International Standard on Assurance Engagements (ISAE) 3402, titled Assurance Reports on Controls at a Service Organization, is an international assurance standard that describes Service Organization Control (SOC) engagements, which provides assurance to an organization's customer that the service organization has adequate internal controls. [1] ISAE 3402 was developed by the International Auditing and Assurance Standards Board (IAASB) and published by the International Federation of Accountants (IFAC) in 2009. It supersedes SAS 70. and puts more emphasis on procedures for the ongoing monitoring and evaluation of controls. [2]
An ISAE 3402 attestation including an audit report is regarded as a quality criterion for service providers that distinguishes them from competitors. [3]
It also pays for a customer to contract with a service provider that holds an ISAE 3402 attestation: the auditor of the customer can rely on the attestation of the service organization, resulting in a reduced necessary audit budget.
The scope of an ISAE 3402 engagement is control set of the service organization, or to be more precise the service organizations controls over services, functions performed and applications that are likely to be relevant for the customer and its auditor to evaluate the internal control over financial reporting [ further explanation needed ]. It is also known as "Internal Control Framework over Financial Reporting" (ICFR)[ citation needed ]. When performing an ISAE 3402 the auditor has to take the position of the customer, selecting and testing controls that are relevant for the customer.
The ISAE 3000 standard is a more general standard for assurance engagements both for financial and non-financial purposes. Assurance engagements according to ISAE 3402 require compliance of the auditor with ISAE 3000.
ISAE 3402 defines two kinds of reports:
ISAE 3402 is a SOC 1 engagement. SOC is an acronym coined by the American Institute of Certified Public Accountants (AICPA) for service organizations controls, and was re-coined in 2017 as system and organizational controls. AICPA has defined three types of SOC reports: SOC 1, SOC 2, and SOC 3. SOC 1 is an abbreviation for SOC for Service Organizations: ICFR. SOC 2 is an abbreviation for SOC for Service Organizations: Trust Services Criteria. SOC 3 is an abbreviation for SOC for Service Organizations: Trust Services Criteria for General Use Report. [3]
SOC 2 engagements are performed on the basis of the more general ISAE 3000, whereas SOC 1 engagements are performed on the basis of ISAE 3402 (see above).
In order to be able to read and understand an ISAE 3402 report, some core terms are essential:
Accounting, also known as accountancy, is the process of recording and processing information about economic entities, such as businesses and corporations. Accounting measures the results of an organization's economic activities and conveys this information to a variety of stakeholders, including investors, creditors, management, and regulators. Practitioners of accounting are known as accountants. The terms "accounting" and "financial reporting" are often used interchangeably.
Assurance service is an independent professional service, typically provided by Chartered or Certified Public Accountants or Chartered Certified Accountants, with the goal of improving information or the context of information so that decision makers can make more informed, and presumably better, decisions. Assurance services provide independent and professional opinions that reduce information risk.
An information technology audit, or information systems audit, is an examination of the management controls within an Information technology (IT) infrastructure and business applications. The evaluation of evidence obtained determines if the information systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization's goals or objectives. These reviews may be performed in conjunction with a financial statement audit, internal audit, or other form of attestation engagement.
In the United States, Statements on Auditing Standards provide guidance to external auditors on generally accepted auditing standards in regards to auditing a non-public company and issuing a report. They are promulgated by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA), which holds all copyright on the Standards. They are commonly abbreviated as "SAS" followed by their respective number and title.
The Institute of Chartered Accountants of India, abbreviated as ICAI, is India's largest professional accounting body under the administrative control of Ministry of Corporate Affairs, Government of India. It was established on 1 July 1949 as a statutory body under the Chartered Accountants Act, 1949 enacted by the Parliament for promotion, development and regulation of the profession of Chartered Accountancy in India.
International Standards on Auditing (ISA) are professional standards for the auditing of financial information. These standards are issued by the International Auditing and Assurance Standards Board (IAASB). According to Olung M, ISA guides the auditor to add value to the assignment hence building confidence of investors.
Materiality is a concept or convention within auditing and accounting relating to the importance/significance of an amount, transaction, or discrepancy. The objective of an audit of financial statements is to enable the auditor to express an opinion on whether the financial statements are prepared, in all material respects, in conformity with an identified financial reporting framework, such as the Generally Accepted Accounting Principles (GAAP) which is the accounting standard adopted by the U.S. Securities and Exchange Commission (SEC).
In financial auditing of public companies in the United States, SOX 404 top–down risk assessment (TDRA) is a financial risk assessment performed to comply with Section 404 of the Sarbanes-Oxley Act of 2002. Under SOX 404, management must test its internal controls; a TDRA is used to determine the scope of such testing. It is also used by the external auditor to issue a formal opinion on the company's internal controls. However, as a result of the passage of Auditing Standard No. 5, which the SEC has since approved, external auditors are no longer required to provide an opinion on management's assessment of its own internal controls.
In the United States, the Auditing Standards Board (ASB) is the senior technical committee designated by the American Institute of Certified Public Accountants (AICPA) to issue auditing, attestation, and quality control statements, standards and guidance to certified public accountants (CPAs) for non-public company audits. Created in October 1978, it is composed of 19 members representing various industries and sectors, including public accountants and private, educational, and governmental entities. It issues pronouncements in the form of statements, interpretations, and guidelines, which all CPAs must adhere to when performing audits and attestations.
The chief audit executive (CAE), director of audit, director of internal audit, auditor general, or controller general is a high-level independent corporate executive with overall responsibility for internal audit.
Emphasis of matter is a type of paragraph in an auditors' report on financial statements. Such a paragraph is added to indicate a matter which is disclosed appropriately in the notes forming part of the financial statements that the auditor considers is fundamental to the users' understanding of the financial statements.
The International Federation of Accountants (IFAC) is the global organization for the accountancy profession. Founded in 1977, IFAC has 180 members and associates in 135 jurisdictions, representing more than 3 million accountants in public practice, education, government service, industry, and commerce. The organization supports the development, adoption, and implementation of international standards for accounting education, ethics, and the public sector as well as audit and assurance. It supports four independent standard-setting boards, which establish international standards on ethics, auditing and assurance, accounting education, and public sector accounting. It also issues guidance to professional accountants in small and medium business accounting practices.
The International Ethics Standards Board for Accountants (IESBA) develops and promotes the International Code of Ethics for Professional Accountants. The IESBA also supports debate on issues related to accounting ethics and auditor independence.
The Forum of Firms is an association of international networks of accounting firms that perform transnational audits.
Delaware Depository is a privately held precious metals custody and distribution center founded in 1999. Located in Wilmington, Delaware, Delaware Depository provides precious metals bullion custody, safekeeping, and distribution services for IRA custodians, financial institutions, broker-dealers, refiners, and individual investors. Customers have the option of storing bullion in either Wilmington, DE, Orange County, CA, or internationally, in Canada or Switzerland.
ISAE 3000 is the standard for assurance engagements other than audits or reviews of historic financial information. ISAE 3000 is issued by the International Auditing and Assurance Standards Board (IAASB). The standard consists of guidelines for the ethical behavior, quality management and performance of an ISAE 3000 engagement.
Statement on Standards for Attestation Engagements no. 16 is an auditing standard for service organizations, produced by the American Institute of Certified Public Accountants (AICPA) Auditing Standards Board, which supersedes Statement on Auditing Standards no. 70 and has been superseded by SSAE No. 18.
Statement on Standards for Attestation Engagements no. 18 is a Generally Accepted Auditing Standard produced and published by the American Institute of Certified Public Accountants (AICPA) Auditing Standards Board. Though it states that it could be applied to almost any subject matter, its focus is reporting on the quality of financial reporting. It pays particular attention to internal control, extending into the controls over information systems involved in financial reporting. It is intended for use by Certified Public Accountants performing attestation engagements, the preparation of a written opinion about a subject, and the client organizations preparing the reports that are the subject of the attestation engagement. It prescribes three levels of service: examination, review, and agreed-upon procedures. It also prescribes two types of reports: Type 1, which includes an assessment of internal control design, and Type 2, which additionally includes an assessment of the operating effectiveness of controls. Published April 2016, SSAE 18 and all previous standards it supersedes are represented in section AT-C of the AICPA Professional Standards, with most sections becoming effective on May 1, 2017.
System and Organization Controls as defined by the American Institute of Certified Public Accountants (AICPA), is the name of a suite of reports produced during an audit. It is intended for use by service organizations to issue validated reports of internal controls over those information systems to the users of those services. The reports focus on controls grouped into five categories called Trust Service Criteria. The Trust Services Criteria were established by The AICPA through its Assurance Services Executive Committee (ASEC) in 2017. These control criteria are to be used by the practitioner/examiner in attestation or consulting engagements to evaluate and report on controls of information systems offered as a service. The engagements can be done on an entity wide, subsidiary, division, operating unit, product line or functional area basis. The Trust Services Criteria were modeled in conformity to The Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control - Integrated Framework. In addition, the Trust Services Criteria can be mapped to NIST SP 800 - 53 criteria and to EU General Data Protection Regulation (GDPR) Articles. The AICPA auditing standard Statement on Standards for Attestation Engagements no. 18, section 320, "Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting", defines two levels of reporting, type 1 and type 2. Additional AICPA guidance materials specify three types of reporting: SOC 1, SOC 2, and SOC 3.