Sunday, April 19, 2009

Understanding CICA 5970 and SAS 70





Here is an interesting article from CA Magazine which sheds some light on the CICA 5970 and SAS 70 standards.


Enjoy the read.

......................................................

At your service

By Joy Keenan
Illustration: Mike Constable

With the dramatic increase in the use of service organizations, the AASB presents new standards for such groups

Since the CICA’s Auditing and Assurance Standards Board (AASB) issued two service organizations standards in 1987 (CICA Handbook – Assurance Section 5900, Opinions on Control Procedures at a Service Organization, which provides guidance on the service auditor’s responsibilities, and Section 5310, Audit Evidence Considerations When an Enterprise Uses a Service Organization, which provides guidance to user auditors when using the service auditor’s report in an audit engagement) a number of developments have redefined the environment.

The use of service organizations has increased dramatically, for example: service organizations are providing much more varied and complex services; companies outsource nonstrategic business functions; service organizations increasingly operate on a global scale, resulting in a crossborder flow of outsourced services; and companies cut costs by outsourcing.

Thus, the service organizations may represent a larger proportion of an entity’s internal control.

The Sarbanes-Oxley Act of 2002 and related standards have resulted in an increased focus on internal control, including management’s responsibility for internal control resident at service organizations.

New standards have been issued: the AICPA’s Statement on Auditing Standards No. 70 (SAS 70), Service Organizations, and PCAOB’s Auditing Standard No. 2, An Audit of Internal Control over Financial Reporting Performed in Conjunction with an Audit of Financial Statements, containing more detailed requirements for such engagements than Section 5900.

In 2004, with these developments in mind, the AASB started a project to update the standards. The two new standards — Section 5970, Auditor’s Report on Controls at a Service Organization, and Section 5310, Audit Evidence Considerations When an Entity Uses a Service Organization — were released in July 2005.

The AASB recognized at the outset that one standard could not meet the full array of users’ needs related to service organizations. However, it decided the highest priorities, from a standard-setting viewpoint, are to support user organizations and their auditors in fulfilling regulatory requirements related to internal control over financial reporting. The AASB noted that the AICPA’s guidance in this matter is robust and there was no need to reinvent the wheel. That led to AASB’s decision to harmonize the Canadian standards with the AICPA’s Statement on Auditing Standards No. 70, Service Organizations (SAS 70).

Because SAS 70 is geared to those service organization controls related to financial reporting at user organizations, new Section 5970 also focuses on such controls. Most respondents to the January 2005 Exposure Draft supported this stance. Others, however, objected because Section 5900 permitted reporting not only on controls related to financial reporting but also controls over other aspects of a service organization’s operations. They suggested leaving Section 5900 intact, whether or not a new standard based on SAS 70 was issued. The AASB felt these concerns had merit, but on balance felt that having two standards dealing with a similar subject matter would cause a great deal of confusion for all stakeholders, including service auditors, user auditors, user organizations and regulators. Further, as noted earlier, Section 5900 was out of date because of recent developments and would have required a significant effort to update. The AASB concluded that practitioners can respond to requests by service organizations to audit operations and other controls beyond the scope of Section 5970 by performing engagements under other existing Canadian standards, such as those for assurance engagements (Standards for Assurance Engagements, CICA Handbook – Assurance Section 5025, establish a framework for performing an assurance engagement, including general, examination and reporting standards and guidance) including SysTrust or specified procedures.

The new requirements
Section 5970 contains the following new requirements for service auditors.

The service auditor needs to understand how the service organization’s controls might affect the user organizations’ internal control. Internal control would be considered in the context of a recognized framework, such as the Committee of Sponsoring Organizations framework of internal control related to financial reporting. Under Section 5900, the service auditor was able to report on any control objectives specified, including those outside financial reporting. Further, there was no requirement to use a suitable framework.

The service auditor is required to determine if control objectives specified by the service organization are reasonable in the circumstances and consistent with the service organization’s contractual obligations. Under Section 5900, the service auditor was responsible to assess reasonableness of the control objectives, but only to assess if the control procedures were suitably designed to meet the stated internal control objectives of the system.

A Type 2 report (dealing with the operating effectiveness of controls) must cover a minimum reporting period of six months to be useful to user auditors.

Type 2 reports must contain a reference to a description of tests of specific service organization controls designed to obtain evidence about the operating effectiveness of those controls in achieving specified control objectives. This description needs to include information on:

* the controls the service auditor tested and the control objectives the controls were intended to achieve;
* the nature, timing and extent of the tests applied to those controls, as well as enough detail to enable user auditors to determine the effect of such tests on user auditors’ assessments of control risk, including the results of those tests;
* the causative factors for exceptions, to the extent the service auditor has identified such factors;
* the current status of corrective actions, to the extent the service auditor has determined the status; and
* qualitative aspects of exceptions noted, to the extent the service auditor has obtained such information.

Under revised Section 5310, user auditors also face some new requirements for evaluating a service auditor’s report. Section 5310 provides standards and detailed guidance on the user auditor’s use of a service auditor’s report: in planning the audit; as audit evidence in relation to assessing the risks of material misstatement in the financial statements, in particular, control risk; and as part of the audit evidence necessary to support their opinions in circumstances when the service auditor has performed specified substantive procedures on balances and transactions processed by the service organization.

Section 5310 also provides guidance for evaluating the evidence provided by the service auditor’s report, including assessing the professional reputation, competence and independence of the service auditor.

To assist service auditors in understanding and applying the new standard in practice, the AASB included additional guidance, adapted from other US sources of guidance on SAS 70, on matters it considered important. That additional guidance includes complementary user organization controls; changes in controls at the service organization; deficiencies in the service organization’s controls; and the service organization’s and user auditor’s responsibilities with respect to illegal acts, fraud and uncorrected errors at the service organization.

Implementation
The AASB recognizes that the market may need time to adjust to the new standards. Service auditors will need to educate their clients and users about the impact of the new standards. For example, existing outsourcing contracts or regulations that specify a Section 5900 report may need to be amended and/or new contracts entered into in order to address such requirements. As well, service auditors and user auditors will need time to revise their methodologies to reflect the requirements of the new standards.

In addition, respondents to the exposure draft indicated that service organizations need sufficient time to remediate control deficiencies that might be reported under a new Section 5970 engagement (in particular, in a Type 2 engagement, which reports the results of tests performed).

For these reasons, the AASB has deferred the implementation of the new standards until January 1, 2006, although earlier adoption is permitted. The AASB recognizes that, in the transition period, service auditor reports may unavoidably be issued under either former Section 5900 or new Section 5970. Thus, users of such reports are cautioned to read the report carefully to determine whether it meets their needs, particularly if they have a regulatory requirement to report on their internal control over financial reporting.

Respondents to the exposure draft also indicated specific guidance is needed on the use of subservice organizations. The AASB is in the process of developing an Assurance and Related Services Guideline dealing with the specific issue of subservice organizations to address multiple-tiered service organization structures.

The AASB also plans to develop questions and answers to specific issues of concern to practitioners, which will be posted on the AASB’s website.

Looking ahead
The AASB is aware of the ongoing importance of service organizations to the internal control of user organizations. It will continue to monitor and respond to developments on the international and US fronts. In particular, when identifying its future projects, the AASB will consider the need for additional guidance on applying the Section 5025 requirements to engagements to report on controls at a service organization beyond those related to internal control over financial reporting.

Joy Keenan, CA•CISA, is a principal with Auditing and Assurance Standards

Technical editor: Ron Salole, vice-president, Standards

