ISAE 3402 / SOC 1 examinations
Reinforcing confidence through demonstration of effective controls
Outsourcing is a growing trend and companies increasingly depend on third-party providers to deliver critical services. Companies often depend on many providers to deliver any number of services, including information technology, finance and accounting, customer care, human resource and benefits management, payment and administration, depositary and custody, fund administration, transfer agency, and management companies. Consequently, outsourcing companies are looking for third-party assurance to provide their clients with comfort about their internal control environment.
In order to meet heightened expectations and to fit the modern frameworks of assurance standards, the International Auditing and Assurance Standards Board (IAASB) and the American Institute of Certified Public Accountants (AICPA) issued two standards in 2010, ISAE 3402 and SSAE 16, for examination periods ending on or after June 15, 2011. Since their adoption in 2011, service auditor reports issued in accordance with ISAE 3402 or SSAE 16 have become increasingly common in the marketplace. In spring 2016, the AICPA issued SSAE 18, Attestation Standards: Clarification and Recodification, which seeks to clarify and formalize the requirements and provide application guidance for performing and reporting on examinations, reviews and agreed-upon procedure engagements (attestation engagements). The main impacts of the new standard for service organizations are the following:
- Monitoring the effect of controls at subservice organizations
- Identifying complementary subservice organization controls (CSOCs)
- Clarification of complementary user entity control considerations (CUECCs)
- Evaluating reliability of information produced by the service organization
- Assessing risk of material misstatement
Changes are effective for service auditors’ reports dated on or after May 1, 2017.
It is important to note that the SSAE 16 standard was specific to service organization control reports, whereas SSAE 18 applies to several types of attestation engagements. This means that the term SSAE 16 examination will not be replaced by the term SSAE 18 examination. Instead, it will simply be referred to as SOC 1.
ISAE 3402/SOC 1 reporting, in coordination with your internal control assessment activities, can help:
- Identify your company’s most business-critical, process-based relationships
- Pinpoint existing internal and outsourcing organization gaps in processes and controls that may increase risk
- Enhance existing activities with a more encompassing framework for internal controls, one that achieves compliance with Sarbanes-Oxley financial reporting control requirements and helps improve internal risk management and business partner performance
Benefits of the ISAE 3402/SOC 1 examination
Hiring an independent service auditor to perform the review allows the organization to be subjected to just one internal controls audit. Upon completion, the report is distributed to the service organization’s users so that their auditors may rely upon its opinion and findings and subsequently limit or eliminate additional substantive audit procedures. It can help reduce the impact on your resources by minimizing disruption from other outside parties, and reduce operating costs for your clients, as they will no longer have to send auditors to audit your organization.
Deloitte will put experienced industry professionals at your disposal, recognized as experts in their field, together with qualified auditors with in-depth experience in control reviews. We are convinced that the availability of industry experts is a key differentiating factor in our approach as it enables us to advise you in a proactive manner on how to align with leading market practices.
Our ISAE 3402/SOC 1 services can bring an organization value through improved third-party risk management and performance, and include:
- Determining the spectrum of ISAE 3402/SOC 1 coverage required
- Executing ISAE 3402/SOC 1 examinations for outsourcers and service providers
- Expanding the scope of ISAE 3402/SOC 1 reporting based on assessment
Service organization control report
In response to the market demand for enhanced risk oversight and transparency, service organization control reports have become increasingly prevalent in the marketplace since the issuance of Statements on Auditing Standards No. 70, Service Organizations (SAS70) in 1992.
The benefits of service organization control reports are:
- Strengthening your organization’s reputation
- Assisting in fulfilling your customers’ and their independent auditors’ audit responsibilities
- Demonstrating that controls are designed and implemented based on an accepted internal control framework (e.g. COSO)
- Providing an independent examination of the control environment under an internationally recognised standard
Risk management tool
ISAE 3402/SOC 1 reports provide management with greater comfort over the organization environment and a basis for reliance on controls mitigating your (and your clients') risks with a focus on financial reporting.
Management can use ISAE 3402/SOC 1 reports to provide employees with key information about the organization and how transactions are processed, to give them a better understanding of the global objectives of the business, and to foster control discipline across the organization over the soundness of the control environment.
ISAE 3402/SOC 1 reports provide management with an independent assessment of the adequacy of the control procedures and 'reasonable assurance' over the operating effectiveness of the processing control environment that impacts user entities' internal control over financial reporting.
The report illustrates the positive effects of a properly functioning and articulated control environment to an organization’s senior management and can help reduce the likelihood of unwanted surprises by:
- Identifying and documenting your control objectives
- Analysing the effectiveness of your control activities
- Helping identify process and technology weaknesses
- Identifying opportunities for improvement throughout audited operational areas
- Determining the consistency with which your controls are applied throughout the organization
- Standardising the processes among multiple services
- Assessing the strength of your management oversight