SAE 3402 Assurance Reports on Controls at Service Organisation

SAE 3402 deals with the assurance engagement carried out by a professional accountant to report on controls at a service organization. Let’s understand SAE 3402 in detail.

Scope

SAE 3402 deals with the assurance engagement for a service organization that provides a service relevant to the user entities’ internal control as it relates to financial reporting. This standard applies only when the service organization is responsible for, or otherwise makes an assertion about, the suitable design of controls. SAE 3402 is effective for service auditor’s assurance reports covering periods ending on or after April 1, 2011.

Non-Applicable

SAE 3402 does not deal with the following:

i. Assurance engagements to report only on whether the service organization’s controls operated as described

ii. A service auditor engaged to provide a report on a user entity’s transactions or a service organization’s balances, and an agreed-upon procedures report on controls

Objective

The service auditor’s objectives are stated below:

1. Obtain reasonable assurance, in all material aspects of the service organisation’s description, that:

  • Systems are designed and implemented throughout the specified period
  • System’s control objectives are suitably designed throughout the specified period
  • Controls were operated effectively in accordance with the control objectives

2. Report on the above matters in accordance with the service auditor’s findings

Definition

Carve out method – “Method of dealing with the services provided by a subservice organisation, whereby the service organisation’s description of its system includes the nature of the service provided by a subservice organisation, but that subservice organisation’s relevant control objectives and related control are excluded from the service organisation’s description of its system and from the scope of the service auditor’s engagement.”

Complementary user entity controls – “Controls that the service organization assumes, in the design of its service, will be implemented by user entities, and which, if necessary to achieve control objectives stated in the service organization’s description of its system, are identified in that description.”

Requirements

Service auditor should:  

Service organisation

Acceptance and Continuance

Before agreeing to accept or continue an engagement, the service auditor should:

1. Determine whether:

  • The service auditor has the capabilities and competence to perform the engagement
  • The criteria used to prepare the description of the service organization’s system will be suitable and available to user entities and their auditors
  • The scope of the engagement and the service organization’s description of its system will be useful to the user entities and their auditors

2. Obtain the service organization’s agreement that it acknowledges and understands its responsibility for:

  • Preparing the description of its system, including its completeness, accuracy, and method of presentation
  • Having a reasonable basis for the service organisation’s assertion
  • The control objectives stated in the description
  • The description of its system: where the control objectives are specified by law or regulation or another party, the party who specified them
  • Identifying the risks that threaten the achievement of the control objectives

3. Confirm that the service organization will provide the service auditor with:

  • Access to all information, such as records, documentation and other matters, including the service agreement
  • Any additional information required for the assurance engagement
  • Unrestricted access to persons within the service organisation to obtain evidence

Assessing Suitability of Criteria

In assessing the suitability of criteria to evaluate the service organisation’s system description, the service auditor should determine the following:

1. Design and implementation of a system including:

  • Types of service provided and classes of transaction processed
  • Procedures within both information technology and manual system
  • Related records and supporting information
  • How significant events and conditions are dealt with
  • Report preparation process
  • Specified control objectives and control design to achieve them
  • Complementary user entity controls
  • Other aspects, including the risk assessment process, communication, etc.

2. In the case of a type 2 report, whether the description includes relevant details of changes to the service organisation’s system

3. Whether the description omits or distorts any information relevant to the scope of the service organisation’s system

Understanding the Service Organisation’s System

| Sl. No | Particulars | Details |
|---|---|---|
| 1 | Obtaining evidence regarding the description | Obtain and read the service organisation’s system description and evaluate whether it is fairly presented, including whether: i. Control objectives are reasonable in the circumstances; ii. Controls identified were implemented, and complementary user entity controls are adequately described; iii. Services performed by a subservice organisation, if any, are adequately described. The service auditor should determine whether the service organisation’s system has been implemented and operated through inquiries, inspection and other documentation. |
| 2 | Obtaining evidence regarding the design of controls | Determine which controls are necessary to achieve the control objectives and whether they are suitably designed, including: i. Identifying the risks that threaten the achievement of the control objectives in the description; ii. Evaluating the linkage of the controls identified with those risks. |
| 3 | Obtaining evidence regarding operating effectiveness of controls | When providing a type 2 report, the service auditor should test the controls necessary to achieve the control objectives. When designing and performing the tests of controls: i. Perform procedures to obtain evidence about how the control was applied, the consistency with which it was applied, and by whom it was applied; ii. If the controls tested depend upon other controls, obtain evidence to support the operating effectiveness of those other controls; iii. Determine the means of selecting items for testing. Consider the characteristics of the population tested, including the nature of controls, application frequency, deviation, etc. |

Sampling

When using sampling, the service auditor should:

  1. Consider the purpose of the procedure
  2. Consider the characteristics of the population tested
  3. Determine an appropriate sample size to reduce the sampling risk
  4. Select items so that each sampling unit in the population has a chance of selection
  5. If a designed procedure is not applicable to a selected item, perform the procedure on a replacement item
  6. Determine whether any deviations exist

Where deviations are identified, the service auditor should determine whether they are within the expected rate of deviation and whether any additional testing is necessary to provide an appropriate basis to conclude whether the controls related to the control objective are operating effectively.

Work of Internal Audit Function

If the service organisation has an internal audit function, the service auditor should understand the nature of its responsibilities and the activities it performs to determine whether it is relevant to the engagement:

Written Representation

The service auditor should obtain written representations from the service organisation that:

1. Reaffirm the assertion accompanying the description of the system

2. It has provided the service auditor with all relevant information and access as agreed

3. It has disclosed to the service auditor any of the following of which it is aware:

  • Control design deficiency
  • An instance where controls have not operated as described
  • Non-compliance with law and regulation, fraud or uncorrected deviation
  • Any subsequent event which could have a significant effect on the assurance report

If the service organisation does not provide the written representation for any of the above, the service auditor should disclaim an opinion.

Documentation

The following are the documentation requirements that enable any service auditor to understand the engagement:

1. Nature, timing, and extent of procedures performed

  • Identifying characteristics of the specific items tested
  • Who performed the work and the completion date
  • Who reviewed the work and date completed

2. Procedure result and evidence obtained

3. Significant matters, judgments, and conclusions reached

4. If specific work of internal auditors is used, then document the conclusion reached regarding the adequacy of that work and the procedures performed by the service auditor on that work

5. If there is any inconsistency with the service auditor’s final conclusions, then how the inconsistency was addressed should be documented

6. The service auditor should maintain the documentation until the end of its retention period
