Assurance Report on Controls at Service Organizations SAE 3402


Assurance Report on Controls at Service Organizations SAE 3402
By P. SELVAMOORTHY, FCA, DISA, CISA, CISSP, CHE, AFCEH, ISO27001:LA

Assurance Report on Controls at Service Organizations SAE 3402
Standards:
- SAE 3402
- ISAE 3402
- SSAE 16 (previously SAS 70)

A1. User Entity vs Service Organization

A1. User Entity vs Service Organization…
- User Organization: the entity that has engaged a service organization and whose financial statements are being audited.
- User Auditor: the auditor who reports on the financial statements of the user organization.
- Service Organization: the entity (or segment of an entity) that provides services to a user organization that are part of the user organization's information system.
- Service Auditor: the auditor who reports on controls of a service organization that may be relevant to a user organization's internal control as it relates to an audit of financial statements.

A2. Terminologies
- UE – User entities
- SO – Service Organization
- SSO – Sub Service Organization
- Management of user entity
- Management of Service entity
- Management of Sub Service Entity
- UA – User entity auditor
- SA – Service Auditor reporting under the carve-out method: controls at the SSO will not be assessed by the SA
- SA – Service Auditor reporting under the inclusive method: controls at the SSO will be assessed by the SA

B. Need for SOC reports (Demand) Data Security & Privacy are increasing concerns for most organizations. This is especially important in cases where data is regulated and/or sensitive as in case of compliance requirements for HIPAA, PCI etc. Cloud environments are adding to the complexity of the issue where the actual location of the data stored may not be known. Privacy laws are being enforced that may lead to heavy fines or penalties.

C. Applicability  SAE 3402 reporting is applicable to the audit of the financial statements of the user organization that obtains services from a service organization that are part of its information system.

C. Applicability… A service organization's services are part of the user organization's information system if they affect any of the following:
- The classes of transactions in the user organization's operations that are significant to the user organization's financial statements
- The procedures, both automated and manual, by which the user organization's transactions are initiated, authorized, recorded, processed, and reported from their occurrence to their inclusion in the financial statements
- The related accounting records, whether electronic or manual, supporting information and specific accounts in the entity's financial statements involved in initiating, recording, processing and reporting the user organization's transactions
- How the user organization's information system captures other events and conditions that are significant to the financial statements
- The financial reporting process used to prepare the user organization's financial statements, including significant accounting estimates and disclosures

D. What is a Type I report? In a Type I engagement, the service auditor will express an opinion and report on the subject matter provided by the management of the service organization as to (1) whether the service organization's description of its system fairly presents the service organization's system that was designed and implemented as of a specific date; and (2) whether the controls related to the control objectives stated in management's description of the service organization's system were suitably designed to achieve those control objectives, also as of a specified date. A Type I report can be for either a SOC 1 or a SOC 2, depending on the objectives of the controls and services being provided.

What is a Type II report? In a Type II engagement, the service auditor will additionally express an opinion and report on the subject matter provided by the management of the service organization as to: (3) whether the controls related to the control objectives stated in management's description of the service organization's system operated effectively throughout the specified period to achieve those control objectives. A Type II report also can be for either a SOC 1 or a SOC 2, depending on the objectives of the controls and services being provided.

E1. Type 1 Vs Type 2 Reports (SOC reporting – Reports on Compliance)

Type 1:
- Report is as of a point in time (i.e., as of 2/31/200X)
- Looks at the design of controls – not operating effectiveness
- Limited use & considered for information purposes only
- Not considered useful for purposes of reliance by user auditors
- Not used as a basis for reducing the assessment of control risk below the maximum
- Generally performed in the first year that a service organization has an SSAE 16 requirement

Type 2:
- Report covers a period of time, generally not less than 6 months and not more than 12 months
- Differentiating factor: includes tests of operating effectiveness
- May provide the user auditor with a basis for reducing the assessment of control risk below the maximum
- Requires more internal and external effort
- Identifies instances of noncompliance with the stated control activity
- More emphasis on evidential matter

E2. Comparative Details – statement / report by SO – Carve-out method

Sl. No | Type of Description / Report | Management assertions about systems and controls of the Service Organization | About the Sub Service Organization
1 | Type 1 | Description of system and comment on suitability of correct design of system in SO | Not described in detail
2 | Type 1 | Description of control objectives of systems in SO and description of design of controls in SO |
3 | Type 2 | Description of the effectiveness of controls operated throughout the specified period to achieve those control objectives |

E2. Comparative Details – statement / report by SO – Inclusive method

Sl. No | Type of Description / Report | Management assertions about systems and controls of the Service Organization | About the Sub Service Organization
1 | Type 1 | Description of system and comment on suitability of correct design of system in SO | System details described in detail
2 | Type 1 | Description of control objectives of systems in SO and description of design of controls in SO | Details of controls designed described in detail
3 | Type 2 | Description of the effectiveness of controls operated throughout the specified period to achieve those control objectives | Effectiveness of controls described in detail

E3. Type II currently provides the most reasonable assurance for the following reasons:
- SOC Type II can cover the entire year, and the effectiveness of the controls in place can be reported
- It is a third-party period-of-time assessment and so has accountability
- Since it is a period-of-time assessment, it is more like continuous compliance, with low risk and high reliability
- Most other assurance programs or audits are only at a point in time

F. Statement of assertion by Management of Service Organization ???

G. Independence SA Assurance report. ???

Thank You… psmoorthyfca@gmail.com