Escolar Documentos
Profissional Documentos
Cultura Documentos
Replacing SAS70
The International Auditing and Assurance Standards
Board (IAASB) issued a new international standard for
engagements to report on controls at service organisations.
At the same time, the American Institute of Certified Public
Accountants (AICPA) also redrafted SAS 70.
The new standards have become effective for assurance
reports covering periods ending on or after June 15 2011.
These revisions of SAS 70 represent the first significant
modifications to the standard since it was issued nearly
two decades ago. While the standards issued by the IAASB
and AICPA are not significantly different from each other,
they do present some changes from SAS 70 that may prove
challenging for some service organisations.
2002 - Passage
of the Sarbanes-Oxley Act of 2002
leads to much wideruse of SAS 70.
2008/
2009 - IAASB begins development of international
standard on service organisations. AICPA
SAS 70 task force begins redrafting SAS 70.
2010 - A
global standard to be issued by the IAASB
called ISAE 3402 and a new U.S. standard to
be issued by the AICPA, called SSAE No. 16
to replace SAS 70.
2011 - F or examination periods ending on or after
June 15, 2011, service auditors are required
to comply with either SSAE No. 16
or ISAE 3402.
ISAE 3402 & SSAE 16 (replacing SAS 70) Reinforcing confidence through demonstration of effective controls
Section
Section
oneOne
Section two
Section three
Section four
Section five
Level of assertion
Example
Procedures
Supporting
Documentation
SOX testing
Separate
evaluations
Ongoing
monitoring
No basis
Service auditor
performs testing and
issues report
None
Management reporting
and other oversight
activities
Management risk
assessment
Management monitoring
documentation
Management risk
assessment
documentation
Internal audit
testing/monitoring
Independent regulatory
examination
Independent risk
assessment
Regulatory reporting
Independent risk
assessment results
Management or
independent
assessment of
operating effectiveness
of controls
Testing evidence
for the operating
effectiveness of
controls
* A combination of ongoing monitoring and separate evaluations will usually help ensure that internal control maintains its
effectiveness over time.
ISAE 3402 & SSAE 16 (replacing SAS 70) Reinforcing confidence through demonstration of effective controls
Use of report
Intentional acts
Subsequent events
Reporting
One-stop shopping
Hiring an independent service auditor to perform
the review allows the organisation to be subjected
to just one internal controls audit. Upon completion,
the report is distributed to the service organisations users
so that their auditors may rely upon its opinion and findings
and subsequently limit or eliminate additional substantive
audit procedures. It can help:
R
educe the impact on your resources by minimising
disruption from other outside parties
R
educe operating costs for your clients, due to the fact
that they will no longer have to send auditors
to audit your organisation
A "must have"
With the recent heightened awareness to operational risk
management, more and more clients of service organisations
are requesting a service organisation control report to
provide comfort over the processing control.
Assessment tool
ISAE 3402/SSAE 16 reports provide management with
an independent assessment of the control procedures
adequacy and `reasonable assurance over the processing
control environment operating effectiveness that impacts
user entities internal control over financial reporting.
It illustrates the positive effects of properly functioning
and articulated control environment to an organisations
senior management and can assist to reduce the likelihood
of unwanted surprises:
Identifying and documenting your control objectives
A
nalysing the effectiveness of your control activities
H
elping identify process and technology weaknesses
Identifying opportunities for improvement throughout
audited operational areas
D
etermining the consistency with which your controls
are applied throughout the organisation
S tandardising the processes among multiple services
A
ssessing the strength of your management oversight
Service organisation
control reports, now
more than ever...
Insight
on ISAE 3402/SSAE 16 report improvements
We aim to continuously provide our clients with
comparative information on the quality of ISAE 3402/
SSAE 16 reports versus other reports in the industry.
We strive to add value to the process by identifying ways
to remove ambiguities from the reports to provide a crisp
and clear picture of the control environment to the report
users and their auditors.
Enhancements to controls and processes
We proactively look for opportunities throughout our
ISAE 3402/SSAE engagements to provide our clients with
insights and commentary related to enhancements to
controls or processes based upon our extensive service
organisation control experience and our knowledge of
the leading edge of industry trends and developments.
Use of industry experts
We bring our outstanding pool of recognised industry
experts to support our core engagement team in their
service delivery responsibilities. We believe that
the availability of industry experts is a key differentiating
factor that brings a comprehensive and business oriented
view to your operations and enables us to focus and
emphasise those areas that are crucial for you and your
customers and to advise you in a proactive manner on best
practices and potential procedure improvement in addition
to the pure examination work required by the audit
standard governing ISAE 3402/SSAE examinations.
ISAE 3402 & SSAE 16 (replacing SAS 70) Reinforcing confidence through demonstration of effective controls
2. Service organisation
Deloitte
3. Service auditor role
Readiness
assistance
Process / Control
enhancement implementation
ISAE 3402/SSAE 16
examination
Examination
D
escriptions fairness
C ontrol design suitability
Control operating effectiveness
ISAE 3402/SSAE 16
report issuance
10
Why Deloitte?
Industry expertise
Deloitte is built around specialised industry groups
that enable our practitioners to capitalise on our core
knowledge of industry-specific trends and issues.
This means that, no matter what specific industry
segment a service organisation is in, we have
the necessary expertise and knowledge to deliver
a tailored focused ISAE 3402/SSAE 16.
The Deloitte ISAE 3402/SSAE 16 is delivered through
dedicated knowledge of your industry.
Doing the
right thing
Quality
Technical
excellence
360 view
Strong values
Effective independence-monitoring systems
Controls and corporate governance expertise
Ongoing training in technical matters
for all professionals
C
onsultative approach to service
A
nnual, intensive, case-based programmes
for partners and managers
ISAE 3402 & SSAE 16 (replacing SAS 70) Reinforcing confidence through demonstration of effective controls 11
Laurent Berliner
Partner - Governance, Risk & Compliance
EMEA Financial Services Industry
Enterprise Risk Services Leader
+352 451 452 328 - berliner@deloitte.lu
Michael Blaise
Director - Governance, Risk & Compliance
+352 451 452 562
mblaise@deloitte.lu
Jrme Sosnowski
Director - Governance, Risk & Compliance
+352 451 454 353
jsosnowski@deloitte.lu
Jol Vanoverschelde
Partner - Advisory & Consulting Leader
+352 451 452 850
jvanoverschelde@deloitte.lu
Audit
Sophie Mitchell
Partner - Audit Leader
+352 451 452 481
somitchell@deloitte.lu
Tax
Raymond Krawczykowski
Partner - Tax Leader
+352 451 452 500
rkrawczykowski@deloitte.lu
PSF
Stphane Csari
Partner - PSF Leader
+352 451 452 487
scesari@deloitte.lu
Banking & Securities
Accounting
Jean-Philippe Foury
Partner - Accounting Services Leader
+352 451 452 418
jpfoury@deloitte.lu
Martin Flaunet
Partner - Banking & Securities Leader
+352 451 452 334
mflaunet@deloitte.lu
Deloitte Luxembourg
560, rue de Neudorf
L-2220 Luxembourg
Grand Duchy of Luxembourg
Tel: +352 451 451
Fax: +352 451 452 401
www.deloitte.lu
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (DTTL), its network of member firms, and their related
entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as Deloitte Global) does not provide services to clients.
Please see www.deloitte.com/about for a more detailed description of DTTL and its member firms.
Deloitte provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple industries. With a globally connected network of
member firms in more than 150 countries and territories, Deloitte brings world-class capabilities and high-quality service to clients, delivering the insights they need to
address their most complex business challenges. Deloittes more than 200,000 professionals are committed to becoming the standard of excellence.
This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the
Deloitte Network) is, by means of this communication, rendering professional advice or services. No entity in the Deloitte network shall be responsible for any loss
whatsoever sustained by any person who relies on this communication.
2014. For information, contact Deloitte Touche Tohmatsu Limited.
Designed and produced by MarCom at Deloitte Luxembourg.