Presentation is loading. Please wait.

Presentation is loading. Please wait.

Assurance Report on Controls at Service Organizations SAE 3402

Published byIrma Underwood Modified over 8 years ago

Similar presentations

Presentation on theme: "Assurance Report on Controls at Service Organizations SAE 3402"— Presentation transcript:

1 Assurance Report on Controls at Service Organizations SAE 3402
By P.SELVAMOORTHY, FCA,DISA,CISA,CISSP,CHE,AFCEH, ISO27001:LA

2 Assurance Report on Controls at Service Organizations SAE 3402
Standards SAE 3402 ISAE 3402 SSAE 16 (previously SAS 70)

3 A1. User Entity vs Service Organization

4 A1. User Entity vs Service Organization…
User Organization—The entity that has engaged a service organization and whose financial statements are being audited. User Auditor—The auditor who reports on the financial statements of the user organization Service Organization—The entity (or segment of an entity) that provides services to a user organization that are part of the user organization's information system. Service Auditor—The auditor who reports on controls of a service organization that may be relevant to a user organization's internal control as it relates to an audit of financial statements.

5 A2. Terminologies UE – User entities SO – Service Organization
SSO – Sub Service Organization Management of user entity Management of Service entity Management of Sub Service Entity UA – User entity auditor SA – Service Auditor reporting under Carve out method Controls at SSO will not be assessed by SA SA – Service Auditor reporting under inclusive method Controls at SSO will be assessed by SA

6 B. Need for SOC reports (Demand)
Data Security & Privacy are increasing concerns for most organizations. This is especially important in cases where data is regulated and/or sensitive as in case of compliance requirements for HIPAA, PCI etc. Cloud environments are adding to the complexity of the issue where the actual location of the data stored may not be known. Privacy laws are being enforced that may lead to heavy fines or penalties.

7 C. Applicability  SAE 3402 reporting is applicable to the audit of the financial statements of the user organization that obtains services from a service organization that are part of its information system.

8 C. Applicability… A service organization's services are part of the user organizations’ information system if they affect any of the following: The classes of transactions in the user organization’s operations that are significant to the user organization’s financial statements The procedures, both automated and manual, by which the user organization’s transactions are initiated, authorized, recorded, processed, and reported from their occurrence to their inclusion in the financial statements The related accounting records, whether electronic or manual, supporting information and specific accounts in the entity's financial statements involved in initiating, recording, processing and reporting the user organizations’ transactions.  How the user organizations’ information system captures other events and conditions those are significant to the financial statements The financial reporting process used to prepare the user organizations’ financial statements, including significant accounting estimates and disclosures.

9 D. What is Type I report? In a Type I engagement , the service auditor will express an opinion and report on the subject matter provided by the management of the service organization as to (1) whether the service organization's description of its system fairly presents the service organization's system that was designed and implemented as of a specific date; and (2) whether the controls related to the control objectives stated in management's description of the service organization's system were suitably designed to achieve those control objectives - also as of a specified date. A Type I report can be for either a SOC 1, or SOC 2 depending on the objectives of controls and services being provided.

10 What is Type II report? In a Type II engagement , the service auditor will additionally express an opinion and report on the subject matter provided by the management of the service organization as to; (3) whether the controls related to the control objectives stated in management's description of the service organization's system operated effectively throughout the specified period to achieve those control objectives. A Type II report also can be for either a SOC 1, or SOC 2 depending on the objectives of controls and services being provided.

11 E1. Type 1 Vs Type 2 Reports SOC reporting Type 1 Type 2 Reports on
Compliance Report is as of point in time (i.e., as of 2/31/200X) Looks at the design of controls – not operating effectiveness Limited use & considered for information purposes only Not considered useful for purposes of reliance by user auditors Not used as a basis for reducing the assessment of control risk below the maximum Generally performed in the first year that a service organization has a SSAE16 requirement. Report covers a period of time, generally not less than 6 months and not more than 12 months Differentiating factor: Includes tests of operating Effectiveness May provide the user auditor with a basis for reducing assessment of control risk below maximum Requires more internal and external effort Identifies instances of noncompliance of the stated control activity More emphasis on evidential matter

12 E2. Comparative Details – statement / report by SO – Carve out method
Sl. No Type of Description / Report Management assertions about systems and controls of Service Organization About Sub Service Organization 1 Type 1 Description of system and comment on suitability of correct design of system in SO Not described in detail 2 Description of control objectives of systems in SO and description of design of controls in SO 3. Type 2 Description of the effectiveness of controls operated throughout the specified period to achieve those control objectives

13 E2. Comparative Details – statement / report by SO – inclusive method
Sl. No Type of Description / Report Management assertions about systems and controls of Service Organization About Sub Service Organization 1 Type 1 Description of system and comment on suitability of correct design of system in SO System details described in detail 2 Description of control objectives of systems in SO and description of design of controls in SO Details of controls designed described in detail 3. Type 2 Description of the effectiveness of controls operated throughout the specified period to achieve those control objectives Effectiveness of controls described in detail

14 E3. Type II currently provides the Most Reasonable Assurance for the following reasons:
SOC Type II can cover the entire year and the effectiveness of the controls in place can be reported It is a Third Party Period- of-Time assessment and so has Accountability Since it is a period of time assessment, it is more like a continuous compliance with low risk and high reliability Most other assurance programs or audits are only, at a point in time

15 F. Statement of assertion by Management of Service Organization
???

16 G. Independence SA Assurance report.
???

17 Thank You… psmoorthyfca@gmail.com

Download ppt "Assurance Report on Controls at Service Organizations SAE 3402"

Similar presentations

AUDITING : AN OVERVIEW. Auditing defined It is a critical and systematic examination or review of accounting reports, documents, records, procedures and.

AUDITING : AN OVERVIEW. Auditing defined It is a critical and systematic examination or review of accounting reports, documents, records, procedures and.
Learning Objectives LO1 Explain the importance of auditing. LO2 Distinguish auditing from accounting. LO3 Explain the role of auditing in information risk.

Learning Objectives LO1 Explain the importance of auditing. LO2 Distinguish auditing from accounting. LO3 Explain the role of auditing in information risk.
Audit and Assurance services

Audit and Assurance services
SERVICE ORGANIZATION CONTROL REPORTS SM Formerly SAS 70 Reports.

SERVICE ORGANIZATION CONTROL REPORTS SM Formerly SAS 70 Reports.
Discussion on SA-500 – AUDIT EVIDENCE

Discussion on SA-500 – AUDIT EVIDENCE
Chapter 20 Additional Assurance Services: Other Information

Chapter 20 Additional Assurance Services: Other Information
Third Party Reporting © 2008 Ernst & Young LLP. All rights reserved. For Internal Use Within EY Only; Not for Distribution to Clients. Third Party Reporting.

Third Party Reporting © 2008 Ernst & Young LLP. All rights reserved. For Internal Use Within EY Only; Not for Distribution to Clients. Third Party Reporting.
Module A1 Other Public Accounting Services ACCT 4080.

Module A1 Other Public Accounting Services ACCT 4080.
Standar Pekerjaan Lapangan: Pemahaman Memadai atas Pengendalian Intern Pertemuan 5.

Standar Pekerjaan Lapangan: Pemahaman Memadai atas Pengendalian Intern Pertemuan 5.
9.401 Auditing Chapter 1 Introduction. Definition of Auditing The accumulation and evaluation The accumulation and evaluation Of evidence about information.

9.401 Auditing Chapter 1 Introduction. Definition of Auditing The accumulation and evaluation The accumulation and evaluation Of evidence about information.
18- 1 © 2006 The McGraw-Hill Companies, Inc., All Rights Reserved. Chapter 18 Integrated Audits of Internal Control (For Public Companies Under Sarbanes-Oxley.

18- 1 © 2006 The McGraw-Hill Companies, Inc., All Rights Reserved. Chapter 18 Integrated Audits of Internal Control (For Public Companies Under Sarbanes-Oxley.
Internal Control in a Financial Statement Audit

Internal Control in a Financial Statement Audit
Section 404 Audits of Internal Control and Control Risk

Section 404 Audits of Internal Control and Control Risk
Mª ANGELA JIMENEZ 1 UNIT 4. EXTERNAL AUDIT BASIS CONCEPTS.

Mª ANGELA JIMENEZ 1 UNIT 4. EXTERNAL AUDIT BASIS CONCEPTS.
Learning Objectives LO1 Describe the association framework. LO2 Determine whether a PA is associated with financial statements. LO3 Describe the three.

Learning Objectives LO1 Describe the association framework. LO2 Determine whether a PA is associated with financial statements. LO3 Describe the three.
Chapter Nine Conducting the IT Audit. Audit Standards AICPA — Statements of Auditing Standards (SASs) AICPA — Statements of Auditing Standards (SASs)

Chapter Nine Conducting the IT Audit. Audit Standards AICPA — Statements of Auditing Standards (SASs) AICPA — Statements of Auditing Standards (SASs)
SOC1 vs. SOC2 vs. SOC3 Source: ryServices/Pages/AICPASOC3Report.aspx.

SOC1 vs. SOC2 vs. SOC3 Source: ryServices/Pages/AICPASOC3Report.aspx.
Service Organization Control (SOC) Reporting Options and Information

Service Organization Control (SOC) Reporting Options and Information
PwC Internal Control Reports: Facts, Myths and Best Practices FIRMA National Risk Management Training Conference – San Francisco, CA Wednesday March 31,

PwC Internal Control Reports: Facts, Myths and Best Practices FIRMA National Risk Management Training Conference – San Francisco, CA Wednesday March 31,
New Auditing Standards Laurie Ball, CPA Swenson Advisors, LLP (Murrieta) Audit Director Accounting Day May 12, 2008.

New Auditing Standards Laurie Ball, CPA Swenson Advisors, LLP (Murrieta) Audit Director Accounting Day May 12, 2008.

Similar presentations

Ads by Google