements. The clients use the report to understand the adequacy and operating effectiveness of their service provider’s controls.
The client’s auditors use the report to understand controls related to a service that is likely to be relevant to clients' internal control, as it relates to financial reporting, and to reduce or eliminate audit procedures at the service organisation.
Assessment of Your Internal Control Maturity
Depending on the maturity of a service organisation's internal control framework, two types of ISAE 3402 reports can be issued as a result of the independent assessment:
- A Type 1 report covers controls placed in operation as of a point in time and is considered to be of limited use as it does not cover the operating effectiveness of the controls. Typically, service organisations undertake a Type 1 examination only in their first year of going through such an examination as they may lack the evidential documentation supporting the operating effectiveness of the controls.
- Alternatively, a Type 2 report covers controls placed in operation and tests of operating effectiveness for a period of time (generally not less than 6 months and not more than 12 months). This type of report may be utilised by clients and client financial statement auditors for control reliance purposes for an audit, as the differentiating factor is that a Type 2 report includes tests of operating effectiveness and the corresponding results within the report.
A Type 2 report is most beneficial to an organisation since it tests the effectiveness of the controls over the period of time and it is most often requested and expected by a service organisation’s clients.
ISAE 3402/SSAE 16 Report Structure
|Section I|Independent service auditor’s report (the 'Opinion')|
|Section II|Written assertion provided by the service organisation|
|Section III|Description of internal controls and control objectives (provided by the service organisation)|
|Section IV|Information provided by the independent service auditor (includes tests of operating effectiveness and testing results for a Type 2 report)|
|Section V|Other information provided by the service organisation (optional)|
Key Considerations of ISAE 3402
The ISAE 3402 standard requires that management of the service organisation provide a written assertion attesting to the fair presentation and design of controls (in a Type 1 report) or the fair presentation, design, and operating effectiveness of controls (in a Type 2 report). This written assertion is separate from the written representations obtained from management.
Under the standard, engagements are considered 'assertion-based': management is required to provide a written assertion, even though the auditor will continue to report on the subject matter (i.e. whether controls are fairly presented, suitably designed, and [in a Type 2 report] operating effectively).
In order to provide a written assertion, management will need to have a reasonable basis for making the assertion, which may include developing their own processes to support the assertion if such processes are not already in place. ISAE 3402 provides specific requirements that management must meet in order to provide a written assertion.
If the service organisation relies on controls at a subservice organisation and management elects to use the inclusive method (that is, management’s description of the service organisation’s system includes controls at the subservice organisation), management will also need to determine whether controls at the subservice organisation are suitably designed or suitably designed and operating effectively, depending on whether they are executing a Type 1 or Type 2 report. In order to make this determination and to support their own assertion, management of the service organisation would need to obtain a written assertion from management of the subservice organisation. If the management of a service organisation does not provide an assertion, the service auditor will not be able to accept the engagement.
ISAE 3402 – Your Outsourcing Solution
Outsourcing is a growing trend and companies increasingly depend on third-party providers to deliver critical services. Companies that just ten years ago may have used only one or two major third-party services providers often depend on many providers to deliver any number of services, including:
- Information technology
- Finance and accounting
- Customer care
- Human resource and benefits management
- Payment and administration
- Fund administration
- Transfer agency
Consequently, outsourcing companies are looking for third-party assurance to provide their clients with comfort about their internal control environment. The ISAE 3402 standard will remain the most widely employed approach to demonstrate third-party assurance, providing coverage to users of outsourced services. ISAE 3402 reporting, in coordination with your internal control assessment activities, can help:
- Identify your company’s most business-critical, process-based relationships;
- Pinpoint existing internal and outsourcing organisation gaps in processes and controls that may increase risk;
- Enhance existing activities with a more encompassing framework for internal controls - one that achieves compliance with Sarbanes-Oxley financial reporting control requirements and helps improve internal risk management and business partner performance.