ISAE 3402
Preface
In one of our professional debates, we often discussed how the ISAE 3402 framework
could be made more useful. A recurring subject was the limitation of information on
the future operating effectiveness of controls. With this idea in mind, we noted in
many discussions with colleagues and fellow students that this subject is easily
recognizable and people were curious to find the solution. After this, it seemed clear
to us that this would become the subject of our thesis.
By writing this thesis, we would like to contribute to the profession of IT auditing and
to NOREA. Within the period this thesis was written, we couldn’t create a completely
approved and formalized framework to be used internationally. However, we believe
this thesis will provide the knowledge needed to make the first steps to enhance the
current set of assurance frameworks (ISAE) to elaborate on the future operating
effectiveness of controls in order to address the changing assurance needs.
We could not have written this thesis without the guidance and feedback of our
supervisors René Matthijsse from VU University and Tom Ooms from PwC. We would
also like to thank Arnold’s wife Maaike Brugge-Cobelens (who is pregnant at the time
of writing) for her support and understanding.
October 2014
Executive summary
To gain assurance about a process executed by a third party, independent auditors
issue an opinion about the way the process is performed by the service-providing
organization, using for instance the International Standard on Assurance Engagements
(ISAE) 3402. Different developments can be discerned, such as continuous auditing and
monitoring, with a focus on more insight into the continuity aspects of an
organization. Currently, the ISAE 3402 framework does not encompass information
about the future operating effectiveness of controls and therefore about the continuity of
controls. Given these changes, clients and auditors not only need assurance about a
process performed in the past, but also need more information about how the business
and controls will operate in the future. This thesis investigates which additions should
be made to the current ISAE 3402 approach to give the user of the ISAE 3402 report
more insight into the future operating effectiveness of the controls at
the service provider.
The ISAE 3402 framework is used to provide comfort to user entities and their auditors
about the internal control components related to financial reporting of the service
organization, covering a specified period in which controls are designed and implemented,
suitably designed throughout the specified period or as at a specified date, and
operated effectively throughout the specified period. This leads us to the most
significant limitation of the ISAE 3402 framework within the context of this thesis
research: the lack of information on the future operating effectiveness of controls. The
most important reasons why this absence of information matters are the effective
operation of primary processes, more control over the processes (contributing to
continuous monitoring) and transparency regarding continuity, which is also a necessity
within financial statement audits.
Based on the analysis of similar frameworks, such as ISAE 3000, combined with
interviews with stakeholders, the following conceptual additions to the audit approach
are suggested to contribute to the future operating effectiveness of controls, and are
proven in practice by means of case studies:
1) Select the right assurance framework to address the assurance need by choosing
the ISAE 3000 framework or one of the SOC 2/3 related frameworks. Maintain at least
the scope of ISAE 3402 to cover the essential and obligatory assurance needs, and
expand this scope with the additional audit work to address the future operating
effectiveness aspects.
2) Understand the client and the engagement by updating knowledge, and
review the effects of changes regarding applicable industry and regulatory standards.
Verify whether an approach is implemented for establishing, implementing, operating,
monitoring, reviewing, maintaining and improving the organization's internal control
system, and whether an Internal Audit function is established and actively involved in
managing the achievement of the control objectives related to the ISAE 3402 scope.
3) During execution of the audit, dedicate more attention to the number of Meta
controls, the monitoring of key controls and the number of automated controls.
4) Ensure that the report covers subsequent events, a statement of the limitations of
controls and of the risk of projecting to future periods, and a statement of direction by
management.
Table of contents
Preface ........................................................................................................... I
Executive summary ....................................................................................... II
Table of contents......................................................................................... III
List of Figures ................................................................................................. V
List of Tables .................................................................................................. V
1 Introduction ............................................................................................. 1
1.1 Problem statement and decomposition....................................................... 5
1.2 Research methodology ............................................................................. 5
1.3 Scope ..................................................................................................... 6
1.4 Relevance ............................................................................................... 6
1.5 Outline .................................................................................................... 7
2 The ISAE 3402 framework and its limitations .......................................... 8
2.1 Background ............................................................................................. 8
2.2 The scope of the ISAE 3402 framework ..................................................... 9
2.3 Objectives of the ISAE 3402 framework .................................................... 10
2.4 Usage of the ISAE 3402 framework in practice .......................................... 10
2.5 Limitations of the ISAE 3402 framework ................................................... 11
3 Analysis of the ISAE 3402 framework and other relevant frameworks .. 14
3.1 Elements within the 3402 framework ........................................................ 14
3.2 Analysis of frameworks similar to ISAE 3402 ............................................. 16
3.2.1 ISAE 3000........................................................................................ 17
3.2.2 ISO 27001 ....................................................................................... 18
3.2.3 SOC1, SOC2 and SOC3 ..................................................................... 18
3.2.4 PCI-DSS........................................................................................... 20
3.2.5 ISA 520 – Going Concern .................................................................. 21
4 Exploratory interviews and results ......................................................... 23
4.1 Interview approach ................................................................................. 23
4.2 Interview results ..................................................................................... 25
4.3 Additions in the regular ISAE 3402 audit approach as derived from research 27
4.3.1 Choose the assurance framework to address the assurance need ......... 27
4.3.2 Planning and understanding the client ................................................ 27
4.3.3 Execution of the audit ....................................................................... 28
4.3.4 Reporting......................................................................................... 28
5 Case study research ............................................................................... 29
5.1 Approach ............................................................................................... 29
5.2 Case study A .......................................................................................... 29
5.2.1 Context ........................................................................................... 29
5.2.2 Case study findings and analysis ........................................................ 30
5.2.3 Summary ......................................................................................... 35
5.3 Case study B .......................................................................................... 36
5.3.1 Context ........................................................................................... 36
5.3.2 Case study findings and analysis ........................................................ 37
5.3.3 Summary ......................................................................................... 42
5.4 Case research outcomes and analysis ....................................................... 43
6 Research question and conclusion ......................................................... 45
6.1 Research question................................................................................... 45
6.2 Additions in the regular ISAE 3402 audit approach ..................................... 46
6.3 Limitations of this research ...................................................................... 47
6.4 Further research ..................................................................................... 48
7 Bibliography ........................................................................................... 49
Appendix ...................................................................................................... 51
A Exploratory interview: Domain Expert .......................................................... 51
B Exploratory interview: Service Provider ........................................................ 54
C Exploratory interview: Client of Service provider ........................................... 56
D Exploratory interview: External auditor ......................................................... 58
List of Figures
Figure 1: Outline ................................................................................................. 7
Figure 2: Standards (source: AICPA, 2010) ........................................................... 19
Figure 3: Meta controls ....................................................................................... 26
List of Tables
Table 1: ISAE 3402 requirements analysis............................................................. 14
Table 2: Case A analysis of additions .................................................................... 35
Table 3: Case B analysis of additions .................................................................... 42
1 Introduction
Throughout the years, IT has become more and more service-oriented, with IT
processes being outsourced to third parties. However, by outsourcing a process one does
not outsource the accountability for it. To gain assurance about a process executed by a third
party, independent auditors give an opinion about the way the process is performed by
the service-providing organization.
Until 2011, SAS 70 was the reporting standard regarding service-providing
organizations. The International Standard on Assurance Engagements (ISAE),
developed by the International Auditing and Assurance Standards Board (IAASB), is the
standard now used for an assurance opinion about the work performed by a service
organization over a historic period in time, and is the successor of SAS 70.
At the moment of writing, different developments can be discerned, such as continuous
auditing and monitoring. These developments are focused on gaining more insight into the
continuity aspects of an organization. For instance, regarding the annual financial
statements, many discussions are held about the absence of continuity
aspects of the audited organization in the annual financial statements report. The
readers of that report, shareholders and other stakeholders,
cannot form a grounded opinion on or gain insight into the future operating
effectiveness of an organization, as the continuity aspects of the
organization are not clearly explained in the report (Mertens, Meliefste MSc, & Blij CFA, 2013).
Especially with the current uncertainty in economic developments, special attention
is dedicated to the continuity of organizations. But why is it important to look
into aspects regarding continuity and future operating effectiveness? Before we look
in depth at why it is important to consider future operating effectiveness, allow us to
first introduce our definition of future operating effectiveness.
Definition of future operating effectiveness
When we mention operating effectiveness, we refer to the effectiveness of the
operation of a control. In nearly all audit standards, when performing an audit on the
operating effectiveness of controls (i.e. a Type II report), the historical information
regarding the operation of the control is assessed and tested. This way the auditor
gains reasonable assurance that the control has worked as it should during a certain
period in the past.
When we refer to future operating effectiveness in this thesis, we mean the
operating effectiveness of the specific control in the future. Based on the information
acquired during the audit regarding the past and current operation of the control, a
high-level opinion – with a limited degree of assurance – on the future operation of the
control can be formed. By future, we mean any point in time after the audit has been
performed.
With this definition clear, the most important and relevant reasons why a
stakeholder is interested in the future operating effectiveness of the key processes at a
service organization are given below.
For example, a retail organization has outsourced its payment processes to a payment
service provider (PSP). With continuous monitoring, the directors of the retail
organization can monitor the most important processes related to sales and logistics.
The payment process lies with the PSP, which provides the retail organization not only
with information regarding the operating effectiveness of the payment process, but
with information on its future operating effectiveness as well. When the process is about to
miss its process or control objective, the retail organization will know this soon enough to
implement corrective measures and create its own workaround(s) to maintain its
level of control and the quality of its processes.
1.3 Scope
We limit our research to the ISAE 3402 standard. This standard is chosen because it is
widely used in the area of financial reporting. However, other standards might exist
that are comparable to the ISAE 3402 standard.
Furthermore, we limit our research to two case studies in two different
environments, which makes this a qualitative research.
1.4 Relevance
The relevance of this research can be decomposed into two perspectives.
Firstly, society currently requires special attention¹ to the continuity of
organizations. In the past years organizations have encountered problems with continuity,
which affect many other organizations up or down the supply chain, employees,
government and/or ordinary citizens. Society requires more insight into the
management of continuity risks in order to be able to anticipate the possible
consequences.
In the modern world, many organizations work closely with service providers to
manage the whole process chain as efficiently as possible. For this reason, it is
important to be clear about the continuity of the operating effectiveness of the
processes at the service provider related to the auditee organization, as this (partly)
affects the continuity of the auditee organization. Assessing the need for, and
implementation of, continuity aspects in the ISAE 3402 standard helps to map all the
relevant continuity risks of an organization.
Secondly, and partly related to the first perspective, the current
developments regarding continuous assurance, as stated in Spotlight, openly published
company literature (Roozendaal, 2011), enable organizations to have more insight into the
effectiveness and efficiency of processes. This should include the processes that are
(partly) outsourced to service providers. The current ISAE 3402 framework provides
assurance based on historical information regarding the processes in scope. By
adjusting the work performed, it is possible to give more insight into the operating
effectiveness in the (near) future and therefore to allow user organizations to include it
in their monitoring processes in the light of continuous assurance.
¹ http://www.accountancynieuws.nl/actueel/accountancymarkt/risicorapportage-in-jaarverslag-te-algemeen-voor.125662.lynkx
Figure 1: Outline (Chapter 3: Relevant frameworks; Chapter 4: Practice (interviews))
2.1 Background
Until 2011, Statement on Auditing Standards No. 70 (SAS 70) was the reporting
standard regarding service-providing organizations. SAS 70 was a widely recognized
American audit standard issued by the American Institute of Certified Public
Accountants. SAS 70 provides guidance to service auditors when assessing the internal
control of a service organization on behalf of a user organization. SAS 70 is applied in
situations where outsourcing is in place. SAS 70 provides information on the service
organization’s internal control on behalf of the user organization’s financial statement.
SAS 70 was developed by accountants for accountants (Ewals, 2009). The scope of SAS
70 covers the integrity of financial reporting and may include specific controls
determined by the client who has engaged the service auditor.
A distinction between two types of SAS 70 reports can be made: type I and type II (Ewals, 2009). A SAS
70 type I report states whether the service organization’s description of its controls is
fairly presented and implemented on a certain date. A SAS 70 type II report provides
the same information as a SAS 70 type I report and adds another part that reports on
whether the controls that were tested were operating with sufficient effectiveness to
provide reasonable assurance that the related control objectives were achieved during
a specified period.
The main reason for the replacement of SAS 70 was the need for an international
standard. As SAS 70 is an American standard, it complicates engagements that cross
borders. There was a demand for a new single auditing standard that provides
consistency to customers around the world. Global service organizations often issued
assurance reports under various country-specific standards, thereby creating more
inconsistencies and confusion. Another reason was that SAS 70 did not maintain a risk-based
approach, its scope being limited to the integrity of financial reports, and
management did not explicitly take responsibility for internal control (Ernst
& Young, 2009).
The International Standard on Assurance Engagements (ISAE), developed by the
International Auditing and Assurance Standards Board (IAASB), is the standard now used
for an assurance opinion about the work performed by a service organization over a
historic period in time; it is the successor of SAS 70 and mitigates the shortcomings noted
above.
“This ISAE applies only when the service organization is responsible for, or otherwise
able to make an assertion about, the suitable design of controls. This ISAE does not
deal with assurance engagements:
(a) To report only on whether controls at a service organization operated as described,
or
(b) To report on controls at a service organization other than those related to a service
that is likely to be relevant to user entities’ internal control as it relates to financial
reporting (for example, controls that affect user entities’ production or quality control).
This ISAE, however, provides some guidance for such engagements carried out under
ISAE 3000.” (IAASB, 2009)
This means that the framework only applies to controls related to financial reporting.
Additionally, ISAE 3402 provides some guidance for the related framework ISAE 3000, but
does not cover it fully.
Although our scope is set to the ISAE 3402 framework, because of the relation
between both frameworks a comparison between the two is included in
chapter three to ensure that relevant information is encompassed in this research.
Based on the above, we consider the ISAE 3402 framework to be a
framework used to provide comfort to user entities and their auditors about the
internal control components related to financial reporting of the service organization,
related to the ISAE 3000 framework, which covers internal control components other
than audits or reviews of historical financial information.
Depending on the reason, one is more eager to cover more processes and controls.
Mainly, ISAE 3402 is used as an auditor-to-auditor report (reason one of the
above) to cover the risk of material misstatement in processes that are performed by
the service organization.
In practice, according to the interviewed domain expert (Leenders RA & Nagy RO,
2013) and our own experience, the ISAE 3402 framework is sometimes used to report
on more than the framework was intended to provide. This leads us to the limitations
of the ISAE 3402 framework in the next paragraph.
1) The ISAE 3402 framework requires a risk-based approach. Based on the risk
management procedures of the service organization, the most relevant controls
are considered and included in the scope of the ISAE 3402 audit. These
controls are the controls related to a service organization’s operations and
compliance objectives which are relevant to a user entity’s internal control as it
relates to financial reporting (IAASB, 2009). Defining which controls at a
If we look at the limitations above, the limitation of not providing information about
the reasonableness of the future operating effectiveness of the controls in scope is
considered the most important one. Especially with the current need, in the light of the
recent financial crisis and accounting scandals, for more transparency and control over one’s
processes, we determined that organizations require more insight into the operating
effectiveness of their internal controls, including the related controls at the service
organization.
As described in detail in chapter one, the most important reasons why information on
future operating effectiveness is relevant for the different stakeholders of the service
provider can be summarized in three points:
• Effective operation of primary processes: as many processes are (partly)
outsourced, it is important to have insight into the operating processes at the
service organization and their dependencies with one's own primary processes.
With future operating effectiveness more can be said about the output of the
outsourced process (parts) over the upcoming period, which strengthens
the control over the process output over time. This way the output of the primary
processes remains controllable over time.
• More control over the processes: the current development towards
continuous monitoring enables organizations to relate the process output to
the corresponding risk profile. This way the organization can instantly identify
exceptions in the process output or changing risks and take corrective actions
accordingly. To be able to stay ahead of upcoming exceptions and/or risks, it is
important to have insight into the future operating effectiveness of outsourced
(parts of) processes.
In the next chapter, we look into the conceptual additions to overcome the identified
limitations.
“ 20. The service auditor shall obtain an understanding of the service organization’s
system, including controls that are included in the scope of the engagement.”
In practice, using for instance the PwC ISAE 3402 library working papers
(PricewaterhouseCoopers, 2012), we update our knowledge of, and review the
effects of, applicable industry and regulatory standards with a focus on significant
changes affecting the current period or future periods. Therefore, this requirement
already yields insight into significant changes that would affect future periods. Based on
this insight, it is likely that we can assess the impact on controls and their future
operating effectiveness.
Obtain evidence
While performing the procedures Obtaining Evidence Regarding Design of
Controls and Obtaining Evidence Regarding Operating Effectiveness of Controls,
information is gathered from employees carrying out the day-to-day activities. This
information might be relevant for next year’s audit and is documented in the
working papers, but it is not part of the final report because of the reporting period agreed
upon.
Subsequent Events
Regarding Subsequent Events (IAASB, 2009), the following is defined:
“ 43. The service auditor shall inquire whether the service organization is aware of any
events subsequent to the period covered by the service organization’s description of its
system up to the date of the service auditor’s assurance report that could have a
significant effect on the service auditor’s assurance report. If the service auditor is
aware of such an event, and information about that event is not disclosed by the
service organization, the service auditor shall disclose it in the service auditor’s
assurance report.”
As stated above, Subsequent Events is part of the final stage before preparing the
Service Auditor’s Assurance Report. These events cover the period between the test work
performed for the agreed reporting period and the moment the report
is issued.
“j) A statement of the limitations of controls and, in the case of a type 2 report, of the
risk of projecting to future periods any evaluation of the operating effectiveness of
controls.”
Although the above might be seen as a limitation, the fact that the auditor needs to
make a statement about the limitations could be used to mention relevant
information about the future operating effectiveness of controls.
Bridge letter
In practice, as is done for ADP, a so-called Bridge letter is issued based on inquiry with
management and those charged with governance. This is a solution to mitigate the
limitation set out in chapter one. However, inquiry is the lowest level of evidence
(out of inquiry, observation, inspection and re-performance) and might not be
sufficient under the current scope of the ISAE 3402 framework. The Bridge letter itself,
however, might be usable to reflect the proposed additions set out in paragraph
5.1.
Based on the analysis performed in paragraph 3.1, the following items of the ISAE
3402 framework might contribute to elaborate on the future operating effectiveness of
controls:
• Obtaining an Understanding of the Service Organization’s System
• Obtain evidence
• Subsequent Events
• Preparing the Service Auditor’s Assurance Report
• Bridge letter
Results of the analysis, identifying points that might refer to future
operating effectiveness, are summarized below:
• The objective differs from the ISAE 3402 standard, leaving more room for
professional judgment of the auditor.
When we examine the phase Preparing the Service Auditor’s Assurance Report, the
results of the analysis, identifying points that might refer to future
operating effectiveness, are summarized below:
• Like the ISAE 3402 standard, ISAE 3000 states that a remark needs to be made
in the report regarding future periods and the effectiveness of controls.
ISO 27001 certification is used by the service provider to show the outside world (i.e.
its clients) that its information security is in control.
Results of the analysis, identifying points that might refer to future
operating effectiveness, are summarized below:
If the controls are tested for a certain period of time, one wants to know whether the
controls will work in the future and are affected only to a limited extent by organizational and/or
process changes. If the user of the service provider is able to gain insight into the
management of process and/or organizational changes, more information can be
gathered on the future operating effectiveness of the controls in scope.
Therefore, SOC 1 does not provide any further starting points for our research beyond
those already mentioned in paragraph 3.1.
3.2.4 PCI-DSS
The standard describes itself as:
“The Payment Card Industry Data Security Standard (PCI DSS) was developed to
encourage and enhance cardholder data security and facilitate the broad
adoption of consistent data security measures globally. PCI DSS provides a
baseline of technical and operational requirements designed to protect cardholder
data. PCI DSS applies to all entities involved in payment card processing—
including merchants, processors, acquirers, issuers, and service providers, as well
as all other entities that store, process or transmit cardholder data and/or
sensitive authentication data” (PCI Security Standards Council, 2013).
The PCI-DSS framework is concerned with service providers, and is therefore relevant
for further analysis in this thesis research.
Results of the analysis, identifying points that might refer to future
operating effectiveness, are summarized below:
• Within the scope of the PCI-DSS standard, there is no special attention to the operating
effectiveness of controls. However, the standard does mention that changes to
the organizational structure should be appropriately addressed and mapped to
their impact on the PCI DSS scope and requirements. The periodic (audit) reviews
should verify that the PCI DSS requirements continue to be in place at the
organization. It does not mention that auditors should provide information on future
organizational changes and their impact on the PCI DSS scope and requirements.
• In the standard itself, no references to future operating effectiveness are
present.
Conclusion
Based on the analysis of the different frameworks above, we conclude that:
• The objective of ISAE 3000 differs from the ISAE 3402 standard, leaving more
room for professional judgment of the auditor, and it states that a remark needs
to be made in the report regarding future periods and the effectiveness of controls.
• The ISO 27001 standard refers to a comprehensive Information Security
Management System (ISMS), and changes to the ISMS are covered by the
standard. The standard adopts a process approach for establishing,
implementing, operating, monitoring, reviewing, maintaining and improving an
organization's ISMS. This approach is based on the “plan-do-check-act” (PDCA)
model.
• AT section 101 does not clearly state that the report should only cover
historical data. Instead, the following is mentioned regarding the subject
matter: historical or prospective performance or condition. Therefore, it should
be possible to report on the future operating effectiveness of controls using SOC 2
or 3.
• PCI-DSS mentions that changes to the organizational structure should be
appropriately addressed and mapped to their impact on the scope and
requirements.
For the four different perspectives, we have selected the persons / organizations,
which are significantly involved in ISAE 3402 and have a strong opinion on the
standard and its developments. This way we want to acquire as much information from
the interviewees as possible.
With these four perspectives, adequate insight is acquired into the use and view of ISAE
3402 reports. Insight into the practical use of ISAE 3402 is gained, through which we can
also detect the limitations of the framework in practice. Interviewees share, from their
perspectives, experience and knowledge, their ideas on possible
additions/solutions – which can lead us to broaden or deepen our research.
The number of interviews and the combination of different perspectives validate the
output of the interviews. The interviews are semi-structured and based both on the
results from the literature study within this thesis research and on our knowledge
and experience as external auditors performing ISAE 3402 audits.
Below, the interviewees and their roles are summarized. From each interview we have
summarized the points that we discussed; this can be found in the appendix of
this thesis. We have anonymized the interviewees’ names; the names are known to
the thesis supervisors.
Interviewees
Service provider
A controller working for a fast-growing Payment Service Provider; ISAE 3402
audits are performed annually in his organization.
Examples of monitoring controls include monitoring controls over key controls, but they can
also include controls regarding the reliability of Service Level Reports, which the service
organization sends to its user organizations. This way the user organization gets
reliable insight into the performance of the Service Provider during the year, even after
the audit report has been issued. This can be regarded as a form of information on
“future operating effectiveness” of controls, as the audit report is older than the
information provided by the Service Level Report. It is important that the KPIs used internally
within the service organization are aligned with the KPIs reported to the user
organization, on which the latter relies. The Meta controls can be included in the
controls framework, so the current audit approach does not need to be changed.
With reliable periodic Service Level Reports, the user organization can better anticipate
possible failure of controls. As these controls are included in the controls
framework, no special adjustment of the audit approach is required.
The same holds for automated controls, which are unlikely to operate ineffectively
unless the IT General Controls are found to be inadequate. These IT
General Controls can be part of an organization-wide quality management system as
well.
Based on the interviews, the following additions are suggested:
• The number of automated controls as a percentage of the total control
measures per control, given the presence of reliable IT General Controls.
• Include Meta controls, such as monitoring controls over key controls and
controls over reliability of Service Level Reporting in the controls framework.
The conceptual additions to the regular ISAE 3402 audit approach, as derived from the
interviews held and combined with the results from the literature study, are described in
chapter 4.2.
4.3.4 Reporting
1) The service auditor shall inquire whether the service organization is aware of
any events subsequent to the period covered by the service organization’s
description of its system up to the date of the service auditor’s assurance report
that could have a significant effect on the service auditor’s assurance report.
2) A statement of the limitations of controls and, in the case of a type 2 report, of
the risk of projecting to future periods any evaluation of the operating
effectiveness of controls.
3) A statement of direction by management is required and should be part of the
report to be issued.
4) The bridge letter needs to reflect on the proposed additions that are likely to
contribute to the assessment of future operating effectiveness of controls.
As the conceptual additions are now identified, the added value is assessed in two case
studies. Please refer to chapter five.
5.1 Approach
To prove our theoretical additions in practice, two case studies are conducted at two
different organizations.
First, we describe the context to which the additions are applied to gain an
understanding of the as-is situation.
Second, we apply the theoretical additions to the case in order to verify whether the
suggested additions contribute to better knowledge about the future operating
effectiveness of controls in the given situation.
Last, we close with a conclusion per case study stating the results per addition and
whether an addition is likely to contribute to the overall goal of future operating
effectiveness or not.
5.2.1 Context
Company description
The company used for case study A is known for its highly digital platform that
enables people in the Netherlands and abroad to buy and sell personal belongings.
Besides consumers, businesses are also allowed on the platform. Revenue from
advertisements is the most important stream for this company.
ISAE 3402 description
One of the products related to the advertisement revenue stream is the possibility to
pay per click per advertisement. The scope of the ISAE 3402 engagement runs from the
moment a click is generated to the moment that the cost of this click is invoiced.
The following objectives are part of the scope of the engagement:
• Accuracy and completeness of clicks assigned to advertisers
• Accuracy and completeness of invoices based on the usage data
• Reliability of IT General Controls
Applied in practice
Because ISAE 3402 is an extension of ISAE 3000 based on ISA 402 regarding
service organizations, there is no problem in using the ISAE 3000 framework for the
current scope as long as the ISAE 3402 format is used, such that the report is
usable as audit evidence for the annual audit of financial statements.
Result
Based on the above, the current scope of the engagement can be executed using
the ISAE 3000 standard.
2) SOC 2/3 enables the auditor to extend the scope of SOC1 beyond its limitations
(similar to the ISAE 3402 framework)
Applied in practice
SOC 2, based on the Trust Service Principles, does not have the limitations of
SOC1/ISAE 3402. Therefore, the five pillars can be mapped to the current scope of
the engagement. The pillars are security, privacy, process integrity, continuity and
availability.
Process integrity
• Accuracy and completeness of clicks assigned to advertisers
• Accuracy and completeness of invoices based on the usage data
Result
Based on the above, the current scope of the engagement can be executed using
the SOC2 standard.
Applied in practice
In the current situation, no control objectives are related to industry or regulatory
standards such that a change in the applicable laws and regulations would significantly
impact the scope of the audit. Additionally, there are no specific (industry)
standards related to click registration on websites.
Result
Based on the current scope, updated knowledge of industry and regulatory
standards does not give more insight into the future operating effectiveness of controls.
Applied in practice
There is no formal approach to managing the organization’s ISMS. Therefore,
organizational changes and their possible impact on the ISAE 3402 scope are not
noted as such. Consequently, there is no auditable procedure to gain insight into the
organization’s controls for managing changes (besides IT General Controls) in a
controllable manner. As an example, the platform mentioned in the context was
recently transformed from a local platform to an international platform without
performing an impact assessment on the controls in the ISAE 3402 scope. Because
of this, it is likely that control weaknesses will be noted in the coming audit.
Result
Based on this case, it is known from the planning phase that organizational
changes with impact on the operating effectiveness of controls are possibly applied
without assessing the impact on the control framework. If the approach to
assessing the impact of organizational changes on the control framework is
included in the COSO elements, the user of the report can gain insight into how
controllably the changes are applied (or will be applied, in the case that no
changes have occurred). Therefore, this addition is likely to contribute to the overall
assessment of future operating effectiveness of controls.
Applied in practice
In this case, an Internal Audit function (IA) is established, which is, however, not actively
involved in managing the achievement of all control objectives of the current ISAE
3402 scope. The part which is covered by IA is managed without control
deficiencies; the non-managed controls, however, are assigned to control owners but
have proven to show more deficiencies, which need to be followed up to mitigate
the risk of a qualified opinion.
Result
Based on the arguments described above and our experience with entities with an
Internal Audit department, an actively involved Internal Audit function contributes
to reliable execution and achievement of controls (objectives). When the information
regarding the tasks and responsibilities of IA is included in the COSO elements,
the user of the report can partly base its opinion on the future operating
effectiveness of the relevant controls on this information.
Applied in practice
The majority of controls is considered automated for case A. As it is a recurring
engagement, we found that the automated controls programmed in the kernel of
the system were unchanged compared to the previous year. The few controls that
were not automated showed deficiencies in design. However, those controls were
not activated during the year; if they had been, they would have led to a significant
control weakness in operating effectiveness.
Result
Based on the above, it would seem that a higher number of automated controls
would contribute to the assessment of future operating effectiveness. However,
one should be aware of the possible failure of IT General Controls regarding
change management, which affects these controls.
2) Include Meta controls, such as monitoring controls over key controls and controls
over reliability of Service Level Reporting in the controls framework.
Applied in practice
In the current scope of case A, there are no Meta controls (controls covering
controls) defined. If we take the concept of Meta controls and map it to the
current case, the following controls would be defined:
With these three controls (besides the IT General Controls), a coverage of the whole
scope is ensured.
Result
Based on the above reasoning, having Meta controls would contribute to a stronger
internal control system. Consequently, it would seem that including the Meta controls
covering the control objectives in the existing control framework contributes to the
assessment of future operating effectiveness. Also, if the controls regarding reliability of
the Service Level Reporting (e.g. in this case the success rate of invoice reviews) are
included, the user organization can rely on the Service Level Reports for the operating
effectiveness of the key controls after the issue date of the audit report.
Reporting
1) The service auditor shall inquire whether the service organization is aware of any
events subsequent to the period covered by the service organization’s description
of its system up to the date of the service auditor’s assurance report that could
have a significant effect on the service auditor’s assurance report.
Applied in practice
In the context of case A, we were unaware of the timing of the changes that
would take place. We were informed that the platform would be used to support
multiple countries; however, we did not know their approach and how it would
affect the ISAE 3402 scope. As for the time between issuing the report and the
period covered, there was no need to mention these developments as subsequent
events as they had not yet occurred. It would however be of interest to users of the
report to extend the subsequent events to events that will happen shortly after the
report is issued. With some additional work, the impact of the changes that are
about to take place could have been assessed, and appropriate actions to ensure
operating effectiveness could have been mentioned in the report, giving the users
of the report more insight.
Result
Extending the assessment of subsequent events beyond the timeframe from period
end to report date would contribute to the assessment of future operating
effectiveness of controls.
Applied in practice
A statement of the limitations of controls and the risk of projecting to future periods
can be used to state the change of the platform that is planned to be
implemented in the coming year (as stated in point 1). With this statement, upcoming
changes and their impact can already be assessed. Actions to uphold the control
objectives can be determined and enclosed in the report.
Result
Besides a statement of limitations and the risk of projecting to future periods,
based on the above it can be of interest to extend the statement with the direction in
which management wants to move.
Applied in practice
In addition to point 2, a clear statement of direction would give the user of the
report the insight (and possibly assurance) needed to ensure that developments in
the coming year will be addressed and no controls and control objectives will fail
because of unmanaged events. As an example regarding case A:
Statement of direction
With regard to the developments that concern the scope set out in this report,
the following developments need to be addressed:
1) The platform used for click registration will be changed to support a multi-
country structure. Therefore, the complete as-is set-up will be converted per
June 201x. With this conversion, the impact on IT General Controls is assessed.
As a result, one data centre is added to the scope and two application systems
will be in scope; one from January to June and one from June to December
201x. The controls covering these changes will be monitored and, if needed,
implemented by or with the support of our Internal Audit Service.
Result
Based on the above, a statement of direction by management would contribute to
the assessment of future operating effectiveness of controls.
4) The bridge letter needs to reflect on the proposed additions that are likely to
contribute to the assessment of future operating effectiveness of controls.
Applied in practice
Based on the audit schedule for case A, two testing periods (both of a year) are
defined. As a result, one letter can be issued to cover the time between reports,
i.e. between the two years. Using the bridge letter would inform the user about the
progress of items in the proposed statement of direction or other relevant
information regarding control objectives.
5.3.1 Context
Company description
The company selected organizes conference meetings in a B2B business model. A
client defines its requirements for the setup of an event, after which the company
organizes the event, not only selecting the venue and hosting the actual event but
also facilitating the registration of invitees / attendees, collecting entrance fees
beforehand, coordinating the suppliers and arranging keynote speakers.
ISAE 3402 description
User organizations of the described company need to know that the company
organizes events in an accurate and timely manner. Furthermore, it is important for
the user organization to gain insight into the controls regarding the financial aspects of
event organizing and the way this is invoiced to the user organization.
The following objectives are part of the scope of the engagement:
• Accuracy and timeliness of registering and managing events
• Accuracy and timeliness of the financial processes before, during and after the
event
• Reliability of IT General Controls
Applied in practice
Because ISAE 3402 is an extension of ISAE 3000 based on ISA 402 regarding
service organizations, there is no problem in using the ISAE 3000 framework for the
current scope as long as the ISAE 3402 format is used, such that the report is
usable as audit evidence for the annual audit of financial statements.
Result
Based on the above, the current scope of the engagement can be executed using
the ISAE 3000 standard.
2) SOC 2/3 enables the auditor to extend the scope of SOC1 beyond its limitations
(similar to the ISAE 3402 framework)
Applied in practice
If we look at the scope of the ISAE 3402 audit of company B, the controls in scope
are related to process integrity and continuity. The controls in scope describe how
the events / projects are managed and what controls exist to ensure that the
process operates in an accurate and timely manner.
The IT General Controls, also in scope of the audit, cover the aspects of
continuity.
Result
Based on the above, the current scope of the engagement can be executed using
the SOC2 standard.
Result
Based on the current scope, updated knowledge of industry and regulatory
standards does not give more insight into the future operating effectiveness of controls.
Applied in practice
There is no formal approach to managing the organization’s ISMS. Therefore,
organizational changes and their possible impact on the ISAE 3402 scope are not
noted as such. Consequently, there is no auditable procedure to gain insight into the
organization’s controls for managing changes (besides IT General Controls) in a
controllable manner.
For example, during this year a significant update on the financial administration
application will be implemented. This will have an impact on the operating
effectiveness of the automated controls in the application. The company has not
assessed this impact yet. Assessment will be performed in the design phase of the
implementation process.
Result
With the information from the impact assessment of the update of the financial
administration application on the control framework, an estimate can be made of
the impact on the operating effectiveness of the controls in the control
framework. This impact assessment, included in the report and combined with the
described COSO elements, gives the user organization information on how the
significant update of the system can affect the service organization’s services and
maybe even the user organization itself. Based on this information, the user
organization can decide which mitigating activities it might need to perform to
limit the effects of the update on its way of working.
Therefore, this addition is likely to contribute to the overall assessment of future
operating effectiveness of controls.
Applied in practice
There is no Internal Audit function established in this company.
Applied in practice
A significant number of controls at case B can be categorized as automated
controls. These controls will continue to operate effectively over time when no
changes are applied to the systems. When changes are implemented, it is
important to assess how the system changes are implemented and what their effect
has been on the operating effectiveness of the control framework. If the IT General
Control on change management operates adequately, the company can conclude that
the impact of the change has been correctly estimated and that the controls in the
control framework continue to perform effectively.
Result
With a higher number of automated controls, the predictability of the operating
effectiveness of controls becomes higher. An adequately implemented change
management process safeguards the operating effectiveness of the automated
controls. In conclusion, the information on the number of automated controls gives
the user organization indications of the predictability of the operating effectiveness
of the (automated) controls.
2) Include Meta controls, such as monitoring controls over key controls and controls
over reliability of Service Level Reporting in the controls framework.
Applied in practice
The company in case B has Meta controls implemented on the process of
reconciliation of project costs and revenue. These controls include monitoring of
the controls implemented in the financial processing of projects, so that when one of
these controls is about to fail this will be detected in time and appropriate action
can be taken. Within this company many more Meta or monitoring controls
can be implemented to provide assurance of the accurate and timely operation of the
controls and processes.
Result
With this information on Meta controls included in the control framework in
scope, the user organization gains insight into how the service organization
manages to ensure operating effectiveness of its controls. If no Meta controls are
implemented, the chance is significantly higher that failure of controls is not
detected in time or not at all. Having Meta controls contributes to a stronger internal
control system. Consequently, it would seem that the amount and operating
Reporting
1) The service auditor shall inquire whether the service organization is aware of any
events subsequent to the period covered by the service organization’s description
of its system up to the date of the service auditor’s assurance report that could
have a significant effect on the service auditor’s assurance report.
Applied in practice
We were informed that several controls are about to change, right after the period
of review. These are changes to improve or strengthen the control so that its output
meets the control objective better. At this moment this information is included as a
management response to the findings, but no further details on the impact on the
controls are given in the report.
Result
When more information is given on subsequent events in this case, the impact of
the findings can be better estimated by the user organization. With this impact
assessment, the user organization can either decide to accept the risk from the
finding, because the finding is resolved in the short term, or temporarily
implement complementary user controls. Without this information, the finding
seems worse than it might be.
2) A statement of the limitations of controls and, in the case of a type 2 report, of the
risk of projecting to future periods any evaluation of the operating effectiveness of
controls.
Applied in practice
Apart from the implementation of the update of the financial administration
system, we have identified no other developments that may impact the future
operating effectiveness of the controls.
Result
With the statement on the process of implementing the update of the financial
administration system, upcoming changes and their impact can already be
assessed. Actions to uphold the control objectives can be determined and enclosed
in the report. Also, with the statement that there are no further developments, the user
acquires information on the chance of failure in the future operating effectiveness.
Applied in practice
At this moment the developments on improving controls and solving this year’s
findings are included as management responses in the table of the controls
framework in the appendix of the report. The update of the financial administration
application is briefly mentioned in the system description, but more attention can
be given here to the process of implementation and its impact on the control
objectives and the related control measures.
Result
As a statement of direction is currently lacking, no information is given on the
developments or events within the organization that might impact the scope of the
ISAE 3402 report, the operating effectiveness of the controls in scope and / or the
complementary user controls.
4) The bridge letter needs to reflect on the proposed additions that are likely to
contribute to the assessment of future operating effectiveness of controls.
Applied in practice
Based on the audit schedule for case B, two testing periods (both of a half year)
are defined. As a result, one letter can be issued to cover the time between
reports, i.e. between the two years. Using the bridge letter would inform the user
about the progress of items in the proposed statement of direction or other
relevant information regarding control objectives.
Result
The bridge letter is a good solution for the need for assurance between reports and
can be extended with an evaluation of the statement of direction. It gives the user
indications of the operating effectiveness in the time after the last release of the
report, and therefore of future operating effectiveness when compared to the results from
the most recently released report. But looking strictly at the purpose of the bridge
letter, it does not give information on future operating effectiveness.
Reporting
Although these additions were not found to be as relevant as the others, we would like
to point out that the additions might be relevant to cases which are more subject to
industry and regulatory standards. For instance, a case with controls in the
pharmaceutical industry might be significantly impacted by such changes, which would
definitely affect the future operating effectiveness if not acted upon appropriately by the
service organization.
The bridge letter is not part of the auditor’s section of the ISAE 3402 report and is
therefore not likely to contribute to the aim of our thesis. When a bridge letter is
agreed to be issued, we recommend elaborating on the suggested additions, such as
the directive report by management.
SOC 2/3 practice
As noted in chapter three, SOC 2 / 3 requires that the audit approach should address,
besides the objectives on the financial aspects, the obligatory objectives of the Trust
Service Principles as well. As in this thesis research we are looking for additions to the
regular ISAE 3402 audit approach, additional control objectives are not desirable.
Therefore, from this case study, aspects from SOC 2 / 3 can be used, but should be
applied within the ISAE 3000 framework. The audit (and resulting report) can be
executed within ISAE 3000, in which the standard gives flexibility to implement
aspects from, for example, SOC 2 / 3.
2) How is the current ISAE 3402 report used by stakeholders and what information is
missing in the report regarding the future operating effectiveness of the service
organization?
The ISAE 3402 framework is not designed to cover all possible scopes, types of
assurance, objects of research and periods. For different (commercial) reasons,
companies would like to fit as much as possible into the report, which is in conflict with
the original goal of the framework. In practice, the ISAE 3402 framework is therefore
sometimes used to report on more than the framework was intended to provide.
Although companies would like to report on the future operating effectiveness of
controls, the framework does not support these kinds of statements. The few elements in
the framework that might be of use to contribute to sub question three are:
• Obtaining an Understanding of the Service Organization’s System
• Obtain evidence
• Subsequent Events
• Preparing the Service Auditor’s Assurance Report
• Bridge letter
The last item needs to be part of the scope of the execution of the audit since these
are controls regarding organizational change management. This can be done by either
including it in the controls framework or describing the approach in the COSO
elements.
The ratios above contribute to an understanding of the maturity of the internal control
system as well as the reliance on automation or monitoring controls. Besides the
ratios, the auditor can express to the service organization the importance of including
automated controls and Meta controls in the controls matrix.
Reporting
The report as we know it should be extended with a section written by the
management of the service organization in which they elaborate on:
• Subsequent events between the report date and period in scope
• Foreseen events within the next year of the period in scope
• A statement of the limitations of controls and a projection to future periods
• A statement of direction with associated risks and planned mitigating actions
The purpose and structure of this section are similar to ISA 520, with the management
description and the auditors’ assessment. However, the purpose of this section is
focused on the future operating effectiveness.
When a bridge letter is issued, we suggest elaborating on the section above to inform
the users of the report about the developments regarding the foreseen events.
• One of the biggest benefits is the standardized audit approach that the ISAE 3402
framework entails. The report framework provides a clear structure, which also
shows in the resulting reports. The only variable elements in an ISAE 3402
framework are the control objectives and controls in scope; the other aspects
are included in the provided structure.
• One of the limitations regards the misunderstanding of the intended use of the
ISAE 3402. The ISAE 3402 has been designed as an auditor-to-auditor report,
and its framework is defined based on this principle. So by nature the
framework does not require that the auditor provides information on aspects
such as availability, continuity, confidentiality etc. An auditor is merely
interested in the controls which have an impact on the reliability of the
financial data, as stated in the ISAE 3402 framework.
In practice, this understanding does not directly affect the work in the ISAE
3402 audits; it only creates an expectation gap between the auditor, user
organization and service provider when the scope is not clearly defined.
1) Organization
2) Processes
3) People
4) Technology
5) Related controls
• A web-based portal should be implemented which gives direct insight into
the status of control objectives. This overview can be used in quarterly reviews
which can be reported to the clients.
• In the opinion of the Client of the service provider, the COO is becoming more
important than the CFO. The COO also focuses on the future rather than
the past, in contrast to the CFO. Therefore, the ISAE 3402 framework fits
better with the CFO’s needs than the COO’s needs.
• Both the SAS70 and ISAE 3402 frameworks are being used for other purposes
than originally intended and therefore a situation is created in which the value
of the report is found to be limited. The expectations (reporting on the
organization’s business performance) do not match what the report offers
(reporting on the organization’s controls which affect its financial
performance). For this reason, fewer companies are willing to pay for
the report. SAS70 (and later ISAE 3402) remains an auditor-to-auditor report.
The interviewee’s opinion is supported by an article (Heiser & Caldwell,
2010), as he himself suggested.
1) The auditor discusses the need for assurance with the customer(s)
2) The correct means is selected, which may vary from an ISAE 3402 report to a
simple memo, depending on the nature of the audit object
3) The goal for usage of the work to be performed (and its result in a report)
should be clearly defined between auditor and auditee
Based on the detailed information on the test work, the user of the report can
combine this information with its self-gathered information and determine its
own view on the future operating effectiveness of the specific control measure.
• Forward-looking assurance (in business terms) is an emerging movement,
which is driven by, for example, James Turling from EY. As a company, one
should have Key Assurance Indicators in place. These indicators can be covered
by an ISAE 3402 report when the scope regards the financial statements.