Auditor Reporting on Controls at Service Organizations
1. Auditor Reporting on Controls at Service Organizations: S. 5970, CSAE 3416, SAS 70, SSAE 16, ISAE 3402. ACC 626 Podcast brought to you by: Jessica Leung
2. Agenda: Background; Introduction to Standards; Section 5970 and CSAE 3416; SAS 70 and SSAE 16; ISAE 3402; Guidance on Use of Reports; Benefits and Limitations; Transition to New Standard and Key Changes; Hot Topic: Cloud Computing; Key Take Away
10. Introduction to Standards: Section 5970: Auditor’s report on controls at a service organization; Effective on December 15, 2011; Canadian Standard on Assurance Engagements (CSAE) 3416: Reporting on Controls at a Service Organization; Statement on Auditing Standards (SAS) No. 70: Service Organizations; Effective on June 15, 2011; Statement on Standards for Attestation Engagements (SSAE) 16: Reporting on Controls at a Service Organization; International Standard on Assurance Engagements (ISAE) 3402: Assurance Reports on Controls at a Service Organization
11. Section 5970 and CSAE 3416: Section 5970: Auditor’s report on controls at a service organization; Effective on December 15, 2011; Canadian Standard on Assurance Engagements (CSAE) 3416: Reporting on Controls at a Service Organization; Section 5970 is effective for engagements for the periods beginning on or after January 1, 2006; Harmonized with SAS No. 70; CSAE 3416 will supersede Section 5970 on December 15, 2011; Both standards are very similar to US standards
12. SAS 70: Statement on Auditing Standards (SAS) No. 70: Service Organizations; Effective on June 15, 2011; Statement on Standards for Attestation Engagements (SSAE) 16: Reporting on Controls at a Service Organization; Service Organization Controls (SOC) 1 Report; Report on controls at a service organization relevant to user entities’ internal control over financial reporting; Provides guidance for service auditors to issue an opinion on service organization’s description of controls
13. ISAE 3402: International Standard on Assurance Engagements (ISAE) 3402: Assurance Reports on Controls at a Service Organization; ISAE 3402 is a default standard for countries without existing standards and a basis for updates to other countries’ standards; SSAE 16 mirrors the global standard, ISAE 3402; In Canada, CSAE 3416 is modeled after SSAE 16 and also aligns with ISAE 3402 in most respects; All three new standards (SSAE 16, ISAE 3402, and CSAE 3416) are substantially the same
14. Guidance on Use of Reports: Reporting on controls is not a “checklist” audit; Control objectives and activities at service organization vary; Service auditor expresses an opinion on the presentation of the described controls and whether the controls included in the description are well designed and operating effectively to meet the control objectives; The report is intended for user organizations and their auditors only
22. Limitation of Reports: The term SAS 70 certified or SAS 70 compliant is misused as a “data security rubber stamp” for marketing purposes; Report is misinterpreted as addressing non-financial subject matters, such as availability, processing integrity, privacy or confidentiality
25. How can Service Auditors help? Assess any changes necessary to comply with new standards; Understand impact of the change or review system description; Level of effort and costs will vary depending on how prepared service organizations were, their experience with their service auditors, and internal control environment; Advise on selection of standards, such as selecting ISAE 3402 for international users
26. Hot Topic: Providing Assurance on Cloud Computing Services: Outsourcing to a cloud service provider requires assurance on more than financial subject matters: reliability, privacy compliance, and the security of the system and data
27. Hot Topic: Providing Assurance on Cloud Computing Services: No recognized assurance standards in place to address the unique risk issues of cloud services; No specific assessment procedures for evaluating controls in the cloud environment; SSAE 16 and Trust Services likely to provide assurance of controls over financial reporting and security of the system
28. Final Take Away: New standards require a more comprehensive disclosure from management; Provide higher level of assurance for users that controls are secured and operating effectively to prevent or detect material misstatement in financial statements