Implementing and maintaining ISAE 3402


Contents
Introduction
Purpose and background
Benefits to the service organisation
How Ernst & Young helps
Successful continuance after implementation
Contacts

Introduction

Although many businesses have been outsourcing parts of their work for years, outsourcing continues to grow in popularity, driven in particular by globalisation, technological change and the need for standardised business processes. Outsourcing is any task, operation, job or process that could be performed by employees within the user organisation but is instead contracted to a third party (the service organisation) or to another group company for a period of time. Examples from the financial sector:
- Asset managers that perform asset management services for different parties within a group company.
- Pension administrators that perform the administration for pension funds.
- Claim service companies that handle claims for large insurers.

The widespread use of outsourcing requires organisations to manage the risks associated with outsourced services. Specifically, the user organisation needs a degree of assurance that the service organisation has a well-established internal control framework that is operating effectively. New regulations, regulatory authorities and supervisory boards also ask for specific controls over outsourced procedures.

Service Organisation Control (SOC) reporting distinguishes three types of report:

SOC 1: Reports on controls over processing that affects the user entities' financial statements, typically produced under ISAE 3402 (issued by the International Auditing and Assurance Standards Board) or SSAE 16 (issued by the American Institute of Certified Public Accountants; SSAE 16 has since been superseded by SSAE 18). Distribution is restricted to users of the services and their auditors. An ISAE 3402 or SSAE 16 engagement is an examination (similar to an audit) of a description, produced by the service organisation, of the system(s) it operates on the user organisation's behalf that are relevant to the user organisation's internal control over financial reporting.

SOC 2: Reports on non-financial processing against one or more of the Trust Services criteria (security, availability, processing integrity, confidentiality and privacy), including a description of the services provided and of the controls tested. Distribution is restricted to users of the services.

SOC 3: Also a report on non-financial processing against the Trust Services criteria. A SOC 3 report can be distributed to anyone, but contains only management's assertion that it has met the requirements of the chosen criteria and the auditor's opinion on that assertion; the detailed description of controls and tests found in a SOC 2 report is not included. For SOC 2 and SOC 3 reporting the International Standard on Assurance Engagements ISAE 3000 and national equivalents (e.g., the AICPA Attestation Standards (AT) in the US) are used.

This brochure outlines the purpose and background of the ISAE 3402 standard, its main benefits, and key operational insights for implementing and maintaining it.

Purpose and background

ISAE 3402 deals with assurance engagements undertaken by an auditor to provide a report, for use by user entities and their auditors, on the controls at a service organisation that provides a service to user entities that is likely to be relevant to the user entities' internal control as it relates to financial reporting.

[Figure: collaboration between the user organisation, the service organisation and their respective auditors. The user organisation and the service organisation are linked by an outsourcing contract and SLA. The service auditor tests the service organisation's controls and issues the ISAE 3402 assurance report; the service organisation passes the ISAE 3402 report to the user organisation; the user auditor aligns with the service auditor and uses the report when auditing the user organisation's annual report.]

The user organisation is an entity that has outsourced part of its business to a service organisation. Formal agreements regarding the outsourced services are recorded in a contract and/or Service Level Agreement (SLA). Under the ISAE 3402 standard the service organisation has five primary responsibilities:
1 Prepare and present a complete and accurate description of the system (i.e. the internal control framework).
2 Specify the control objectives.
3 Identify the risks that threaten the achievement of the control objectives.
4 Design, implement and maintain controls that provide reasonable assurance that the control objectives will be achieved.
5 Provide a written assertion to accompany the description, stating that the description is complete and accurate and stating the criteria used as the basis for making the assertion.

The auditor of the service organisation (the service auditor) then determines whether all relevant aspects of the ISAE 3402 standard are adequately addressed by the system description. In addition, the service auditor determines whether the controls described exist, are suitably designed and, for a Type II report only, operated effectively throughout the specified period. The service auditor issues an opinion in the ISAE 3402 report.

The auditor of the user organisation (the user auditor) can then rely on the service auditor's opinion when auditing the user organisation's financial statements. ISAE 3402 can also provide a competitive advantage, since it is a way of distinguishing a service organisation from its competitors.

[Figure: the engagement approach in four phases, showing the activities of the service organisation and Ernst & Young.
Initial planning: identify expectations between the service organisation and EY; gain a high-level understanding of key processes; establish relationship protocols; issue a project charter; identify stakeholder expectations.
Determine scope: understand the company's business, contractual relations and user expectations; determine the scope of the report; perform a risk assessment (identify risks, identify controls, map risks to controls); perform a gap analysis and draw up an action list.
Perform examination: preliminary assessment of controls (pre-assessment, evaluation of the system description, general controls, application controls); evaluate the system design and perform tests of operating effectiveness; conclude whether the design is suitable for an effective internal control environment and on operating effectiveness.
Communicate results: pre-assessment report (if necessary), control recommendations report, SOCR (service organisation control) report to user entities, feedback.]

Types of ISAE 3402 reports

There are two types of report, Type I and Type II. A Type I report provides:
- A description of the service organisation's system and controls, supported by a management assertion and an auditor's opinion on the fairness of that description and on whether the controls had been placed in operation (as at a specified date).
- A management assertion and an auditor's opinion on whether the controls are suitably designed to meet the control objectives.
A Type II report adds a management assertion and an auditor's opinion on the operating effectiveness of the controls throughout a specified period, in addition to the opinions provided in a Type I report.

Benefits to the service organisation

The ISAE 3402 standard provides assurance to clients that the service organisation has appropriate controls in place. Potential benefits and expected results of an ISAE 3402 engagement, grouped under the three headings of the brochure's table:

Meeting client needs
- Mixed team, breaking through silos
- Planning (preset activities and timelines)
- Managed expectations
- Reduced legal exposure, because all agreements made are recorded
- Complete and accurate risk assessment
- Scope tailored to the wishes and demands of the users
- Use of the appropriate reporting standards
- SLA and SLR that provide full coverage of, and insight into, the services provided

Managing costs
- Efficient ISAE 3402 framework
- Appropriate number and mix of controls
- Scope tailored to the wishes and demands of the users
- Appropriate and sufficient control evidence (documentation)
- Accurate and complete populations to facilitate sampling
- High reliance on work performed by Internal Audit
- Integrated ISAE 3402 framework
- Cost savings while adding value

Improving your business
- Measuring and evaluating your performance
- Root cause analysis for service level disputes
- Managed contractual obligations
- Managing client support costs
- Leveraging the knowledge of an outsider who is evaluating your business processes
- Commercial benefits
- Increased user satisfaction
- Additional comfort to management on the design and operation of controls
- Increased control awareness within the organisation
- Identification of opportunities for improvement

ISAE 3402 is a recurring (annual) project. A one-time investment in your approach and framework pays off in the years that follow.

How Ernst & Young helps you to deliver an ISAE 3402 report to your clients

Our approach is hands-on and focused on helping you meet your requirements in a cost-effective manner, by:
- Understanding your clients' regulatory and compliance needs and developing a strategy for meeting those needs.
- Assessing your project plan and aligning it with the service auditor's plan.
- Determining the scope of the report.
- Assisting you in drafting the system description.
- Developing the control objectives for your processes.
- Planning an appropriate approach to the risk assessment and identifying the basis for your management assertion.
- Helping your personnel to identify controls and map them to control objectives.
- Benchmarking your report, control objectives and controls against leading practices.
- Testing the operating effectiveness of your controls.
- Reporting on the results of our testing.

We offer our assistance through workshops and training programmes for your organisation, and evaluate the design and operating effectiveness of the ISAE 3402 control framework and report. We issue an ISAE 3402 report and a management letter containing findings and recommendations.

[Figure: the scoping process. The user organisation performs a risk analysis of its external and internal financial reporting risks, determines the link to the key processes outsourced to the (sub)service organisation, and performs its external audit procedures. Within the ISAE 3402 scope, the (sub)service organisation performs a risk analysis of those key processes, determines the control objectives and key controls, discusses and agrees the user control considerations with the user organisation, and determines and provides other material information.]
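The scoping and readiness steps described above and in the engagement approach (identify risks, define control objectives, map key controls to them, run a gap analysis, then collect operating-effectiveness evidence for a Type II period) can be checked mechanically before the service auditor starts testing. The following Python script is an added example written for this page; it is not EY's tooling and nothing in it comes from the brochure. The control-matrix data model, the finding codes, the expected number of instances per control frequency (for example 250 working days for a daily control) and the sample claims-handling data are all assumptions chosen for illustration.

```python
"""Control-matrix gap analysis for ISAE 3402 readiness (hypothetical example).

Everything here is an assumption chosen for illustration: the data model,
the finding codes, the expected-occurrence table and the sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Control:
    control_id: str
    objective_id: str            # control objective the control supports
    risk_ids: Tuple[str, ...]    # risks the control mitigates
    frequency: str               # "daily", "monthly", "quarterly", "annual" or "event"


# Assumed minimum number of instances a recurring control should produce in a
# 12-month report period. "event" controls have no fixed population, so only
# the presence of evidence inside the period is checked for them.
EXPECTED_OCCURRENCES = {"daily": 250, "monthly": 12, "quarterly": 4, "annual": 1}


def gap_analysis(
    objectives: Dict[str, str],
    risks: Dict[str, str],
    controls: List[Control],
    evidence: List[Tuple[str, date]],
    period: Tuple[date, date],
    report_type: int,
) -> List[Tuple[str, str]]:
    """Return (finding_code, identifier) pairs.

    report_type 1 checks existence and design only; report_type 2 also checks
    that each control has evidence of operation inside `period` and that the
    evidence population is complete enough for the service auditor to sample.
    """
    if report_type not in (1, 2):
        raise ValueError("report_type must be 1 (design) or 2 (operating effectiveness)")
    start, end = period
    findings: List[Tuple[str, str]] = []

    # Every control objective in the description needs at least one control.
    supported = {c.objective_id for c in controls}
    findings += [("OBJECTIVE_WITHOUT_CONTROL", o) for o in objectives if o not in supported]

    # Every identified risk needs at least one mitigating control.
    mitigated = {r for c in controls for r in c.risk_ids}
    findings += [("RISK_WITHOUT_CONTROL", r) for r in risks if r not in mitigated]

    # Controls must reference objectives and risks that actually exist.
    for c in controls:
        if c.objective_id not in objectives:
            findings.append(("CONTROL_UNKNOWN_OBJECTIVE", c.control_id))
        if any(r not in risks for r in c.risk_ids):
            findings.append(("CONTROL_UNKNOWN_RISK", c.control_id))

    if report_type == 1:
        return findings

    # Type II only: evidence inside the period and a complete population.
    for c in controls:
        in_period = [d for cid, d in evidence if cid == c.control_id and start <= d <= end]
        if not in_period:
            findings.append(("NO_EVIDENCE_IN_PERIOD", c.control_id))
            continue
        expected = EXPECTED_OCCURRENCES.get(c.frequency)
        if expected is not None and len(in_period) < expected:
            findings.append(("INCOMPLETE_POPULATION", c.control_id))
    return findings


# Constructed sample data for a claims-handling service organisation.
SAMPLE_OBJECTIVES = {
    "CO1": "Access to the claims system is restricted to authorised personnel",
    "CO2": "Claim payments are completely and accurately recorded",
    "CO3": "Changes to the claims application are authorised and tested",
}
SAMPLE_RISKS = {
    "R1": "Leavers retain access to the claims system",
    "R2": "Payments are posted twice or omitted",
    "R3": "Unauthorised program changes reach production",
    "R4": "A failed payment batch goes unnoticed",
}
SAMPLE_CONTROLS = [
    Control("C1", "CO1", ("R1",), "quarterly"),  # user access review
    Control("C2", "CO2", ("R2",), "monthly"),    # payment reconciliation
    Control("C3", "CO2", ("R4",), "daily"),      # batch job monitoring
    # Nothing addresses CO3 / R3: the gap the analysis should surface.
]
SAMPLE_PERIOD = (date(2013, 1, 1), date(2013, 12, 31))
SAMPLE_EVIDENCE = (
    [("C1", date(2013, m, 15)) for m in (3, 6, 9, 12)]   # four quarterly reviews
    + [("C2", date(2013, m, 5)) for m in range(1, 11)]    # only 10 of 12 reconciliations
    + [("C3", date(2012, 12, 31))]                        # evidence predates the period
)


if __name__ == "__main__":
    for rt in (1, 2):
        print(f"Type {'I' if rt == 1 else 'II'} readiness findings:")
        for code, ident in gap_analysis(SAMPLE_OBJECTIVES, SAMPLE_RISKS, SAMPLE_CONTROLS,
                                        SAMPLE_EVIDENCE, SAMPLE_PERIOD, rt):
            print(f"  {code:<26} {ident}")
```

Run stand-alone, the script reports the unaddressed objective CO3 and risk R3 for both report types, while the reconciliation control with only ten of twelve monthly instances and the batch-monitoring control whose only evidence predates the period appear only in the Type II check. That split is exactly the difference between the two report types: design questions surface in a Type I readiness review, population and period questions only when operating effectiveness is in scope.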

[Figure: illustrative time horizon for first-time adoption and implementation.
Year 1 (t): build the internal control framework; assess control existence and design; ISAE 3402 Type I report.
Year t + 1: assess control existence, design and operating effectiveness; ISAE 3402 Type II report.
Year t + 2 onwards: continuous improvement of the internal control framework.]

Successful continuance after implementation

After successful implementation, annual maintenance of the ISAE 3402 process is necessary to keep it effective. The maintenance effort depends on:
- The impact of organisational changes on the control environment.
- New legislation and compliance requirements.
- Changes in the business and its risks.
- Contractual adjustments.
- Changing requirements from user organisations.
- Recommendations from the service auditor.

Our approach to an existing ISAE 3402 process focuses on helping you maintain and optimise it effectively. Each year we thoroughly evaluate the complete project and process, taking into account all relevant internal and external developments. We contribute our industry knowledge and assess the impact on your processes and on our audit work.

The Ernst & Young difference in approach
Experienced professionals: Our service delivery team includes dedicated professionals with significant experience in performing ISAE 3402 engagements. This means you will be teaming with people who understand the issues and how critical your programmes and projects are to your organisation's success.
Knowledge: The experience and knowledge our professionals have gained from working with multiple clients in the financial services industry is fully leveraged to benefit your organisation directly.
Perspective: The ISAE 3402 report is not just a tool for meeting clients' requirements; it is usually the single best description of your processes and procedures that you can give your clients. We advise you on how to use this communication to enhance your clients' understanding of your processes. This perspective is a major part of the Ernst & Young difference.

Ernst & Young helps organisations achieve their business objectives by delivering a wide range of advisory services designed to enhance risk management activities and improve business processes. From our network of member firms around the world, Ernst & Young's 18,000 advisory professionals provide services that help clients assess, improve and monitor their business risks.

Contacts

Risk Services
Alexander Beijer, Partner, Tel +31 (0)88-407 11 81, Mobile +31 (0)629-08 41 78, alexander.beijer@nl.ey.com
Annemiek Mollema, Manager, Tel +31 (0)88-407 41 28, Mobile +31 (0)629-08 40 05, annemiek.mollema@nl.ey.com

IT Risk & Assurance
Marc Welters, Partner, Tel +31 (0)88-407 41 41, Mobile +31 (0)621-25 22 23, marc.welters@nl.ey.com
Mark de Bos, Manager, Tel +31 (0)88-407 14 10, Mobile +31 (0)621 25 28 31, mark.de.bos@nl.ey.com

Ernst & Young: Assurance, Tax, Transactions, Advisory

About Ernst & Young
Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Legal and notarial services are provided by Holland Van Gijzen Advocaten en Notarissen LLP through a strategic alliance with Ernst & Young Belastingadviseurs LLP. Worldwide, our 167,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve their potential.

Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit www.ey.com

Ernst & Young Advisory is a trade name of Ernst & Young Accountants LLP. This is a limited liability partnership registered in England and Wales with registered number OC335594. Ernst & Young Accountants LLP has its registered office at 1 Lambeth Palace Road, London SE1 7EU, United Kingdom, its principal place of business at Boompjes 258, 3011 XZ Rotterdam, the Netherlands, and is registered with the Chamber of Commerce Rotterdam under number 24432944.

About Ernst & Young's Advisory Services
The relationship between risk and performance improvement is an increasingly complex and central business challenge, with business performance directly connected to the recognition and effective management of risk. Whether your focus is on business transformation or sustaining achievement, having the right advisors on your side can make all the difference. Our 25,000 advisory professionals form one of the broadest global advisory networks of any professional organization, delivering seasoned multidisciplinary teams that work with our clients to deliver a powerful and superior client experience.

We use proven, integrated methodologies to help you achieve your strategic priorities and make improvements that are sustainable for the longer term. We understand that to achieve your potential as an organization you require services that respond to your specific issues, so we bring our broad sector experience and deep subject matter knowledge to bear in a proactive and objective way. Above all, we are committed to measuring the gains and identifying where the strategy is delivering the value your business needs. It's how Ernst & Young makes a difference.

2013 Ernst & Young Accountants LLP. All Rights Reserved. 130007

This publication contains information in summary form and is therefore intended for general guidance only. It is not intended to be a substitute for detailed research or the exercise of professional judgment. Neither EYGM Limited nor any other member of the global Ernst & Young organization can accept any responsibility for loss occasioned to any person acting or refraining from action as a result of any material in this publication. On any specific matter, reference should be made to the appropriate advisor.

www.ey.com/nl ED None