Reporting on Controls at a Service Organisation: The basics every Caribbean Auditor should know


Audit practitioners in the Caribbean are becoming increasingly aware of the need for assurance reports over the controls at service organisations. Unfortunately, we still have a long way to go. This is evident since most audit practitioners still refer to Statement on Auditing Standards (SAS) No. 70, “Service Organisations” when discussing controls at a service organisation. This is where I usually explain that SAS No. 70 is an outdated standard, which was replaced in 2011 by Statements on Standards for Attestation Engagements (SSAE) 16, “Reporting on Controls at a Service Organisation”. I also have to remind my fellow audit professionals that SAS No. 70 and the new SSAE 16 are American standards which are promulgated by the American Institute of Chartered Accountants (AICPA). Practitioners in the Caribbean are required to adhere to the International Standard on Assurance Engagements (ISAE) 3402, especially if the service organisation is not an American company.

Most audit practitioners in the Caribbean are not familiar with these standards because companies in the Caribbean have not traditionally been big on outsourcing. However, a growing trend towards outsourcing is now being observed and, as a result, more service organisations are popping up across the Caribbean. With these new developments, it will become increasingly important for all audit practitioners in the region to understand ISAE 3402 and SSAE 16 and know how to apply them.

For the remainder of this post I will focus on ISAE 3402, since it is the correct standard for regional audit practitioners to follow when reporting on controls at a local service organisation.

Before I identify the basics about ISAE 3402, it is necessary to define some key terms which tend to cause some confusion:

  • User entity – An entity that uses a service organisation.
  • User auditor – An auditor who audits and reports on the financial statements of a user entity.
  • Service organisation – A third-party organisation that provides services to user entities which are likely to be relevant to the user entities’ internal control as it relates to financial reporting.
  • Service auditor – The auditor who, at the request of the service organisation, provides an assurance report on the controls at a service organisation.

Now that that is out of the way, here are some of the basics every audit practitioner should know about ISAE 3402:

  1. It is an assurance standard and not an audit standard
  2. It attests to a service organisation’s internal controls which affect its clients’ financial reporting
  3. ISAE 3402 complements International Standards on Auditing (ISA) 402, “Audit Considerations Relating to Entities Using Service Organisations”
  4. There are two types of ISAE 3402 reports
    • Type 1 – Reports on the description and design of controls at the service organisation
    • Type 2 – Reports on the description, design and operating effectiveness of controls at the service organisation
  5. An ISAE 3402 report contains the following basic elements:
    • An opinion on management’s assertions
    • The service organisation’s description of its systems
    • Management’s written assertions
    • List of management’s control objectives and the corresponding control activities
    • A description of the test of controls performed and the results of those tests (Type 2 Report only)

Now that we have covered the basics, I will examine the benefits of performing an ISAE 3402 in my next post.

Jason Ramsay is the Principal of Insight Risk & Technology Assurance, a boutique assurance and consultancy practice based in Barbados. www.insightra.com
