ISAE 3402 and SSAE 16 defined

Overview of service organisation control reports

Service organisation control reports are reports on the internal control structure for organisations that provide transaction processing services.

The objective of a service organisation control report is to provide clients of a service organisation and their independent auditors with information on policies, procedures and controls that may be relevant to their internal control structure and their financial statements.

The clients use the report to understand the adequacy and operating effectiveness of their service provider’s controls.

The client’s auditors use the report to understand controls related to a service that is likely to be relevant to clients' internal control, as it relates to financial reporting, and to reduce or eliminate audit procedures at the service organisation.

Service organisation control reports have become increasingly prevalent in the marketplace since the issuance of Statements on Auditing Standards N° 70, Service Organisations (SAS 70) in 1992.

Replacing SAS70

The International Auditing and Assurance Standards Board (IAASB) issued a new international standard for engagements to report on controls at service organisations. At the same time, the American Institute of Certified Public Accountants (AICPA) also redrafted SAS 70.

The new standards have become effective for assurance reports covering periods ending on or after June 15 2011. These revisions of SAS 70 represent the first significant modifications to the standard since it was issued nearly two decades ago. While the standards issued by the IAASB and AICPA are not significantly different from each other, they do present some changes from SAS 70 that may prove challenging for some service organisations.

One reason for the change is that prior to the IAASB’s development of International Standard on Assurance Engagements 3402 (ISAE 3402), there was no global standard for engagements to report on controls at a service organisation. SAS 70 is a U.S. standard, and although it has been used for engagements outside the U.S., the IAASB saw a need to develop an internationally recognised standard.

The AICPA, as part of its efforts to converge its U.S. standards with those of the IAASB, followed suit and issued a new Statement on Standards for Attestation Engagements No. 16 (SSAE 16) that replaced SAS 70 and mirrored ISAE 3402.

The new standards by the IAASB and AICPA are not aimed at overhauling how an engagement to report on controls at a service organisation is performed. Rather, they have been issued to meet the demands of the current market environment and to fit into the modern framework of assurance standards.

A short history of audit requirements for service organisations:

• 1992 - Development of SAS 70 by the AICPA.
• 2002 - Passage of the Sarbanes-Oxley Act of 2002 leads to much wideruse of SAS 70.
• 2008/ 2009 - IAASB begins development of international standard on service organisations. AICPA SAS 70 task force begins redrafting SAS 70.
• 2010 - A global standard to be issued by the IAASB called ISAE 3402 and a new U.S. standard to be issued by the AICPA, called SSAE No. 16 to replace SAS 70.
• 2011 - For examination periods ending on or after June 15, 2011, service auditors are required to comply with either SSAE No. 16 or ISAE 3402.

Assessment of your internal control maturity

Contingent on to the maturity of a service organisation with their internal control framework, two types of ISAE 3402/ SSAE 16 reports can be issued, resulting from the independent assessment:

A Type 1 report covers controls placed in operation as of a point in time and is considered to be of limited use as it does not cover the operating effectiveness of the controls. Typically, service organisations undertake a Type 1 examination only in their first year of going through such an examination as they may lack the evidential documentation supporting the operating effectiveness of the controls.

Alternatively, a Type 2 report covers controls placed in operation and tests of operating effectiveness for a period of time (generally not less than 6 months and not more than 12 months). This type of report may be utilised by clients and client financial statement auditors for control reliance purposes for an audit, as the differentiating factor is that a Type 2 report includes tests of operating effectiveness and the corresponding results within the report.

A Type 2 report is most beneficial to an organisation since it tests the effectiveness of the controls over the period of time and it is most often requested and expected by a service organisation’s clients.

Type 1 ISAE 3402 or SSAE 16 report - Reports on controls placed in operation

• A report on controls placed in operation (as of a point in time)
• Looks at the existence and design of controls - not at their operating effectiveness
• Considered for information purposes only
• Not considered useful for purposes of reliance by user auditors
• Generally performed the first year a service organisation has a ISAE 3402/SSAE 16

Type 2 ISAE 3402 or SSAE 16 report Reports on controls placed in operation and tests of operating effectiveness

• A report on controls placed in operation and tests of operating effectiveness (for a period of time, not less than 6 months and not more than 12 months)
• Differentiating factor: includes tests of operating effectiveness
• More emphasis on evidential matter
• Requires more internal and external effort
• May provide the user auditor with a basis for reducing audit procedures at the service organisation

ISAE 3402/SSAE 16 report structure

Share