ISAE 3402 Audit Services
Internal Control Objectives through an Assurance Engagement
In December 2009, the International Standard on Assurance Engagements (ISAE) 3402, “Assurance Reports on Controls at a Service Organization,” was prepared by the International Auditing and Assurance Standards Board (IAASB). The standard was created to serve as an international standard to address “engagements undertaken by a professional accountant in public practice to provide a report for use by user entities and their auditors on the controls at a service organization that provides a service to user entities that is likely to be relevant to user entities’ internal control objectives as it relates to financial reporting”. ISAE 3402 audit is effective for service auditors’ assurance reports covering periods ending on or after June 15, 2011; however, earlier implementation is permitted.
A-lign can assist clients in several ways with their ISAE 3402 audit and compliance initiative. Whether we are the service auditor or assisting companies in their transition from SAS 70 to ISAE 3402, our experienced professionals will work to ensure that the ISAE 3402 audit report achieves management’s compliance objectives.
Assurance Engagement ISAE 3402 Type 1 Examination
An ISAE 3402 Type 1 audit is a report on management’s description of a service organization’s system and the suitability of the design of controls.
Assurance Engagement ISAE 3402 Type 2 Examination
An ISAE 3402 Type 2 audit is a report on management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls.
Components of ISAE 3402 Audit Reports
In an ISAE 3402 audit report, management describes their service organization’s system. The description will need to include detail such as how transactions are processed and reported to user organizations, the specified internal control objectives and controls designed to achieve those objectives, along with additional aspects of internal control such as control environment, risk assessment, information and communication systems, control activities and monitoring controls. In the case of a Type 2 report, management includes relevant details of changes to the service organization’s system during the period covered by the description.
Furthermore, management provides the auditor with a written assertion to be included in the service auditor’s report. The written assertion states the following:
-
Management’s description of the service organization’s system fairly presents the service organization’s system that was designed and implemented as of a specified date (or for a Type 2 – throughout the specified period);
-
The controls related to the control objectives stated in management’s description of the service organization’s system were suitably designed to achieve those control objectives as of the specified date (or for a ISAE 3402 Type 2 Audit – throughout the specified period);
-
The controls related to the control objectives stated in management’s description of the service organization’s system operated effectively throughout the specified period to achieve those control objectives (ISAE 3402 Type 2 only).
With the ISAE 3402 audit, the service auditor will now make an attestation on these management assertions. The service auditor will assess whether the service organization has used suitable criteria in preparing the description of its system, in evaluating whether controls are suitably designed, and, in the case of a type 2 report, in evaluating whether controls are operating effectively.
For a free phone consultation for auditing internal controls, submit the short form to the right, or call 1-888-702-5446 today.