ISAE 3402 / SSAE 16 examinations
Reinforcing confidence through demonstration of effective controls
Outsourcing is a growing trend and companies increasingly depend on third-party providers to deliver critical services. Companies often depend on many providers to deliver any number of services, including Information technology, Finance and accounting, Customer care, Human resource and benefits management, Payment and administration, Custody, Fund administration, Transfer agency, and Management companies. Consequently, outsourcing companies are looking for third-party assurance to provide their clients with comfort about their internal control environment.
In order to meet heightened expectations and to fit the modern frameworks of assurance standards, the IAASB (International Auditing and Assurance Standards Board) and the AICPA (American Institute of Certified Public Accountants) issued new standards, namely the ISAE 3402 and SSAE 16, replacing the former SAS 70. The new standards have become effective for assurance reports covering periods ending on or after 15 June 2011.
ISAE 3402/SSAE 16 reporting, in coordination with your internal control assessment activities, can help:
- Identify your company’s most business-critical, process-based relationships
- Pinpoint existing internal and outsourcing organisation gaps in processes and controls that may increase risk
Enhance existing activities with a more encompassing framework for internal controls - one that achieves compliance with Sarbanes-Oxley financial reporting control requirements and helps improve internal risk management and business partner performance
Benefits of the ISAE 3402/SSAE 16 examination
Hiring an independent service auditor to perform the review allows the organisation to be subjected to just one internal controls audit. Upon completion, the report is distributed to the service organisation’s users so that their auditors may rely upon its opinion and findings and subsequently limit or eliminate additional substantive audit procedures. It can help reduce the impact on your resources by minimising disruption from other outside parties, and reduce operating costs for your clients, as they will no longer have to send auditors to audit your organisation.
Deloitte will put experienced industry professionals at your disposal, recognised as experts in their field, together with qualified auditors with in-depth experience in control reviews. We are convinced that the availability of industry experts is a key differentiating factor in our approach as it enables us to advise you in a proactive manner on how to align with leading market practices.
Our ISAE 3402/SSAE 16 services can bring an organisation value through improved third-party risk management and performance, and include:
- Determining the spectrum of ISAE 3402/SSAE 16 coverage required
- Executing ISAE 3402/SSAE 16 examinations for outsourcers and service providers
- Expanding the scope of ISAE 3402/SSAE 16 reporting based on assessment
Service organisation control report
In response to the market demand for enhanced risk oversight and transparency, service organisation control reports have become increasingly prevalent in the marketplace since the issuance of Statements on Auditing Standards No. 70, Service Organizations (SAS70) in 1992.
The benefits of service organisation control reports are:
- Strengthening your organisation’s reputation
- Assisting in fulfilling your customers’ and their independent auditors audit responsibilities
- Demonstrating that controls are designed and implemented based on an accepted internal control framework (e.g. COSO)
- Providing a control environment independent examination under a standard recognised internationally
Risk management tool
ISAE 3402/SSAE 16 reports provide management with greater comfort over the organisation environment and a basis for reliance on controls mitigating your (and your clients') risks with a focus on financial reporting.
Management can use ISAE 3402/SSAE 16 reports to provide employees with key information about the organisation and how transactions are processed as well as providing with a better understanding of the global objectives of the business and foster control discipline across organisation over control environment soundness.
ISAE 3402/SSAE 16 reports provide management with an independent assessment of the control procedures' adequacy and 'reasonable assurance' over the processing control environment operating effectiveness that impacts user entities' internal control over financial reporting.
It illustrates the positive effects of properly functioning and articulated control environment to an organisation’s senior management and can assist to reduce the likelihood of unwanted surprises:
- Identifying and documenting your control objectives
- Analysing the effectiveness of your control activities
- Helping identify process and technology weaknesses
- Identifying opportunities for improvement throughout audited operational areas
- Determining the consistency with which your controls are applied throughout the organisation
- Standardising the processes among multiple services
- Assessing the strength of your management oversight