A New Standard on the Horizon
Since 15 June this year, a new standard, the International Standard on Assurance Engagements (ISAE) 3402 issued by the International Auditing and Assurance Standards Board (IAASB), has come into force as the global standard for service organisation controls reporting. This is in tandem with the move to harmonise US and international accounting and auditing standards to enhance the consistency of assurance reporting across jurisdictions, and specifically, in this case, reporting on controls at third party service organisations. With this, the AICPA's SAS 70 will also be replaced with SSAE 16, which is closely aligned to ISAE 3402.
ISAE 3402 and SSAE 16 are fundamentally similar to SAS 70, but with a number of key changes: the service organisation now needs to include the following information in its reporting.
- System description - In addition to providing descriptions of the controls in place, the service organisation is also required to describe its system, which should cover the procedures, people, software, data and infrastructure.
- Management's assertion - The written assertion should communicate the service organisation management's responsibility for the description of the system and how they have met the evaluation criteria.
- Risk assessment - The management assertion should be supported by a risk assessment that identifies the risks that threaten the achievement of the control objectives and determines whether the controls will provide reasonable assurance that the identified risks will not hinder the achievement of those control objectives.
As with SAS 70, under the new ISAE 3402 there are two types of reporting options: a Type 1 report, which covers the description and design of controls at a service organisation; and a Type 2 report, which covers the description, design and operating effectiveness of controls at a service organisation.
Meanwhile, in line with the introduction of SSAE 16, the AICPA is also taking the opportunity to introduce a framework, known as Service Organisation Controls (SOC), for auditor reports on the controls of service providers. It offers the following three options, which companies can request:
- SOC 1 is a restricted-use report to be shared only with the service organisation's customers and their auditors. The service organisation provides a detailed description of its outsourced processes and controls that impact its customers' financial reporting. SSAE 16 is considered an SOC 1 report under this framework.
- SOC 2 is also a restricted-use report to be shared only with the service organisation's customers and their auditors. The subject matter of the examination can be expanded to include the service organisation's controls over security, confidentiality, processing integrity, availability and privacy.
- SOC 3 is similar to SOC 2, except that the report can be made public and used for marketing purposes.