Service organisation control reports are reports on the internal control structure for organisations that provide transaction processing services.
The objective of a service organisation control report is to provide clients of a service organisation and their independent auditors with information on policies, procedures and controls that may be relevant to their internal control structure and their financial statements.
The clients use the report to understand the adequacy and operating effectiveness of their service provider’s controls.
The client’s auditors use the report to understand controls related to a service that is likely to be relevant to clients' internal control, as it relates to financial reporting, and to reduce or eliminate audit procedures at the service organisation.
Service organisation control reports have become increasingly prevalent in the marketplace since the issuance of Statements on Auditing Standards N° 70, Service Organisations (SAS 70) in 1992.
The International Auditing and Assurance Standards Board (IAASB) issued a new international standard for engagements to report on controls at service organisations. At the same time, the American Institute of Certified Public Accountants (AICPA) also redrafted SAS 70.
The new standards have become effective for assurance reports covering periods ending on or after June 15 2011. These revisions of SAS 70 represent the first significant modifications to the standard since it was issued nearly two decades ago. While the standards issued by the IAASB and AICPA are not significantly different from each other, they do present some changes from SAS 70 that may prove challenging for some service organisations.
One reason for the change is that prior to the IAASB’s development of International Standard on Assurance Engagements 3402 (ISAE 3402), there was no global standard for engagements to report on controls at a service organisation. SAS 70 is a U.S. standard, and although it has been used for engagements outside the U.S., the IAASB saw a need to develop an internationally recognised standard.
The AICPA, as part of its efforts to converge its U.S. standards with those of the IAASB, followed suit and issued a new Statement on Standards for Attestation Engagements No. 16 (SSAE 16) that replaced SAS 70 and mirrored ISAE 3402.
The new standards by the IAASB and AICPA are not aimed at overhauling how an engagement to report on controls at a service organisation is performed. Rather, they have been issued to meet the demands of the current market environment and to fit into the modern framework of assurance standards.
A short history of audit requirements for service organisations:
Contingent on to the maturity of a service organisation with their internal control framework, two types of ISAE 3402/ SSAE 16 reports can be issued, resulting from the independent assessment:
A Type 1 report covers controls placed in operation as of a point in time and is considered to be of limited use as it does not cover the operating effectiveness of the controls. Typically, service organisations undertake a Type 1 examination only in their first year of going through such an examination as they may lack the evidential documentation supporting the operating effectiveness of the controls.
Alternatively, a Type 2 report covers controls placed in operation and tests of operating effectiveness for a period of time (generally not less than 6 months and not more than 12 months). This type of report may be utilised by clients and client financial statement auditors for control reliance purposes for an audit, as the differentiating factor is that a Type 2 report includes tests of operating effectiveness and the corresponding results within the report.
A Type 2 report is most beneficial to an organisation since it tests the effectiveness of the controls over the period of time and it is most often requested and expected by a service organisation’s clients.
|Section one||Independent service auditor's report (the 'Opinion')|
|Section two||Written assertion provided by the service organisation|
|Section three||Description of internal controls and control objectives (provided by the service organisation)|
|Section four||Information provided by the independent service auditor (includes tests of operating effectiveness and testing results for a Type 2 report)|
|Section five||Other information provided by the service organisation (optional)|