SAE 3402 deals with the assurance engagement carried out by a professional accountant to report on controls at a service organization. Let’s understand SAE 3402 in detail.
SAE 3402 deals with the assurance engagement that provides a service relevant to the user entities’ internal control as it relates to financial reporting. This standard applies only when the service organization is responsible for, or otherwise makes an assertion about, the suitable design of controls. SAE 3402 is effective for service auditor’s assurance reports covering periods ending on or after April 1, 2011.
SAE 3402 does not deal with the following:
i. Assurance engagements to report only on whether the service organization’s controls operated as described
ii. Service auditor engaged to provide the report on user entity’s transaction or service organization’s balance and an agreed-upon procedures report on controls
Stated below is the Service auditor’s objective:
1. Obtain reasonable assurance in all material aspects of the service organisation’s description-
2. Report on the above matters in accordance with the service auditor’s findings
Carve-out method – “Method of dealing with the services provided by a subservice organisation, whereby the service organisation’s description of its system includes the nature of the service provided by a subservice organisation, but that subservice organisation’s relevant control objectives and related control are excluded from the service organisation’s description of its system and from the scope of the service auditor’s engagement.”
Complementary user entity controls – “Controls that the service organization assumes, in the design of its service will be implemented by user entities, and which, if necessary to achieve control objectives stated in the service organization’s description of its system, are identified in that description.”
Service auditor should:
Before agreeing to accept or continue an engagement, the service auditor should:
1. Determine whether:
2. Service organization acknowledges and understands its responsibility:
3. Provide the service auditor with:
In assessing the suitability of criteria to evaluate the service organisation’s system description, the service auditor should determine the following:
1. Design and implementation of a system including:
2. In the case of a type 2 report, whether the description includes relevant details of changes to the service organisation’s system
3. Whether the description omits or distorts any information relevant to the scope of the service organisation’s system.
Understanding the Service Organisation’s System
| No. | Procedure | What the service auditor should do |
|---|---|---|
| 1 | Obtaining evidence regarding the description | Obtain and read the service organisation’s system description and evaluate whether it is fairly presented and whether: i. Control objectives are reasonable in the circumstances; ii. Controls identified were implemented, and complementary user entity controls are adequately described; iii. Services performed by a subservice organisation, if any, are adequately described. The service auditor should determine, through inquiries, inspection and other documentation, whether the service organisation’s system has been implemented and operated. |
| 2 | Obtaining evidence regarding the design of controls | Determine which controls are necessary to achieve the control objectives and whether they are suitably designed, including: i. Identifying the risk that threatens the achievement of control description; ii. Evaluating the linkage of the controls identified with the risk. |
| 3 | Obtaining evidence regarding operating effectiveness of controls | When providing a type 2 report, the service auditor should test the controls necessary to achieve the control objectives. When designing and performing the test of controls: i. Perform procedures to obtain evidence about how the control was applied, its consistency and by whom the control was applied; ii. If the controls tested depend upon other controls, obtain evidence to support their operating effectiveness; iii. Determine the means of selecting items for testing. Consider the characteristics of the population tested, including nature of controls, application frequency, deviation, etc. |
When using sampling, the service auditor should:
With respect to any deviations identified, the service auditor should determine whether they are within the expected rate of deviation and whether any additional testing is necessary to provide an appropriate basis to conclude if the control objective is operating effectively.
If the service organisation has an internal audit function, the service auditor should understand the nature of its responsibilities and the activities performed, to determine whether it is relevant to the engagement:
The service auditor should obtain written representations from the service organisation that it:
1. Reaffirms the assertion accompanying the description of the system
2. Has provided the service auditor with all relevant information and access as agreed
3. Has disclosed to the service auditor any of the following of which it is aware:
If the service organisation does not provide the written representation for any of the above, the service auditor should disclaim an opinion.
The following are the documentation requirements that enable any service auditor to understand the engagement:
1. Nature, timing, and extent of procedures performed
2. Procedure result and evidence obtained
3. Significant matters, judgments, and conclusions reached
4. If specific work of internal auditors is used, then document the conclusion reached regarding the adequacy of that work and the procedures performed by the service auditor on that work
5. If there is any inconsistency with the service auditor’s final conclusions, then how the inconsistency was addressed should be documented
6. The service auditor should maintain the documentation until the end of its retention period, etc.