A shift in third party assurance reporting is on the way
A new standard in Third Party Assurance: ISAE 3402
International Standard on Assurance Engagements (ISAE) 3402
Recently a change in third party assurance standards occurred with the introduction of International Standard on Assurance Engagements (ISAE) 3402 by the International Federation of Accountants (IFAC). Third party assurance reports provide users (clients, accountants, authorities) with information regarding the internal controls in a service organization (i.e. basically any company that provides outsourced services, including trust offices).
According to the Dutch Central Bank, which oversees trust offices, trust offices are obliged to organize their administrative organization and internal controls in such a way that they, among other things:
• know and have recorded the identity of the ultimate beneficial owner and the origins of the assets of the company, legal person (target company) or trust administered by the trust office;
• know the origins and intended use of the target company's assets and are familiar with the relevant parts of the structure of the group to which the target company belongs; and
• know the identity of the buyer and anyone with a qualifying holding in the buyer, if the trust office is selling a legal entity.
A trust office must also keep a written record of the basic principles relating to controlling integrity risks, as elaborated in organizational and administrative procedures and measures.
Amid recent substantial growth of the (trust) services sector, both in terms of client base and the scope of the services being offered, heightened awareness of the above regulatory requirements has brought renewed focus to end users (clients) who may have previously incorrectly absolved themselves of responsibility on the basis that a service organization completes certain activities on their behalf.
User organizations (clients) and regulatory bodies (DNB) need to gain comfort over the design and operating effectiveness of service organization controls which support significant balances. This leaves the service organization with two choices:
(1) Service annual audit requests from multiple clients; or
(2) Complete a third party assurance report over those activities which are relevant to financial reporting, and share that report with relevant clients.
The most widely used and well-known third party assurance reporting standard is the AICPA-issued SAS 70, although local standards such as the UK-issued AAF01/06 and AAF02/07 are also utilized.
The new standard provides service organizations and user organizations with some great opportunities and benefits: it is expected to ‘open the door’ to reporting on controls beyond financial reporting in areas such as regulatory or compliance controls, operational controls, and business resumption/disaster recovery planning controls. The proposed standards require that management of the service organization provide a formal assertion acknowledging its responsibilities for the controls, providing user auditors and user organizations with a greater level of comfort. In addition, the new international standard will also provide more consistent reporting globally, thereby eliminating the need to understand or interpret multiple report standards.
Specifically, service organizations should consider the following:
• What processes does management of the service organization have in place to provide them with support when completing the management assertion over the controls in place? Expanding the report beyond financial reporting may create a perceived threat or opportunity for the service organization.
• Are customers (and/or accountants, regulators, supervisors) seeking additional comfort in a particular area or areas that the service organization has not historically incorporated, either because of limitations with the existing control standards or concern that the area is not prepared for a review?
• Will management take advantage of the opportunity to report on controls in one or more areas beyond financial reporting to meet customers' and regulators' demands?
• Has management of the service organization considered information contained in its contracts and service level agreements and the need to incorporate these requirements into future control reports?
• Has management of the service organization reviewed the current compliance activities for opportunities to reduce compliance costs through simplified and consolidated reporting under the proposed standards?
The new standard will be effective for reporting periods ending on or after 15th June 2011. The new opportunity to expand beyond financial reporting may become a useful competitive advantage, but could also lead to report exceptions as controls in other areas may not be sufficiently formalized or evidenced.
Management should consider performing a comprehensive design effectiveness analysis and operating effectiveness testing to identify control gaps prior to performing an attestation of any new control activities. The benefit of this pre-assessment is to afford management the opportunity to undertake remedial action, as necessary, to address any design or operating effectiveness observations prior to commencing the attestation.
HLB and its business partners are well experienced and equipped to provide you with the necessary methodologies, tools and resources to help you evaluate your internal organization and decide on complying with the ISAE 3402 standard.