Reporting on Controls at a Service Organisation: The basics every Caribbean Auditor should know


Audit practitioners in the Caribbean are becoming increasingly aware of the need for assurance reports over the controls at service organisations. Unfortunately, we still have a long way to go. This is evident since most audit practitioners still refer to Statement on Auditing Standards (SAS) No. 70, “Service Organisations” when discussing controls at a service organisation. This is where I usually explain that SAS No. 70 is an outdated standard, which was replaced in 2011 by Statements on Standards for Attestation Engagements (SSAE) 16, “Reporting on Controls at a Service Organisation”. I also have to remind my fellow audit professionals that SAS No. 70 and the new SSAE 16 are American standards which are promulgated by the American Institute of Chartered Accountants (AICPA). Practitioners in the Caribbean are required to adhere to the International Standard on Assurance Engagements (ISAE) 3402, especially if the service organisation is not an American company.

Most audit practitioners in the Caribbean are not familiar with these standards because companies in the Caribbean are not traditionally big on outsourcing. However, a growing trend towards outsourcing is now being observed and, as a result, more service organisations are popping up across the Caribbean. With these new developments, it will become increasingly important for all audit practitioners in the region to understand ISAE 3402 and SSAE 16 and know how to apply them.

For the remainder of this post I will focus on ISAE 3402, since it is the correct standard for regional audit practitioners to follow when reporting on controls at a local service organisation.

Before I identify the basics about ISAE 3402, it is necessary to define some key terms which tend to cause some confusion:

  • User entity – An entity that uses a service organisation.
  • User auditor – An auditor who audits and reports on the financial statements of a user entity.
  • Service organisation – A third-party organisation that provides services to user entities which are likely to be relevant to the user entities’ internal control as it relates to financial reporting.
  • Service auditor – The auditor who, at the request of the service organisation, provides an assurance report on the controls at a service organisation.

Now that that is out of the way, here are some of the basics every audit practitioner should know about ISAE 3402:

  1. It is an assurance standard and not an audit standard
  2. It attests to a service organisation’s internal controls which affect its clients’ financial reporting
  3. ISAE 3402 complements International Standards on Auditing (ISA) 402, “Audit Considerations Relating to Entities Using Service Organisations”.
  4. There are two types of ISAE 3402 reports
    • Type 1 – Reports on the description and design of controls at the service organisation
    • Type 2 – Reports on the description, design and operating effectiveness of controls at the service organisation
  5. An ISAE 3402 report contains the following basic elements:
    • An opinion on management’s assertions
    • The service organisation’s description of its systems
    • Management’s written assertions
    • List of management’s control objectives and the corresponding control activities
    • A description of the test of controls performed and the results of those tests (Type 2 Report only)

Now that we have covered the basics, I will examine the benefits of performing an ISAE 3402 in my next post.

Jason Ramsay is the Principal of Insight Risk & Technology Assurance, a boutique assurance and consultancy practice based in Barbados.

5 Reasons why IT Auditors are necessary during financial statement audits

Many small audit practitioners in the Caribbean typically question the merits of using an IT Auditor on their engagements. As a result of constantly having to convince small audit practitioners of the importance of information systems audits, I decided to write this post.

Before I go any further, it is necessary to define what an IT audit is. An IT audit is an independent examination of the design and operating effectiveness of information system controls. The IT audit evaluates whether these controls maintain the confidentiality, integrity and availability of an organisation’s data and information systems.

The following are some key reasons why IT audits are critical to financial statement audits:

  1. It is actually a requirement in some instances. SAS (Statement on Auditing Standards) 108 (AU § 311.23), ‘Planning and Supervision’, implies that the auditor should engage an IT auditor to determine the effect of IT on the audit, gain an understanding of controls, and design and perform tests of IT controls where the entity utilises complex IT systems, implements a new system, utilises emerging technologies or where significant audit evidence is only available in electronic form. ISA (International Standards on Auditing) 300, ‘Planning an Audit of Financial Statements’, is not as extensive as SAS 108, but it states that the auditor should consider the effect of information technology on the audit procedures, including the availability of data and the expected use of computer-assisted audit techniques (CAATs).
  2. Assist the auditor in assessing the entity’s risk of material misstatement. The auditor is required to identify and assess the risk of material misstatement through understanding the entity and its environment. Both SAS 109 (AU § 314.83) and ISA 315 section 18 require the auditor to obtain an understanding of the entity’s information system and the related business processes relevant to financial reporting. The IT Auditor is the most suitable person to perform such tasks. An IT Auditor is even more critical when the auditee utilises complex information systems and business processes or emerging technologies.
  3. Increasing audit efficiency and effectiveness. If controls are operating effectively, the auditor can reduce the extent of substantive testing (i.e. test of details). Since IT processing is inherently consistent, an automated control should function consistently unless the underlying program is changed. As such, an IT auditor can limit testing to one or a few instances of the automated control. Consequently, a test of automated controls performed by an IT auditor can increase audit comfort and reduce the extent of substantive testing the auditor needs to perform. This is covered under SAS 110 (AU § 318) and ISA 330.
  4. Journal Entry Testing. Under SAS 99 and ISA 240, it is necessary for the auditor to test the appropriateness of journal entries recorded in the general ledger. As long as journal entries are stored electronically, an IT auditor should employ CAATs to test these entries. In order to effectively test journal entries, the auditor should gain comfort over the completeness of the entries received. It is practically impossible to perform this task manually, especially with millions of entries. An experienced IT auditor with a good knowledge of CAATs would be necessary in this instance.
  5. Add value by detecting internal control weaknesses. The IT Auditor can add significant value to the external audit by highlighting existing information system control weaknesses, such as weak password controls, default passwords, dormant accounts and inappropriate user access, to name a few. Failure to identify and address the above-mentioned control weaknesses can result in losses due to fraud.

In summary, an information systems audit is critical to a financial statement audit. This is especially true when the entity utilises complex systems, processes a large volume of transactions or uses emerging technologies. As such, external auditors should use IT auditors when auditing financial services entities such as banks, investment management and insurance companies etc. or entities which utilise enterprise resource planning (ERP) systems such as SAP, Oracle or Microsoft Dynamics GP.