Post on 18-Dec-2015

Third Party Reporting

© 2008 Ernst & Young LLP. All rights reserved. For Internal Use Within EY Only; Not for Distribution to Clients.

New International Audit Standard for Service Auditor’s Reports – ISAE 3402

James Merrill – Ernst & Young LLP

Agenda

• Background

• Comparison of ISAE 3402 to SAS 70

• Planning Considerations

Historical Perspective

• AICPA set initial standard with SAS No. 70 in 1990s

• Other countries have issued similar standards

– Japan – ASCR 18

– UK – FRAG 21/94

– Others – Australia, Hong Kong

• US Congress’ Sarbanes-Oxley Act in 2002 significantly increased demand for SAS 70 reports

• International Federation of Accountants (IFAC) issued user’s guide to service auditor’s reports in 2004

New Standard – Timeline of IFAC

• IFAC’s International Accounting and Auditing Standards Board (IAASB) recognized a need for consistent service auditor’s reports on an international basis in 2006

• IAASB developed ISAE 3402 in 2007

– Started with SAS 70 standard

– Exposure draft issued January 2008

– Coordinating with local country standards setting organizations

– Effective in late 2009

Similarities Between ISAE 3402 & SAS 70

• Major elements of SAS 70 adopted by the IAASB

– Type 1 and Type 2 reports (now Type A and Type B)

– Description of controls prepared by service organization

– List of controls specified and tested

– Provision for carve-out and inclusive sub-servicers

– Use of internal audit is permitted

• Helps to minimize transition efforts

• Easier training for service organization staff, auditors, and users of such reports

Differences Between ISAE 3402 & SAS 70

• Change to an attestation standard

– Service organization attests to the existence and operating effectiveness of controls in the report

– Auditor opines on the subject matter supporting the assertions

• Service auditor required to assess the reasonableness of management’s criteria used to develop the control objectives and controls

– Criteria must be specific, measurable, and relevant to users’ intended reliance on the report

Planning Considerations – ISAE 3402

• Assertions

– Included in the report after the service auditor’s opinion

– In addition to the letter of representations between the auditor and the service organization

– Examples provided by IAASB in ISAE 3402 Appendices

Assertions by Management – ISAE 3402

• Focus on existing systems and user organizations

• Confirms to user of the report:

– Description of controls is fairly presented

– Does not distort or omit information relevant to intended users

– Controls were suitably designed and operated effectively

– The criteria used to make the assertion are appropriate.

• Signed by business process owners

Distribution of the Report – ISAE 3402

Intended Users and Purpose

This report and the description of tests of controls on pages [yy-zz] are intended only for existing customers of XYZ Service Organization’s [type or name of] system, and their auditors, who have a sufficient understanding to consider it, along with other information including information about controls operated by customers themselves, when assessing the risks of material misstatements of customers’ financial statements.

[Service auditor’s signature]

[Date of the service auditor’s assurance report]

Planning Considerations – ISAE 3402

• Planning objectives:

– Developing relevant assertions

– Identifying relevant criteria for control objectives

– Identifying other changes to report content

• Project management for transition is necessary

– Designated service organization staff for best results

Planning Considerations – AICPA Standards

• Awareness of new AICPA attest standard

– Replaces SAS 70 with two new standards

    • ISA 402

    • ISAE 3402

– Expected implementation year is 2010

– Similar in scope and content to ISAE 3402

– Parallel planning effort necessary by service organizations

IAASB Feedback Period

• IAASB welcomes feedback during “comment period”

– Encourages industry reaction and feedback

– ISA 402 (user auditor’s use of the report) feedback due April 30, 2008

– ISAE 3402 (reporting standard) feedback due May 31, 2008

– Respond directly to IAASB in New York City

– Document Address: http://www.ifac.org/Guidance/EXD-Details.php?EDID=0099
