Alternatives to SAS 70 reports: ISA 402 and ISAE 3402

-

This post builds further on the comments given on the strengths and weaknesses of the widely used SAS 70 statements to gain assurance over the control maturity of an external service IT provider, see this post.

The message in short of the other post was that a SAS 70 report has its uses, but its value depends highly on the expertise available within your organisations´ retained organisation and audit department as these can ensure that relevant services, processes and controls are included in the audit scope.

Some of the weaknesses addressed within the first post can be mitigated by:

  • alternative to the SAS 70 report, discussed in this posting,
  • a different way of looking at assurance over your third party vendor, discussed in future posting.

Next generation SAS 70, meet ISA 402 and ISAE 3402
SAS 70 reports are issued on every continent and country leading to various audit and accounting standards being used.

To address the inevitable overlap that arises from multiple similar standards, an initiative was started in 2007 by the International Auditing and Assurance Standards Board (IAASB). The goal of the IAASB initiative is to issue two new international standards for reports on controls at service organizations. One of the two standards will be for user organizations and their auditors (ISA 402), while the second standard will be for service organizations and service auditors (ISEA 3402).

ISA 402 and ISAE 3402 are both assurance reports which aims to provide insight into the controls at a Third Party Service Organization:

  • ISA 402: International Standard on Auditing (ISA) 402 is an international equivalent of SAS 70 in the United States, which also presents itself around the world in the form of designations such as AGS 1042 (Australia), Section 5900 (Canada), FIT1/94 (United Kingdom), IDW PS331 (Germany), and ASCR18 (Japan).
  • ISAE 3402: International Standard on Assurance Engagements (ISAE) 3402 is based on ISA 402. The IAASB wanted to make the ISA 402 report more useful to a wider range of users, not just the management of user organizations and user organization auditors.
    ISA 402 has a focus on third-party service organizations but can also be used in situations where an entity uses a shared service center that provides services to a group of related entities.

The are several differences with the SAS70, which are intended to increase the overall usefulness of the service organization’s:

  • Controls related to the both effectiveness and efficiency of operations and compliance with applicable laws and regulations.
  • Management has to make a written assertion as to the controls that are the subject of the examination.

More background on third party assurance reports can be found here and here. More on ISAE 3402 here.

Comments

Post a Comment

Popular posts from this blog

Beyond Two-Speed IT – Part 3

-
Summary This blog is about shifting gears and the ability to offer cars in other colors than T-Ford-black. It is the third and last part of a blog focusing on the importance of translating market and business context into the value proposition offered by IT. You can find the first part   here   and the second part   here .   FedEx and UPS dominate their markets,   again   using slightly different value propositions. Compared to UPS, FedEx offers its customer more flexibility at a slightly higher price point. More price sensitive customers opt for UPS and the more standardized value proposition that comes with it. More pronounced is the difference between Walmart and Amazon. The first has its roots in physical retail outlets while the second started as a native digital business model. Differentiation can also be observed at an operational level. Marketeers want to try new things on a daily basis, while the controllers and bookkeepers of the finance and administration (F&
Read more

Beyond Two-Speed IT – Part 2

-
Summary Markets move at different speeds and in different directions, constantly reshaping the technology-related capabilities required by the business. In the second part, the difference between Customer Intimacy strategy and Operational Excellence strategy is used demonstrate that ‘differentiation’ is more than choosing Agile over Waterfall development. The first part of this blog dedicated to market and business context is  here .   Dell was founded in 1984 and was added to the Fortune 500 in 1992. Its key to success was building direct relationships with the customer via the internet. At the time, most competitors targeting consumers via analogue sales channels, such as brick and mortar shops. Selling directly to the customer also enabled Dell to build-to-order instead of the traditional build-to-stock model. It kept waste to a minimum and allowed the customer to choose from a wide selection of configuration options. Dell’s pursued a customer intimacy strategy, cont
Read more

The importance to innovate as a supplier

-
Image
I spoke recently with a senior executive of a small external service provider. A service provider with a staff of 350+ in the year 2000 and some 75 today. So one of the main topics we discussed was how this happened. The founders of the company identified some twenty years ago a software niche in supply chain management. In this period manufacturers and their up-and downstream partners in the supply chain were looking for solutions to exchange information to optimize their logistics processes and stock levels. The founders came up with some very clever concepts and for many years the sky was the limit. What the founders and subsequent managers overlooked however is that every (software) product goes through a lifecycle. And at the end of the lifecycle the software product has become obsolete. It may become obsolete because of not anticipating on evolving functionalities, technologies (e.g. Cobol) or because business models. Functionalities. In the past many software vendor
Read more