Page 534 - ITGC_Audit Guides
GTAG – IT Outsourcing Delivery: Risk and Control Considerations
• Gain assurance by relying on the other assurance providers.
• Play a more proactive advisory role across various aspects of the whole service delivery process — for example, by being involved early in the design of systems to ensure that the user entity’s needs are identified, or by tracking management action.

The ITO Audit

The outsourcing process exposes clients and service providers to a series of risks that can seriously affect their activities. Managing these risks by improving the quality and efficiency of internal control has made the ITO audit a necessary component for all the organizations involved in this process. At the organizational level, the ITO audit can be included not only internally, but also in the external audit process. Moreover, the ITO audit can be extended from the user entity to the service provider through mutual collaboration. Alternative audit approaches, such as walk-throughs and continuous monitoring, can enhance the collaboration between service provider and client and elevate the level of assurance obtained through auditing.

ISAE 3402/SSAE 16

ISAE 3402 has become a widely recognized standard and indicates that a service provider has had its control objectives and activities examined by an independent accounting and audit firm. Third-party reports on internal controls in service organizations describe the control processes in services performed by a service provider. Such reports give users information to assess and address the risks associated with an outsourced service. If a service provider has an ISAE 3402 review conducted, it gains the credibility essential to meeting the accounting and regulatory compliance needs of its customers. Service-provider audits are necessary to a user entity’s ability to assert that it has appropriate audit and control procedures to manage its business under Section 404(b) of the Sarbanes-Oxley Act.

The Standards

International Standards: In December 2009, the IAASB adopted ISAE 3402 as an “attest” procedure for assessing service organizations’ compliance with IT and process controls. An attestation involves an audit professional’s assertion about subject matter other than the fairness of the presentation of financial statements. An attestation may be less rigorous than an audit. Service auditor reports might still survive by special request from enterprise customers.

U.S. Standards: In April 2010, the AICPA’s Auditing Standards Board (ASB) issued SSAE 16. Like ISAE 3402, SSAE 16 is an attest report.

AICPA Service Organization Controls Reports: In implementing SSAE 16, the AICPA has adopted three service organization controls (SOC) reports to expand the scope of issues examined by CPAs as service auditors. This helps organizations gain more trust in service delivery processes. Under the SOC label, there are three separate categories of service audits, designed to allow service providers to meet specific needs and refocus on niche risks:
• SOC 1 Report – Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting.
• SOC 2 Report – Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy.
• SOC 3 Report – Trust Services Report for Service Organizations.

Service Auditor’s Reliance on Internal Audit Function: The new attest standards will allow the service auditor to rely not only on management’s description of the processes but also on the service provider’s internal auditors.

The Problem with Over-reliance

In the past, SAS 70 Type II audits have often been used as the de facto standard for publicly traded companies to meet their Sarbanes-Oxley Section 404(b) “audit and internal control” disclosure requirements. This includes outsourcing contracts. However, the new “attest” reports will remove a layer of comfort for users, because the service auditors will not be exercising as much critical judgment as they would have under SAS 70 Type II. In short, the user entity will exercise its own judgment about the acceptability of the attest reports and may ask for a special attest report on user-defined “control objectives.” User entities now will have to rely more on the service providers to perform the risk analysis, and the users will need to spot gaps in that analysis.

Under the new assurance standards, it is the service provider’s responsibility to define the risks it faces and how it plans to monitor and mitigate those risks to ensure that the stated control objectives will be achieved.

Monitoring KRIs

Monitoring for emerging risk and responding with prompt action is the way forward. A KRI is a measure used in management to indicate how risky an activity is. Whereas a KPI measures how well something is being done, a KRI is an indicator of the possibility of future adverse impact. KRIs act as early warning signals by indicating changes in an organization’s risk profile. As such, KRIs are a fundamental component of a full-featured risk and control