Third party assurance reports have become an integral part of outsourcing transactions: they represent an auditor’s report on the controls in place at a service provider that impact a customer’s financial reporting. In this posting, I want to look at the new Canadian standard, CSAE 3416. Before doing so however, I want to consider third party assurance reporting in more detail.
Third Party Assurance Reporting
Third party assurance reports relate to the control objectives and controls established by a service provider, i.e. it is the service provider that is responsible for the control objectives relating to its business, the specific controls that are implemented and for the completeness, accuracy and presentation of its policies and procedures. In the third party assurance report, an auditor retained by the service provider audits the controls and expresses an opinion about the controls based on the results of its audit.
For example, a service provider may establish control objectives in respect of its business that relate to its procedures to ensure the confidentiality of information, the effectiveness of its change control procedures or the protection of its facilities against unauthorized access. For each of these control objectives, the service provider will also establish a series of controls that are designed to achieve the objective. Take the control objective that the service provider’s controls provide reasonable assurance that its facilities are protected against unauthorized access. The service provider’s controls in support of this objective might well include the following:
- the service provider’s resources are subject to site access controls in the service provider’s data centres;
- the service provider’s data centres are protected by a video surveillance system; and
- the security and guard services at the service provider’s data centres follow physical security procedures.
In preparing the third party assurance report, the auditor retained by the service provider will audit the controls in place at the service provider to obtain reasonable assurance about whether: (1) the description of the controls presents fairly, in all material respects, the aspects of the service provider’s controls that may be relevant to a customer’s internal control as it relates to an audit of the customer’s financial statements; (2) the controls included in the description were suitably designed to achieve the control objectives specified in the description, if those controls were complied with satisfactorily; and (3) the controls had been placed in operation as of a specified date (and, where the report also covers operating effectiveness, operated effectively throughout the specified period).
Since 2006, in Canada, the standard to be applied by auditors in performing third party assurance reports has been the Canadian Institute of Chartered Accountants (“CICA”) Handbook, Section 5970, Auditor’s Report on Controls at a Service Organization, commonly referred to as a Section 5970 Audit or a Section 5970 Report. But that is now changing. The Auditing and Assurance Standards Board (“AASB”), the body responsible for developing and establishing standards and guidance governing auditing and assurance in Canada, has issued a new standard, Canadian Standard on Assurance Engagements 3416, Reporting on Controls at a Service Organization (“CSAE 3416”), that will become the standard for third party assurance reports issued for periods ending on or after December 15, 2011 (although earlier implementation is permitted).
The new Canadian standard was a response to developments internationally and in the United States. For many years, in the absence of an international standard for assurance engagements, service providers were forced to offer international customers reports done according to the U.S. standard or to undertake multiple audits according to varying local standards. To deal with this and other issues affecting third party assurance reporting, the International Auditing and Assurance Standards Board (“IAASB”) developed and issued an international standard, International Standard on Assurance Engagements 3402, Assurance Reports on Controls at a Service Organization (“ISAE 3402”). The standard was published in December 2009, to be effective for periods ending on or after June 15, 2011 (earlier implementation was permitted). It was not the intention of the IAASB to replace national standards for assurance engagements. Instead, it wanted to provide service providers with an alternative to issuing multiple reports under varying local standards.
The American standard, Statement on Auditing Standards No. 70, or SAS 70, had been issued by the American Institute of Certified Public Accountants (“AICPA”) in 1992. In the intervening years, it had arguably become the gold standard for audits of internal controls at a service provider. As the IAASB was developing the new international standard, however, the United States was reviewing its standards with a view to bringing them in line with the international ones. The Auditing Standards Board of the AICPA also used the review as an opportunity to reconsider service provider audits and whether the standards that applied should be considered “audit standards” as opposed to “attestation standards” (Statement on Auditing Standards (SAS) versus Statement on Standards for Attestation Engagements (SSAE)). In April 2010, the Auditing Standards Board issued Statement on Standards for Attestation Engagements No. 16, Reporting on Controls at a Service Organization (“SSAE 16”). As with the international standard, SSAE 16 was effective for periods ending on or after June 15, 2011, with earlier implementation being permitted.
In the “Basis for Conclusions” document prepared by staff of the Auditing and Assurance Standards Board relating to CSAE 3416 (available at http://www.aasbcanada.ca/basis-for-conclusions/item40880.pdf), the AASB’s objectives in developing CSAE 3416 were identified:
The AASB’s objective was to develop a Canadian Standard on Assurance Engagements equivalent to SSAE 16, making only minimal amendments to the wording of the SSAE to:
(a) avoid any inconsistency with Other Canadian Standards; or
(b) address circumstances particular to the Canadian environment where amendments are required to serve the Canadian public interest and maintain the quality of auditing and reporting in Canada.
Since SSAE 16 was developed on the basis of ISAE 3402 but amended to respond to U.S. requirements, aligning the new Canadian standard with the U.S. standard also aligned it with the international standard. Although the Basis for Conclusions document identified three areas where amendments were made to SSAE 16 in finalizing the Canadian standard (e.g. in respect of cross-references to Canadian auditing standards), it concluded that CSAE 3416 was aligned with the U.S. standard in all material respects.
CSAE 3416 does not represent a radical overhaul of the standards for third party attestation engagements. In many ways, the new standard is similar to CICA, Section 5970, for example:
- The scope of the attestation engagements under CSAE 3416 continues to be focussed on controls likely to be relevant to customers’ internal controls over financial reporting;
- Two types of reports may be issued: a Type 1 report attesting to the fair presentation and design of the service provider’s controls and a Type 2 report attesting to the fair presentation, design and operating effectiveness of the controls; and
- Use of the report is limited to management of the service provider, existing customers and their auditors. The CSAE 3416 report is not intended to be used by service providers in marketing their services to potential customers.
There are differences however that will impact service providers. These differences include:
- Management of the service provider is now required to provide a written assertion about the service provider’s controls. This requires management to state, in the case of a Type 1 report, that the controls are fairly presented and suitably designed and, in the case of a Type 2 report, that the controls are fairly presented, suitably designed and operating effectively to achieve the identified control objectives. It is not intended, however, that the auditor report on the written assertion provided by the service provider’s management.
- If the auditor relies on the work of the service provider’s internal audit in the engagement, this fact needs to be disclosed in the report.
Neither the similarities between CICA Section 5970 and CSAE 3416 nor the differences between the standards that are identified above are intended to be comprehensive. However, as December 15, 2011 approaches, there has been an outpouring of information about CSAE 3416. It is important for outsourcing counsel to spend the time reviewing the material and getting an understanding of the new standard, if only to be able to appreciate the benefits and the limitations of third party assurance reports prepared in accordance with it.