This post builds further on the comments given on the strengths and weaknesses of the widely used SAS 70 statements to gain assurance over the control maturity of an external service IT provider, see this post.
The message in short of the other post was that a SAS 70 report has its uses, but its value depends highly on the expertise available within your organisations´ retained organisation and audit department as these can ensure that relevant services, processes and controls are included in the audit scope.
Some of the weaknesses addressed within the first post can be mitigated by:
- alternative to the SAS 70 report, discussed in this posting,
- a different way of looking at assurance over your third party vendor, discussed in future posting.
Next generation SAS 70, meet ISA 402 and ISAE 3402
SAS 70 reports are issued on every continent and country leading to various audit and accounting standards being used.
To address the inevitable overlap that arises from multiple similar standards, an initiative was started in 2007 by the International Auditing and Assurance Standards Board (IAASB). The goal of the IAASB initiative is to issue two new international standards for reports on controls at service organizations. One of the two standards will be for user organizations and their auditors (ISA 402), while the second standard will be for service organizations and service auditors (ISEA 3402).
ISA 402 and ISAE 3402 are both assurance reports which aims to provide insight into the controls at a Third Party Service Organization:
- ISA 402: International Standard on Auditing (ISA) 402 is an international equivalent of SAS 70 in the United States, which also presents itself around the world in the form of designations such as AGS 1042 (Australia), Section 5900 (Canada), FIT1/94 (United Kingdom), IDW PS331 (Germany), and ASCR18 (Japan).
- ISAE 3402: International Standard on Assurance Engagements (ISAE) 3402 is based on ISA 402. The IAASB wanted to make the ISA 402 report more useful to a wider range of users, not just the management of user organizations and user organization auditors.
ISA 402 has a focus on third-party service organizations but can also be used in situations where an entity uses a shared service center that provides services to a group of related entities.
The are several differences with the SAS70, which are intended to increase the overall usefulness of the service organization’s:
- Controls related to the both effectiveness and efficiency of operations and compliance with applicable laws and regulations.
- Management has to make a written assertion as to the controls that are the subject of the examination.