SAE 3402 deals with the assurance engagement carried out by a professional accountant to report on controls at a service organisation. Let’s understand SAE 3402 in detail.

  1. Scope
  2. Non-Applicable
  3. Objective
  4. Definition
  5. Requirements
  6. Acceptance and Continuance
  7. Assessing Suitability of Criteria
  8. Sampling
  9. Work of Internal Audit Function
  10. Written Representation
  11. Documentation

1. Scope

SAE 3402 deals with assurance engagements in which a service organisation provides a service that is relevant to the user entities’ internal control as it relates to financial reporting.

This standard applies only when the service organisation is responsible for, or otherwise able to make an assertion about, the suitable design of its controls.

SAE 3402 is effective for service auditor’s assurance reports covering periods ending on or after April 1, 2011.

2. Non-Applicable

SAE 3402 does not deal with the following:

i. Assurance engagements to report only on whether the service organisation’s controls operated as described

ii. Engagements in which the service auditor reports on a user entity’s transactions or a service organisation’s balances, and agreed-upon procedures reports on controls

3. Objective

The service auditor’s objectives are to:

1. Obtain reasonable assurance about whether, in all material respects, the service organisation’s description of its system and its controls are such that:

i. The system was designed and implemented as described throughout the specified period

ii. The controls related to the control objectives were suitably designed throughout the specified period

iii. The controls operated effectively in accordance with the control objectives

2. Report on the above matters in accordance with the service auditor’s findings

4. Definition

Carve-out method – “Method of dealing with the services provided by a subservice organisation, whereby the service organisation’s description of its system includes the nature of the services provided by a subservice organisation, but that subservice organisation’s relevant control objectives and related controls are excluded from the service organisation’s description of its system and from the scope of the service auditor’s engagement.”

Complementary user entity controls – “Controls that the service organisation assumes, in the design of its service, will be implemented by user entities, and which, if necessary to achieve control objectives stated in the service organisation’s description of its system, are identified in that description.”

5. Requirements

Service auditor should:

Service organisation


6. Acceptance and Continuance

Before agreeing to accept or continue an engagement, the service auditor should:

1. Determine whether:

i. The service auditor has the capabilities and competence to perform the engagement

ii. The criteria used to prepare the description of the service organisation’s system will be suitable and available to user entities and their auditors

iii. The scope of the engagement and the service organisation’s description of its system will be useful to user entities and their auditors

2. Obtain the service organisation’s acknowledgement that it understands its responsibility for:

i. Preparing the description of its system, including its completeness, accuracy and method of presentation

ii. Having a reasonable basis for the service organisation’s assertion

iii. Stating the control objectives in the description

iv. Identifying in the description of its system, where the control objectives are specified by law, regulation or another party, the party who specified them

v. Identifying the risks that threaten the achievement of the control objectives

3. Confirm that the service organisation will provide the service auditor with:

i. Access to all information, such as records and documentation, including the service agreement

ii. Any additional information required for the assurance engagement

iii. Unrestricted access to persons within the service organisation from whom evidence is to be obtained

7. Assessing Suitability of Criteria

In assessing the suitability of criteria to evaluate the service organisation’s system description, the service auditor should determine the following:

1. Whether the description presents how the system was designed and implemented, including:

i. Types of services provided and classes of transactions processed

ii. Procedures within both information technology and manual systems

iii. Related records and supporting information

iv. How significant events and conditions are dealt with

v. The report preparation process

vi. Specified control objectives and the controls designed to achieve them

vii. Complementary user entity controls

viii. Other aspects, including the risk assessment process, communication, etc.

2. In the case of a type 2 report, whether the description includes relevant details of changes to the service organisation’s system

3. Whether the description omits or distorts any information relevant to the scope of the service organisation’s system.

3. Whether the description omits or distorts any information relevant to the scope of the service organisation’s system.

Understanding the Service Organisation’s System

1. Obtaining evidence regarding the description

Obtain and read the service organisation’s description of its system and evaluate whether it is fairly presented, including whether:

i. The control objectives are reasonable in the circumstances

ii. The controls identified in the description were implemented, and complementary user entity controls are adequately described

iii. Services performed by a subservice organisation, if any, are adequately described

The service auditor should determine, through inquiries, inspection of documentation and other procedures, whether the service organisation’s system has been implemented and operated.

2. Obtaining evidence regarding the design of controls

Determine which controls are necessary to achieve the control objectives and whether they were suitably designed, including:

i. Identifying the risks that threaten the achievement of the control objectives

ii. Evaluating the linkage between the identified controls and those risks

3. Obtaining evidence regarding the operating effectiveness of controls

When providing a type 2 report, the service auditor should test the controls necessary to achieve the control objectives.

When designing and performing the tests of controls:

i. Perform procedures to obtain evidence about how the control was applied, the consistency with which it was applied and by whom it was applied

ii. If a control tested depends upon other controls, obtain evidence supporting the operating effectiveness of those other controls

iii. Determine the means of selecting items for testing, considering the characteristics of the population tested, including the nature of the controls, the frequency of their application and the expected rate of deviation

8. Sampling

When using sampling, the service auditor should:

i. Consider the purpose of the procedure

ii. Consider the characteristics of the population tested

iii. Determine a sample size sufficient to reduce sampling risk to an acceptably low level

iv. Select items in such a way that each sampling unit in the population has a chance of selection

v. If a designed procedure is not applicable to a selected item, perform the procedure on a replacement item

vi. Investigate the nature and cause of any deviation identified

With respect to any deviations identified, the service auditor should determine whether they are within the expected rate of deviation and whether additional testing is necessary to provide an appropriate basis for concluding whether the control is operating effectively.
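Added example, not part of the article or of SAE 3402 itself: a small Python sketch of steps iv to vi above. A constructed population of control executions (imagined as quarterly user-access review sign-offs) is sampled so that every unit has a chance of selection, items to which the procedure cannot be applied are replaced rather than counted, and the observed deviation rate is compared with the expected rate to flag whether additional testing is needed. The sample size and the expected deviation rate are inputs the auditor sets from professional judgement; the code does not derive them.

```python
import random
from dataclasses import dataclass


@dataclass
class ControlInstance:
    """One execution of a control during the period (constructed sample data)."""
    ref: str
    applicable: bool   # False if the test procedure cannot be applied to this item
    deviation: bool    # True if the control did not operate as described


# Constructed population of 100 control executions: five items (every 17th) are
# not applicable to the procedure, and two (UAR-005, UAR-041) are deviations.
POPULATION = [
    ControlInstance(f"UAR-{i:03d}", applicable=(i % 17 != 0), deviation=(i in {5, 41}))
    for i in range(1, 101)
]


def select_sample(population, sample_size, seed=0):
    """Random selection gives every sampling unit a chance of selection (step iv).
    An item the procedure cannot be applied to is replaced by the next randomly
    ordered item (step v); it is neither tested nor counted as a deviation."""
    rng = random.Random(seed)          # seeded only so the selection is reproducible
    order = list(population)
    rng.shuffle(order)
    sample, replaced = [], []
    for item in order:
        if len(sample) == sample_size:
            break
        (sample if item.applicable else replaced).append(item)
    if len(sample) < sample_size:
        raise ValueError("not enough applicable items for the requested sample size")
    return sample, replaced


def evaluate_deviations(sample, expected_rate):
    """Compare the observed deviation rate with the expected rate (step vi).
    Exceeding the expected rate does not itself conclude that the control failed;
    it signals that additional testing is needed before concluding."""
    deviations = [item.ref for item in sample if item.deviation]
    observed_rate = len(deviations) / len(sample)
    return {
        "tested": len(sample),
        "deviations": deviations,
        "observed_rate": observed_rate,
        "within_expected": observed_rate <= expected_rate,
        "additional_testing_needed": observed_rate > expected_rate,
    }
```

Every deviation listed in the result still has to be investigated for its nature and cause, as step vi requires, regardless of whether the rate is within expectation.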

9. Work of Internal Audit Function

If the service organisation has an internal audit function, the service auditor should obtain an understanding of the nature of its responsibilities and the activities it performs, in order to determine whether they are relevant to the engagement:


10. Written Representation

The service auditor should obtain written representations from the service organisation that it:

1. Reaffirms the assertion accompanying the description of its system
2. Has provided the service auditor with all relevant information and access as agreed
3. Has disclosed to the service auditor any of the following of which it is aware:

i. Deficiencies in the design of controls

ii. Instances where controls have not operated as described

iii. Non-compliance with laws and regulations, fraud, or uncorrected deviations

iv. Any subsequent event that could have a significant effect on the assurance report

If the service organisation does not provide any of the above written representations, the service auditor should disclaim an opinion.

11. Documentation

The service auditor should document the following so that the engagement can be understood:

1. The nature, timing and extent of the procedures performed, including:

i. The identifying characteristics of the specific items tested

ii. Who performed the work and the date it was completed

iii. Who reviewed the work and the date the review was completed

2. The results of the procedures and the evidence obtained

3. Significant matters, the judgements made and the conclusions reached

4. If specific work of the internal auditors is used, the conclusions reached regarding the adequacy of that work and the procedures performed by the service auditor on that work

5. If any evidence is inconsistent with the service auditor’s final conclusions, how the inconsistency was addressed

6. The service auditor should retain the documentation for the applicable retention period

