Re: Exposure Draft Proposed ISAE 3402 on Assurance Reports on Controls at a Third Party Service Organization

Similar documents
Within our recommendations for editorial changes, additions are noted in bold underline and deletions in strike-through.

International Auditing and Assurance Standards Board (IAASB) International Federation of Accountants 545 Fifth Avenue, 14 th Floor New York, NY 10017

Exposure Draft The Auditor s Responsibility to Consider Fraud in an Audit of Financial Statements

Issue for Consideration: Appropriateness of the Drafting of Paragraph A17

18 April Re.: Exposure Draft, Improving the Structure of the Code of Ethics for Professional Accountants - Phase 1. Dear Mr.

Evaluating SOC Reports and NEW Reporting Requirements

Audit Considerations Relating to an Entity Using a Service Organization

Period from October 1, 2013 to September 30, 2014

Policy for Translating and Reproducing Standards Issued by the International Federation of Accountants

ISA 540 (Revised): Update. May 2018 ASB meeting Dan Montgomery May 17, 2018

ISA 800/805. Proposed changes to ISA 800/ 805 were limited in nature

INTERNATIONAL STANDARD ON AUDITING 505 EXTERNAL CONFIRMATIONS CONTENTS

International Standard on Auditing (Ireland) 505 External Confirmations

C22: SAS 70 Practices and Developments Todd Bishop, PricewaterhouseCoopers

International Standard on Auditing (UK) 505

EXTERNAL CONFIRMATIONS SRI LANKA AUDITING STANDARD 505 EXTERNAL CONFIRMATIONS

SAS 70 SOC 1 SOC 2 SOC 3. Type 1 Type 2

Making trust evident Reporting on controls at Service Organizations

ADVANCED AUDIT AND ASSURANCE

Submission to the International Integrated Reporting Council regarding the Consultation Draft of the International Integrated Reporting Framework

The Australian Accounting Standards Board (AASB) is pleased to provide its comments on the above named Consultation Paper (CP).

The Accreditation and Verification Regulation - Verification report

IIA EXAM - IIA-CGAP. Certified Government Auditing Professional. Buy Full Product.

SOC Reporting / SSAE 18 Update July, 2017

Exam Questions IIA-CGAP

Comment on Exposure Draft, IFRS Practice Statement: Application of Materiality to Financial Statements

Information for entity management. April 2018

SOC Reports The 2017 Update: What s new, What s not, and What you should be doing with the SOC Reports you receive! Presented by Jeff Pershing

Action Plan Developed by The Iranian Institute of Certified Accountants (IICA) BACKGROUND NOTE ON ACTION PLANS

ISACA Cincinnati Chapter March Meeting

SAS 70 revised. ISAE 3402 will focus on financial reporting control procedures. Compact_ IT Advisory 41. Introduction

Adopting SSAE 18 for SOC 1 reports

Transitioning from SAS 70 to SSAE 16

LIST OF SUBSTANTIVE CHANGES AND ADDITIONS. PPC's Guide to Audits of Local Governments. Thirty first Edition (February 2016)

SOC 2 examinations and SOC for Cybersecurity examinations: Understanding the key distinctions

Hong Kong Institute of Certified Public Accountants Practising Certificate ("PC") Business Assurance

26 February Office of the Secretary Public Company Accounting Oversight Board 1666 K Street, NW Washington, DC

A SERVICE ORGANIZATION S GUIDE SOC 1, 2, & 3 REPORTS

Retirement of SAS 70 and a new generation of Service Organization Control (SOC) Reports

SAS70 Type II Reports Use and Interpretation for SOX

OPG Comments on REGDOC-1.1.5, Licence Application Guide: Small Modular Reactor Facilities

Service Organization Control (SOC) Reports: What they are and what to do with them MARCH 21, 2017

Consultation questions

Lahore University of Management Sciences. ACCT 250 Auditing Spring Semester 2018

Error! No text of specified style in document.

SOC Updates: Understanding SOC for Cybersecurity and SSAE 18. May 23, 2017

SAS 70 & SSAE 16: Changes & Impact on Credit Unions. Agenda

Cyber Security Reliability Standards CIP V5 Transition Guidance:

SOC for cybersecurity

ICAEW REPRESENTATION 68/16

26 May Victoria Learmonth Prudential Supervision Department PO Box 2498 Wellington

General Data Localization Requirements in Indonesia

( ' ' (6-6 (6/%& A ' (6 -& (6 - & & (& %& (6-6 (6 $&&&

Project Posting 8 Frequently Asked Questions Guide

Financial Adviser Standards and Ethics Authority Ltd

ETNO Reflection Document on the EC Proposal for a Directive on Network and Information Security (NIS Directive)

Stakeholder and community feedback. Trusted Digital Identity Framework (Component 2)

ADMIN 3.4. V e r s i o n 4. Paul Daly CEO RISSB

CSF to Support SOC 2 Repor(ng

Weighing in on the Benefits of a SAS 70 Audit for Third Party Administrators

Biotechnology Industry Organization 1225 Eye Street NW, Suite 400 Washington, DC 20006

BACKGROUND NOTE ON ACTION PLANS

Global Specification Protocol for Organisations Certifying to an ISO Standard related to Market, Opinion and Social Research.

December 21, 1998 BY ELECTRONIC MAIL AND HAND DELIVERY

Re: PIPEDA s.11 complaint re: canada.com service - outsourcing to US-based service provider

STAFF REPORT. January 26, Audit Committee. Information Security Framework. Purpose:

ISACA Survey Results. 27 April Ms. Nancy M. Morris, Secretary Securities and Exchange Commission 100 F Street NE Washington, DC

ISAE 3402 and SSAE 16 (replacing SAS 70) Reinforcing confidence through demonstration of effective controls

Mastering SOC-1 Attestation Reports Under SSAE 16: Auditing Service Organizations Controls in the Cloud

CRITERIA FOR ACCREDITING COMPUTING PROGRAMS

EUROPEAN MEDICINES AGENCY (EMA) CONSULTATION

Revision of the Strategic Development Plan for the INTOSAI Framework of Professional Pronouncements

Learning Objectives. External confirmations procedures as per SA330 and SA 500 requirements

Chartered Member Assessment

IS Audit and Assurance Guideline 2002 Organisational Independence

Implementation of the NATS-only recommendations of the Independent Enquiry

Mega International Commercial bank (Canada)

Accreditation Process. Trusted Digital Identity Framework February 2018, version 1.0

Probe MMX Compilation

PREPARING FOR SOC CHANGES. AN ARMANINO WHITE PAPER By Liam Collins, Partner-In-Charge, SOC Audit Practice

Small Entities Audit Manual (SEAM)

This report was prepared by the Information Commissioner s Office, United Kingdom (hereafter UK ICO ).

Demonstrating data privacy for GDPR and beyond

Testers vs Writers: Pen tests Quality in Assurance Projects. 10 November Defcamp7

XBRL Accounts Taxonomies

ICORS Terms of Service

WHICH SOC REPORT IS RIGHT FOR YOUR CLIENT?

Independent Accountant s Report

Action Plan Developed by. Institute of Certified Public Accountants of Uganda BACKGROUND NOTE ON ACTION PLANS

IS Audit and Assurance Guideline 2001 Audit Charter

Guideline for Determining the TOE

EXAM PREPARATION GUIDE

Learning with the IIA Refreshing the profession: The New Internal Auditor. Jan Olivier 6 February 2019

Guidelines Concerning the Transmission, Etc. of Specified Electronic Mail

ABB Limited. Table of Content. Executive Summary

Audit and Assurance Overview

European Union comments CODEX COMMITTEE ON FOOD HYGIENE. Forty-ninth Session. Chicago, Illinois, United States of America, November 2017

Access Rights and Responsibilities. A guide for Individuals and Organisations

Prof.Dr. Sotiraq Dhamo Doc. Julian Naqellari The University of Tirana Accounting Department

BSI s BS 8878:2010 Web Accessibility Code of Practice

Transcription:

Date Le Président Fédération Avenue d Auderghem 22-28 des Experts 1040 Bruxelles 31 May 2008 Comptables Tél. 32 (0) 2 285 40 85 Européens Fax: 32 (0) 2 231 11 12 AISBL E-mail: secretariat@fee.be Mr. Jim Sylph Executive Director Professional Standards International Auditing and Assurance Standards Board (IAASB) 545 Fifth Avenue, 14 th Floor New York, New York 10017 USA Edcomments@ifac.org Dear Mr. Sylph, Re: Exposure Draft Proposed ISAE 3402 on Assurance Reports on Controls at a Third Party Service Organization As the representative organization of the European accountancy profession, FEE is pleased to comment on the Exposure Draft Proposed International Standard on Assurance Engagements ISAE 3402 on Assurance Reports on Controls at a Third Party Service Organization (Proposed ISAE 3402). FEE supports the application of the clarity drafting conventions to Proposed ISAE 3402. However, FEE strongly encourages IAASB to consider clarifying ISAE 3000 before issuing any further new standards in this category. It would be better to base new standards on a redrafted, clarified ISAE 3000 because to do otherwise is likely to cause confusion among practitioners and others. Our main comments are set out below followed by more detailed comments on the introduction, requirements and other comments. Main Comments Overlap with ISAE 3000 Our concerns noted above about the risks associated with clarifying standards such as ISAE 3402 based on an old-style ISAE 3000 are amplified by the overlap between ISAE 3402 and ISAE 3000. Many of the requirements of ISAE 3402 reflect specific requirements of other standards, particularly ISAE 3000. Duplication in ISAE 3402 is necessary in order to make the standard workable. However, while ISAE 3402 does include requirements aimed at reflecting many elements of ISAE 3000 and certain other relevant IAASB standards, it omits entirely others such as professional skepticism, engagement risk, the sufficiency and appropriateness of audit evidence, controls at the assertion level (as well as the financial statement level) and detailed IT controls (as well as the higher level control environment). Consistency and therefore completeness of coverage have not been achieved.

Scope Service entities offer increasingly complex and customized products to a wide range of customers with varying needs. The ISAE should therefore give greater emphasis to the individual needs of user auditors. Individual needs are recognized in paragraph 15 (b) in the requirements but further upfront recognition of these needs is warranted. The introductory paragraphs should refer to the limited capacity of the ISAE to meet the needs of individual user entities, expressed in full in the latter part of paragraph 15 (b). Paragraph 2 should not state that the ISAE may also be applied, adapted as necessary in the circumstances of the engagement, to report on engagements other than those relevant to financial reporting by user entities; this will create an expectation that auditors will adapt the standard to the circumstances described, but without providing practitioners with the necessary means to do so. The ISAE as currently drafted cannot serve all such needs. We therefore encourage IAASB to consider in more detail the auditing implications of more complex arrangements between sophisticated users and service organizations, whose specific needs fall outside the scope of the ISAE. We also addressed this issue in our comment letter on Proposed ISA 402 of 30 April 2008. Restricting the use of assurance reports The Explanatory Memorandum notes that the ISAE is drafted on the assumption that a service organization has many customers (user entities) but that, although each user entity and its auditor receive a copy of the description of the system and the service auditor s assurance report, the ISAE assumes no direct relationship between the service auditor and user entities or their auditors. In some jurisdictions, assurance reports on controls at third party service organizations are issued on a to whom it may concern basis. For such jurisdictions, it is important that the conditional nature of paragraph A28 is emphasised; only where criteria are restricted to intended users, or are relevant only to a specific purpose, should the use of the assurance report be restricted. It would help if the final phrase in A28 were more clearly and directly linked to the first sentence of that paragraph. Suggested revised wording is included below in our comment on Paragraph A28 under Application and Other Explanatory Material. In other jurisdictions, the use of such assurance reports is limited and reports would only be issued following a three party engagement arrangement between the service organization, the service auditor and the end user. In such jurisdictions, the wording in paragraph 15 (b) referring to meeting the common needs of a broad range of issuer entities and their auditors may be inappropriate unless caveated by the phrase, where permitted, or similar. The wording on Intended Users and Purpose in Appendix 2 should be similarly caveated. The development of control objectives FEE agrees with the proposal in the Explanatory Memorandum to exclude control objectives from the ISAE. However, the IAASB could encourage IFAC member bodies to develop such control objectives together with industry bodies, to help service auditors comply with the requirements of paragraph 12 (b) (iii). Type A engagements and reports Type A engagements appear to be rare and have limited value to users and their auditors. In order to avoid misunderstanding and misinterpretation of Type A reports, additional material on the very limited nature of the assurance provided would be helpful. For example, the fifth paragraph in Example 2 of a Type A report in Appendix 2 should emphasise to the reader that no

procedures on the effectiveness of controls were performed. We strongly recommend the inclusion of the sentence: We did not perform any procedures regarding the operating effectiveness of controls included in the description, and accordingly do not express an opinion thereon, in the scope paragraph of all example Type A reports, and again, either in the service auditor s responsibilities paragraph, or in the opinion paragraph (but not both) depending on what is acceptable in the relevant jurisdiction. Treatment of the impact of outsourcing on an entity s internal control The focus of the ISAE in paragraphs 1, 2 and elsewhere, is on controls at service organizations relevant to financial reporting by user entities. It is important that the ISAE makes it clear that this refers not only to those narrow components of internal control at the service organization that are directly relevant to financial reporting by the user entity, but also to wider aspects such as the high level control environment at the service organization, encompassing the tone at the top, for example. These components of the service organization s systems are highly relevant to any consideration of internal control as a whole, as well as to the auditors of user entities. References to relevant to financial reporting should be replaced by references to relevant to the audits of user organizations. This is important to ensure that auditors remain cognizant of the depth and breadth of controls relevant to audits of financial statements. Other Comments Comments on Introduction The focus of the ISAE is on controls at third party service organizations relevant to financial reporting by user entities. The auditor is required to make reference to the inherent limitations of these controls in the assurance report (paragraph 56 (e)). It is therefore appropriate to refer to these inherent limitations in the Introduction as follows: Internal control provides a third party service organization with reasonable, but not absolute assurance about achieving specific control objectives relevant to its user entities. Their achievement is affected by limitations inherent to internal control including human error. Inherent limitations of internal control are dealt with in more details in ISA 315 Identifying and Assessing the Risks of Material Misstatement Through Understanding the Entity and Its Environment. Comments on Objectives Paragraph 8 ISAE 3402 has been written for application to assertion-based engagements, which is not reflected appropriately in the objective. The objective should be amended as follows: The objectives of the service auditor are to: (a) Obtain reasonable assurance, based on suitable criteria, that in all material respects management s assertion regarding the following matters are free of material misstatement: (i) the description of the system is fairly presented in accordance with the criteria presented; (ii) the controls are suitably designed to provide reasonable assurance that the stated control objectives will be achieved;

(iii) when included in the scope of the engagement, the controls operated effectively. (a) Report in accordance with the service auditor s findings. Comments on Requirements Paragraph 15 (a) (i): assessing the suitability of criteria We agree that suitable criteria should be developed to present how the service organization s system, made available to user entities, has been designed and implemented for different classes of transactions; however: many service organizations now offer a very wide variety of services to meet different user needs, beyond traditional specialized services such as payroll and management of pension plans; suitable criteria need to be sufficiently specific to meet the requirements of this ISAE and proposed ISA 402. This implies that any given set of criteria need to be applied to a homogeneous population of classes of transactions processed by the service organization; a set of criteria capable of covering heterogeneous classes is unlikely to be sufficiently specific; in a number of jurisdictions there is little experience with such assurance reports; this has on occasion given rise to misunderstandings between service and user auditors where generalized reports have been misinterpreted and/or mis-marketed as covering the individual needs of individual user auditors. The following wording should be added to paragraph 15 (a): Suitable criteria should be applied to homogeneous classes of transactions and related services, as determined by the characteristics of the transactions. Where service organizations provide a very wide variety of services covered by a single assurance report, the report should be structured in a manner which reflects this requirement, by including discrete descriptions of services which are not homogeneous, for example. Paragraphs 25 and 31: using the work of an internal audit function or external expert We are aware that it is not the intention of the IAASB to promote divided responsibility between the service organization auditor and the internal audit function or external expert. However, the references to the description of internal audit s work (paragraph 25), the service auditor s external expert s work (paragraph 31), and the service auditor s procedures with respect to that work as currently proposed in paragraphs 25 and 31 could be interpreted differently. In order to avoid any possible perception of such a division of responsibilities, paragraphs 25 and 31 should be clearly linked to paragraph 57, which states that the description of the work of the internal audit function or external expert is included in a separate section after the opinion paragraph. Paragraphs 40 and 41: obtaining evidence on the effectiveness of controls Paragraph 40 refers to deviations being within expected rates of deviation. There is a need for guidance on how this paragraph relates to automated controls and manual controls. No deviations might be expected for automated controls, as deviations would indicate that either the controls had been overridden or that there had been a failure in the design of the control. In either case the auditor could not conclude that controls are operating effectively throughout the period. Paragraph 40 should only apply to manual controls whereas paragraph 41 should be applicable to both automated and manual controls.

Paragraph 41 uses the phrases in extremely rare circumstances, and high degree of certainty. While we understand the IAASB s caution in determining when a deviation in a sample is truly an anomaly, the combination of these words seems excessive. Therefore, we suggest deleting the word extremely, and replacing the word high, with the word appropriate. Alternatively, the IAASB might consider distinguishing between deviations in automated and manual control systems. Comments on Application and Other Explanatory Material Paragraph A28 In line with the suggestion above under the heading Restricting the use of assurance reports, concerning the conditional nature of paragraph A28, we recommend the following wording: In those circumstances, the criteria used for engagements to report on controls at a service organization are relevant only for the purposes of providing information about the service organization s systems, including controls, to those who have an understanding of how the system is used for financial reporting by user entities; in such circumstances the service auditor s assurance report states that it is intended only for use by existing users and their financial statement auditors. Responses to Questions The IAASB would welcome views on the following: 1. The proposal that the ISAE be written for application to assertion-based engagements. In particular, the IAASB would welcome any views on whether there are situations in which it would not be possible or practicable for management of the service organization to provide an assertion. FEE is supportive of Proposed ISAE 3402 being written for application to assertion-based engagements. In situations where it is impossible, impractical or unreasonable for management to provide such assertions, the auditor would not accept the engagement, in accordance with ethical and other standards. 2. The inclusion in the proposed ISAE of a number of requirements based on ISAs dealing with matters such as using the work of the internal audit function, sampling, documentation, and using the work of a service auditor s expert. In particular, has the IAASB identified all such matters as are relevant? And should these matters be dealt with in proposed ISAE 3402 or in ISAE 3000? We refer to our comments made in the introductory remarks to this letter and to our main comment on the overlap with ISAE 3000. 3. Whether ISAE 3000 should be amended with respect to auditor s external experts as outlined above. Yes, consideration should be given to making appropriate amendments to ISAE 3000 with regard to external experts when that ISAE is clarified. 4. The proposed requirements regarding the minimum elements of suitable criteria. We refer to our Comments on Requirements on paragraph 15 (a) (i).

5. Whether the description of tests of controls included in a Type B report should include the disclosure of sample sizes determined by the service auditor only when a deviation from controls is found. Yes, Type B reports should only disclose sample sizes when deviations from controls are found. If you have any further questions about our views on these matters, please do not hesitate to contact us. Yours sincerely, Jacques Potdevin President Ref.:AUD/JP/HB-SH

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback