Within our recommendations for editorial changes, additions are noted in bold underline and deletions in strike-through.

Similar documents
Re: Exposure Draft Proposed ISAE 3402 on Assurance Reports on Controls at a Third Party Service Organization

SAS 70 SOC 1 SOC 2 SOC 3. Type 1 Type 2

Audit Considerations Relating to an Entity Using a Service Organization

ISA 800/805. Proposed changes to ISA 800/ 805 were limited in nature

Exposure Draft The Auditor s Responsibility to Consider Fraud in an Audit of Financial Statements

International Auditing and Assurance Standards Board (IAASB) International Federation of Accountants 545 Fifth Avenue, 14 th Floor New York, NY 10017

Making trust evident Reporting on controls at Service Organizations

Period from October 1, 2013 to September 30, 2014

SOC 2 examinations and SOC for Cybersecurity examinations: Understanding the key distinctions

International Standard on Auditing (Ireland) 505 External Confirmations

INTERNATIONAL STANDARD ON AUDITING 505 EXTERNAL CONFIRMATIONS CONTENTS

Information for entity management. April 2018

Issue for Consideration: Appropriateness of the Drafting of Paragraph A17

ADVANCED AUDIT AND ASSURANCE

C22: SAS 70 Practices and Developments Todd Bishop, PricewaterhouseCoopers

Evaluating SOC Reports and NEW Reporting Requirements

Retirement of SAS 70 and a new generation of Service Organization Control (SOC) Reports

Hong Kong Institute of Certified Public Accountants Practising Certificate ("PC") Business Assurance

LIST OF SUBSTANTIVE CHANGES AND ADDITIONS. PPC's Guide to Audits of Local Governments. Thirty first Edition (February 2016)

International Standard on Auditing (UK) 505

EXTERNAL CONFIRMATIONS SRI LANKA AUDITING STANDARD 505 EXTERNAL CONFIRMATIONS

Transitioning from SAS 70 to SSAE 16

26 February Office of the Secretary Public Company Accounting Oversight Board 1666 K Street, NW Washington, DC

SOC Reports The 2017 Update: What s new, What s not, and What you should be doing with the SOC Reports you receive! Presented by Jeff Pershing

ISACA Cincinnati Chapter March Meeting

SOC Updates: Understanding SOC for Cybersecurity and SSAE 18. May 23, 2017

Adopting SSAE 18 for SOC 1 reports

IIA EXAM - IIA-CGAP. Certified Government Auditing Professional. Buy Full Product.

Exam Questions IIA-CGAP

18 April Re.: Exposure Draft, Improving the Structure of the Code of Ethics for Professional Accountants - Phase 1. Dear Mr.

Policy for Translating and Reproducing Standards Issued by the International Federation of Accountants

Submission to the International Integrated Reporting Council regarding the Consultation Draft of the International Integrated Reporting Framework

SOC for cybersecurity

NASD NOTICE TO MEMBERS 97-58

ISA 540 (Revised): Update. May 2018 ASB meeting Dan Montgomery May 17, 2018

Learning Objectives. External confirmations procedures as per SA330 and SA 500 requirements

Error! No text of specified style in document.

SAS 70 revised. ISAE 3402 will focus on financial reporting control procedures. Compact_ IT Advisory 41. Introduction

SAS 70 & SSAE 16: Changes & Impact on Credit Unions. Agenda

The Accreditation and Verification Regulation - Verification report

SAS 70 Audit Concepts. and Benefits JAYACHANDRAN.B,CISA,CISM. August 2010

USER CORPORATE RULES. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy.

UNCONTROLLED IF PRINTED

Summary of Changes in ISO 9001:2008

SAS70 Type II Reports Use and Interpretation for SOX

Demonstrating data privacy for GDPR and beyond

Lahore University of Management Sciences. ACCT 250 Auditing Spring Semester 2018

Mastering SOC-1 Attestation Reports Under SSAE 16: Auditing Service Organizations Controls in the Cloud

AUDIT REPORT. Network Assessment Audit Audit Opinion: Needs Improvement. Date: December 15, Report Number: 2014-IT-03

General Information Technology Controls Follow-up Review

CRITERIA FOR CERTIFICATION BODY ACCREDITATION IN THE FIELD OF RISK BASED INSPECTION MANAGEMENT SYSTEMS

CASA External Peer Review Program Guidelines. Table of Contents

MARPA DOCUMENT MARPA Revision 1.1

Data Protection Policy

Minimum Requirements For The Operation of Management System Certification Bodies

Weighing in on the Benefits of a SAS 70 Audit for Third Party Administrators

Institute of Certified Forensic Accountants. Certificate in Internal Auditing

SOC Reporting / SSAE 18 Update July, 2017

ISO/IEC Information technology Security techniques Code of practice for information security controls

Service Organization Control (SOC) Reports: What they are and what to do with them MARCH 21, 2017

26 May Victoria Learmonth Prudential Supervision Department PO Box 2498 Wellington

OPG Comments on REGDOC-1.1.5, Licence Application Guide: Small Modular Reactor Facilities

CERTIFICATE SCHEME THE MATERIAL HEALTH CERTIFICATE PROGRAM. Version 1.1. April 2015

Action Plan Developed by The Iranian Institute of Certified Accountants (IICA) BACKGROUND NOTE ON ACTION PLANS

PREPARING FOR SOC CHANGES. AN ARMANINO WHITE PAPER By Liam Collins, Partner-In-Charge, SOC Audit Practice

Policy for Accrediting Assessment Bodies Operating within the Cradle to Cradle Certified Product Certification Scheme. Version 1.2

Do you handle EU residents personal data? The GDPR update is coming May 25, Are you ready?

STATE OF NORTH CAROLINA OFFICE OF THE STATE AUDITOR BETH A. WOOD, CPA FAYETTEVILLE STATE UNIVERSITY

PRIVACY POLICY Let us summarize this for you...

Global Specification Protocol for Organisations Certifying to an ISO Standard related to Market, Opinion and Social Research.

Whistleblower Submission Form

UWC International Data Protection Policy

DFARS Cyber Rule Considerations For Contractors In 2018

STAFF REPORT. January 26, Audit Committee. Information Security Framework. Purpose:

This document is a preview generated by EVS

California ISO Audit Results for 2011 SSAE 16 & Looking Forward for 2012 December 15, 2011

WECC Internal Controls Evaluation Process WECC Compliance Oversight Effective date: October 15, 2017

Testers vs Writers: Pen tests Quality in Assurance Projects. 10 November Defcamp7

Comment on Exposure Draft, IFRS Practice Statement: Application of Materiality to Financial Statements

ISACA Survey Results. 27 April Ms. Nancy M. Morris, Secretary Securities and Exchange Commission 100 F Street NE Washington, DC

Data Sharing Agreement. Between Integral Occupational Health Ltd and the Customer

Article II - Standards Section V - Continuing Education Requirements

CSF to Support SOC 2 Repor(ng

Starflow Token Sale Privacy Policy

Policy for Certification of Private Label Products Within the Cradle to Cradle Certified Certification Scheme. Version 1.0.

DATA PROTECTION POLICY

SERVICE ORGANIZATION CONTROL (SOC) REPORTS: WHAT ARE THEY?

IS Audit and Assurance Guideline 2001 Audit Charter

OF ACCOUNTANTS IAASB CAG MEETING MARCH 7, 2011

IT Attestation in the Cloud Era

Enterprise resilience and the role of Standards

BACKGROUND NOTE ON ACTION PLANS

DATA PROTECTION AND PRIVACY POLICY

Development Authority of the North Country Governance Policies

1. In relation to the Jon Faine Smith/Baker broadcast interviews on 23 November 2012 via 774 ABC Melbourne:

Auditing and assurance

Office Properties Income Trust Privacy Notice Last Updated: February 1, 2019

Information technology Security techniques Requirements for bodies providing audit and certification of information security management systems

UNIVERSITY OF NORTH CAROLINA CHARLOTTE

Auditing and Monitoring for HIPAA Compliance. HCCA COMPLIANCE INSTITUTE 2003 April, Presented by: Suzie Draper Sheryl Vacca, CHC

Transcription:

1633 Broadway New York, NY 10019-6754 Mr. Jim Sylph Executive Director, Professional Standards International Federation of Accountants 545 Fifth Avenue, 14th Floor New York, NY 10017 Dear Mr. Sylph: We appreciate this opportunity to comment on proposed International Standard on Assurance Engagements (ISAE) 3402, Assurance Reports on Controls at a Third Party Service Organization (the proposed standard ) and the proposed conforming amendment to Preface to the International Standards on Quality Control, Auditing, Review, Other Assurance and Related Services, as developed by the International Auditing and Assurance Standards Board (IAASB). Within our recommendations for editorial changes, additions are noted in bold underline and deletions in strike-through. RESPONSES TO SPECIFIC QUESTIONS: 1. Do you support the proposal that the ISAE be written for application to assertion-based engagements? Are there situations in which it would not be possible or practicable for management of the service organization to provide an assertion? Yes, we support the application of the ISAE only to assertion-based engagements. 2. Do you support the inclusion in the proposed standard of a number of requirements based on ISAs dealing with matters such as using the work of the internal audit function, sampling, documentation, and using the work of a service auditor s expert? Has the IAASB identified all such matters as are relevant? Should these matters be dealt with in proposed ISAE 3402 or in ISAE 3000? We believe it would be more appropriate to amend ISAE 3000, as these types of requirements would be equivalent to most assurance engagements covered by ISAE 3000. We understand that this is not the highest priority of the IAASB at this point.

Page 2 Accordingly, we suggest that once ISAE 3000 is revised, that the irrelevant material be deleted from ISAE 3402 at that point. 3. Should ISAE 3000 be amended with respect to the auditor s external experts as outlined in the question above? Yes. Similar to our answer to question 2 above, we believe that ISAE 3000 should be ultimately amended to include guidance on the auditor s external experts. 4. What are your views on the proposed requirements regarding the minimum elements of suitable criteria? While we agree with having minimum elements of suitable criteria, we do not believe that the items listed in paragraph 15 are criteria for fair presentation. Rather, we believe that they are a list of content of the description of the system. It seems that the evaluation of whether the description of the system is fairly presented is contained in paragraph 33, which states that the auditor shall obtain and read the description, and evaluate whether the aspects of the description are presented fairly. Because of this, we believe the introduction to paragraph 15 should be revised as noted below, to be clear that paragraph 15 relates more to completeness of the description as opposed to fairness of the description (paragraph 33): 15. Suitable criteria for evaluating whether the description of the system is fairly presented provides sufficient information for a broad range of user entities and their auditors shall encompass at a minimum whether the description: (a) Presents how the system has been designed and implemented to process relevant transaction, including as appropriate: (i) through (vii)... (b) Does not omit or distort information relevant to the scope of the service organization's system being described, while acknowledging that the description is presented to meet the common needs of a broad range of user entities and their auditors and may not, therefore, include every aspect of the service organization's system that each individual user entity and its auditor may consider important in its particular environment. 5. Should the description of tests of control included in a Type B report include the disclosure of sample sizes determined by the service auditor only when a deviation from controls is found? Yes, we agree with the IAASB proposal to disclose sample sizes only when a deviation from controls is found. This is the same approach used when issuing SAS 70 reports.

Page 3 COMMENTS BY PARAGRAPH: Sub-service Organizations The proposed standard includes guidance on sub-service organizations, which we believe is important, due to the growing number of sub-service organizations being used. However, we recommend that additional guidance be added for situations when the inclusive method is used, especially related to the responsibilities of the management of the sub-service organization. For example, obtaining an assertion and a written representation from the management of the sub-service organization. Understanding the Service Organization s Risk Assessment Process As part of an audit of the financial statements, user auditor s are required to obtain a sufficient understanding of the entity and its environment, including its internal control, to assess the risk of material misstatement of the financial statements, whether due to error or fraud. To assist user auditors in accomplishing that goal, a service auditor should perform procedures to obtain information about the risk that the description of the system is not fairly presented or that stated control objectives would not be achieved due to fraud, illegal acts or intentional misconduct by service organization personnel. Accordingly, we recommend that the proposed standard include a requirement for the service auditor to make inquiries of service organization management about their assessment of the risk of fraud and their process for identifying and responding to the risks of fraud. There should also be a requirement to inquire of management and internal audit, if present, about their knowledge of any actual, suspected or alleged fraud affecting the service organization. However, the application material related to these requirements should clarify that, due to the inherent limitations of an assurance engagement (for example, the nature of the procedures performed and the need for the engagement to be conducted within a reasonable period of time and at a reasonable cost), the service auditor cannot reduce assurance engagement risk to zero. The service auditor, therefore, cannot obtain absolute assurance about the absence of fraud, illegal acts or intentional misconduct by service organization personnel. Paragraph A13 In order to be clear that the outside parties referred to in the first bullet of paragraph A13 (the ones which may have designated the stated control objectives) are outside parties that have established processes which are more likely to lead to generally accepted control objectives, we recommend the following editorial change: A13. Paragraph 33(a) requires the service auditor to evaluate whether the stated control objectives are reasonable in the circumstances. Considering the following questions may assist the service auditor in this evaluation:

Page 4 Have the stated control objectives been designated by the service organization or by outside parties which develop and publish control objectives for specified activities, such as regulatory authorities, a user group, a professional body or others? Where the stated control objectives have been specified by management, do they relate to the types of assertions commonly embodied in the broad range of user entities financial statements to which controls at the service organization could reasonably be expected to relate? Although the service auditor ordinarily will not be able to determine how controls at a service organization specifically relate to the assertions embodied in individual user entities financial statements, the service auditor s understanding of the nature of the service organization s system, including controls, and services being provided is used to identify the types of assertions to which those controls are likely to relate. Where the stated control objectives have been specified by management, are they complete? A complete set of control objectives can provide a broad range of user auditors with a framework to assess the effect of controls at the service organization on the assertions commonly embodied in user entities financial statements. Paragraphs 39, A23(b) and (c) and A24 The three references related to sampling in paragraph A23 (b) and (c) and A24 erroneously use the term attribute sampling instead of sampling alone We believe that the use of attribute sampling is an error because related paragraphs 22(c), 26 and 27 in extant ISA 530 use the term audit sampling in equivalent circumstances. However, as this is not an audit standard, it would not be appropriate to use the term audit sampling. Accordingly, we recommend that all references to attribute be deleted in the proposed standard. Paragraph 56(c)(iii) Bullet(c)(iii) of paragraph 56 states that if the description of the system refers to the need for complementary user entity controls, the service auditor s report should include a statement that: The service auditor has not evaluated the suitability of design or operating effectiveness of complementary user entity controls. The stated control objectives can be achieved only if complementary user entity controls are suitably designed or operating effectively, along with the controls at the service organization. We fully support this guidance, but recommend that the proposed standard include additional guidance on the placement of such a statement within the service auditor s report. This could be done through an additional example in the Appendix. We recommend that it be placed within the audit opinion.

Page 5 We also encourage the IAASB to consider whether there should be a specific statement that the service auditor cannot opine on user entity controls. Paragraphs 59 and A31 Paragraphs 59 and A31 relate to Other Communication Responsibilities when the service auditor becomes aware of non-compliance with laws and regulations, or uncorrected errors that are not clearly trivial and may affect one or more user entities. The requirement in paragraph 59 is to determine whether this information has been clearly communicated to affected user entities, and if not, to take appropriate action. Application material in paragraph A31 provides examples of appropriate action. However, we believe that some appropriate action as listed in paragraph A31 should be taken, regardless of whether the information has been clearly communicated to affected user entities or not. Accordingly, we recommend that the heading above paragraphs 59 and A31 be changed to Other Responsibilities and that the following changes be made to both paragraphs: 59. If the service auditor becomes aware of non-compliance with laws and regulations, or uncorrected errors attributable to the service organization that are not clearly trivial and may affect one or more user entities, the service auditor shall determine whether this information has been communicated appropriately to affected user entities. If the information has not been so communicated and management of the service organization is unwilling to do so, the service auditor, and shall take appropriate action. A31. Appropriate action when the service auditor becomes aware of noncompliance with laws and regulations, or uncorrected errors that has not been communicated appropriately to affected user entities, and management of the service organization is unwilling to do so are not clearly trivial and may affect one or more user entities, may include one of more of the following: o Requesting that management of the service organization communicate such information to affected user entities. o Obtaining legal advice about the consequences of different courses of action. o Communicating with those charged with governance of the service organization. o Communicating with third parties (for example, a regulator) when required to do so. o Modifying the service auditor s opinion, or adding an other matters paragraph. o Withdrawing from the engagement.

Page 6 Paragraph A10 We recommend adding another bullet to paragraph A10, to include reperformance as an additional procedure used by the auditor to obtain an understanding of the service organization s system, as this is a common procedure employed. Appendix 2 We recommend providing report examples for the inclusive and carve out methods when using sub-service organizations. We would be pleased to discuss our letter with you or your staff at your convenience. If you have any questions, please contact Jens Simonsen, Director of Global Audit Services at + 1 212 492 3689 or John Fogarty, Chairman DTT Assurance Technical Policies and Methodologies Group at + 1 203 761 3227. Very truly yours,

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback