Assurance Report on Controls at Service Organizations SAE 3402 By P.SELVAMOORTHY, FCA,DISA,CISA,CISSP,CHE,AFCEH, ISO27001:LA
Assurance Report on Controls at Service Organizations SAE 3402
Standards:
- SAE 3402
- ISAE 3402
- SSAE 16 (previously SAS 70)
A1. User Entity vs Service Organization
User Organization: The entity that has engaged a service organization and whose financial statements are being audited.
User Auditor: The auditor who reports on the financial statements of the user organization.
Service Organization: The entity (or segment of an entity) that provides services to a user organization that are part of the user organization's information system.
Service Auditor: The auditor who reports on controls of a service organization that may be relevant to a user organization's internal control as it relates to an audit of financial statements.
A2. Terminologies
UE – User entity
SO – Service Organization
SSO – Sub Service Organization
Management of user entity
Management of Service entity
Management of Sub Service Entity
UA – User entity auditor
SA – Service Auditor reporting under the carve-out method: controls at the SSO will not be assessed by the SA
SA – Service Auditor reporting under the inclusive method: controls at the SSO will be assessed by the SA
B. Need for SOC reports (Demand) Data Security & Privacy are increasing concerns for most organizations. This is especially important in cases where data is regulated and/or sensitive as in case of compliance requirements for HIPAA, PCI etc. Cloud environments are adding to the complexity of the issue where the actual location of the data stored may not be known. Privacy laws are being enforced that may lead to heavy fines or penalties.
C. Applicability SAE 3402 reporting is applicable to the audit of the financial statements of the user organization that obtains services from a service organization that are part of its information system.
C. Applicability (continued)
A service organization's services are part of the user organization's information system if they affect any of the following:
- The classes of transactions in the user organization's operations that are significant to the user organization's financial statements
- The procedures, both automated and manual, by which the user organization's transactions are initiated, authorized, recorded, processed, and reported, from their occurrence to their inclusion in the financial statements
- The related accounting records, whether electronic or manual, supporting information and specific accounts in the entity's financial statements involved in initiating, recording, processing and reporting the user organization's transactions
- How the user organization's information system captures other events and conditions that are significant to the financial statements
- The financial reporting process used to prepare the user organization's financial statements, including significant accounting estimates and disclosures
D. What is a Type I report?
In a Type I engagement, the service auditor will express an opinion and report on the subject matter provided by the management of the service organization as to (1) whether the service organization's description of its system fairly presents the service organization's system that was designed and implemented as of a specific date; and (2) whether the controls related to the control objectives stated in management's description of the service organization's system were suitably designed to achieve those control objectives, also as of a specified date. A Type I report can be for either a SOC 1 or a SOC 2, depending on the objectives of the controls and the services being provided.
What is a Type II report?
In a Type II engagement, the service auditor will additionally express an opinion and report on the subject matter provided by the management of the service organization as to (3) whether the controls related to the control objectives stated in management's description of the service organization's system operated effectively throughout the specified period to achieve those control objectives. A Type II report can also be for either a SOC 1 or a SOC 2, depending on the objectives of the controls and the services being provided.
E1. Type 1 vs Type 2 Reports (SOC reporting)
Reports on compliance:
Type 1
- Report is as of a point in time (i.e., as of 2/31/200X)
- Looks at the design of controls, not operating effectiveness
- Limited use and considered for information purposes only
- Not considered useful for purposes of reliance by user auditors
- Not used as a basis for reducing the assessment of control risk below the maximum
- Generally performed in the first year that a service organization has an SSAE 16 requirement
Type 2
- Report covers a period of time, generally not less than 6 months and not more than 12 months
- Differentiating factor: includes tests of operating effectiveness
- May provide the user auditor with a basis for reducing the assessment of control risk below the maximum
- Requires more internal and external effort
- Identifies instances of noncompliance with the stated control activity
- More emphasis on evidential matter
E2. Comparative Details – statement / report by SO – carve-out method
Sl. No | Type of Description / Report | Management assertions about systems and controls of the Service Organization | About the Sub Service Organization
1 | Type 1 | Description of the system and comment on the suitability of the design of the system in the SO | Not described in detail
2 | Type 1 | Description of the control objectives of the systems in the SO and description of the design of controls in the SO | Not described in detail
3 | Type 2 | Description of the effectiveness of controls operated throughout the specified period to achieve those control objectives | Not described in detail
E2. Comparative Details – statement / report by SO – inclusive method
Sl. No | Type of Description / Report | Management assertions about systems and controls of the Service Organization | About the Sub Service Organization
1 | Type 1 | Description of the system and comment on the suitability of the design of the system in the SO | System details described in detail
2 | Type 1 | Description of the control objectives of the systems in the SO and description of the design of controls in the SO | Details of the controls designed described in detail
3 | Type 2 | Description of the effectiveness of controls operated throughout the specified period to achieve those control objectives | Effectiveness of controls described in detail
E3. Type II currently provides the most reasonable assurance, for the following reasons:
- A SOC Type II can cover the entire year, and the effectiveness of the controls in place can be reported
- It is a third-party period-of-time assessment and so has accountability
- Since it is a period-of-time assessment, it is more like continuous compliance, with low risk and high reliability
- Most other assurance programs or audits are only at a point in time
F. Statement of assertion by Management of Service Organization ???
G. Independence SA Assurance report. ???
Thank You…