Statement on Auditing Standards – SAE 3402

SAE 3402 – Statement on Auditing Standards

Scope and objectives

SAE 3402 – the standard on assurance engagements undertaken by professional accountants in public practice to provide a report on the controls at a service organization that provides a service likely to be relevant to user entities’ internal control as it relates to financial reporting. This SAE 3402 applies only to assertion-based engagements that convey reasonable assurance, with the assurance conclusion worded directly in terms of the subject matter and criteria.

It controls related to a service organization’s operations and compliance objectives may be relevant to a user entity’s internal control as it relates to financial reporting. The determination of whether controls at a service organization related to operations and compliance are likely to be relevant to user entities’ internal control as it relates to financial reporting is a matter of professional judgment, having regard to the control objectives set by the service organization and the suitability of the criteria.

The SAE 3402 only deals with assertion-based engagements that convey reasonable assurance, with the assurance conclusion worded directly in terms of the subject matter and the criteria. It applies only when the service organization is responsible for, or otherwise able to make an assertion about, the suitable design of controls.

The objectives of the service auditor, which are to obtain reasonable assurance about whether, in all material respects, the service organization’s description of its system fairly presents the system as designed and implemented throughout the specified period and the controls related to the control objectives stated in the service organization’s description of its system were suitably designed throughout the specified period.

The SAE 3402 expands on how the requirements of the Framework for Assurance Engagements are to be applied in a reasonable assurance engagement to report on controls at a service organization. Compliance with the Framework for Assurance Engagements requires, among other things, that the service auditor comply with the Code of Ethics of the Institute of Chartered Accountants of India and implement quality control procedures applicable to the individual engagement. This SAE 3402 is effective for service auditors’ assurance reports covering periods ending on or after April 1, 2011.

Ethical Requirements

The specific requirements for service auditors in performing an engagement in accordance with the Service Auditor Reporting Standard (SAE). It states that a service auditor cannot claim compliance with the SAE 3402 unless they have complied with the requirements of both the SAE 3402 and the Framework for Assurance Engagements.

The service auditor is also required to comply with relevant ethical requirements, including those related to independence. However, in the context of this SAE 3402, the Code of Ethics of the Institute of Chartered Accountants of India (ICAI) does not require the service auditor to be independent from each user entity.

When the SAE 3402 requires the service auditor to interact with the service organization, they must determine the appropriate person(s) within the service organization’s management or governance structure to interact with. This decision should be based on factors such as the person(s)’ responsibilities and knowledge of the matters concerned. The appropriate management and governance structures may vary depending on the jurisdiction and the entity, making it necessary for the service auditor to use professional judgment in identifying the right personnel to interact with.

Acceptance and Continuance

The requirements and responsibilities of a service auditor before accepting or continuing an engagement with a service organization. The service auditor must ensure that they have the necessary capabilities and competence to perform the engagement, which includes knowledge of the relevant industry, an understanding of information technology and systems, and experience in evaluating risks, designing and executing tests of controls, and evaluating the results.

The service auditor must also obtain the agreement of the service organization that they acknowledge and understand their responsibility for preparing the description of their system, providing a reasonable basis for their assertion accompanying the description of their system, stating the criteria used to prepare the description, identifying the risks that threaten achievement of the control objectives stated in the description of their system, and designing and implementing controls to provide reasonable assurance that those risks will not prevent achievement of the control objectives stated in the description.

Additionally, the service auditor must have access to all relevant information, documentation, and personnel within the service organization and be provided with any additional information necessary for the engagement.

If the service organization requests a change in the scope of the engagement before completion, the service auditor must determine if there is a reasonable justification for the change. Requests to exclude control objectives or if the service organization will not provide a written assertion may not have a reasonable justification, while requests to exclude non-applicable areas or to expand the scope may have a reasonable justification.

Assessing the Suitability of the Criteria

Assessing suitability of criteria used by service organizations in preparing their system descriptions and evaluating their controls. The guidelines are in accordance with the Framework for Assurance Engagements, which provides a standard for the conduct of assurance engagements.

The service auditor must assess whether the criteria used by the service organization are suitable for evaluating the design and operation of their controls. The auditor must ensure that the criteria encompass specific requirements for the service organization’s system description, including how the system was designed and implemented, the types of services provided, procedures used to provide services, related records and supporting information, control objectives and controls designed to achieve those objectives, complementary user entity controls, and other relevant aspects of the control environment, risk assessment process, information system, communication, control activities, and monitoring controls.

For evaluating the design of controls, the auditor must determine if the criteria encompass whether the service organization has identified the risks that threaten achievement of control objectives stated in the system description, and whether the controls identified in that description would provide reasonable assurance that those risks do not prevent the stated control objectives from being achieved.

For evaluating the operating effectiveness of controls, the auditor must determine if the criteria encompass whether the controls were consistently applied as designed throughout the specified period, including manual controls applied by individuals who have the appropriate competence and authority.

Criteria must be available to intended users to allow them to understand the basis for the service organization’s assertion about the fair presentation of its system description, the suitability of the design of controls, and the operating effectiveness of controls related to control objectives.

SAE 3402 also provides a table that identifies the subject matter and minimum criteria for each of the opinions in type 2 and type 1 reports, which relate to the fair presentation of the system description and the suitability of the design and operating effectiveness of controls.

Obtaining an Understanding of the Service Organization’s System

Obtain an understanding of a service organization’s system, including controls that are within the scope of the engagement. This is important in order to identify the boundaries of the system and how it interacts with other systems, as well as to assess whether the service organization’s description of the system is accurate and complete.

Additionally, the service auditor must determine which controls are necessary to achieve the control objectives stated in the service organization’s description of the system, assess whether controls were suitably designed, and in the case of a type 2 report, whether controls were operating effectively.

The procedures that a service auditor may use to obtain this understanding include inquiring of relevant individuals within the service organization, observing operations, inspecting documents and records of transaction processing, and performing control procedures. The goal is to gain a thorough understanding of the service organization’s system and its controls to provide an accurate and reliable report.

Obtaining Evidence Regarding the Description

The auditor should follow when evaluating a service organization’s system and controls. The service auditor should obtain and read the service organization’s description of its system and evaluate whether the description fairly presents those aspects included in the scope of the engagement. The service auditor should also determine whether the control objectives stated in the description are reasonable in the circumstances, whether the controls identified in the description were implemented, and whether complementary user entity controls, if any, are adequately described.

To evaluate the fair presentation of the description, the service auditor’s procedures may include considering the nature of user entities and how the services provided by the service organization are likely to affect them, reading standard contracts with user entities to gain an understanding of the service organization’s contractual obligations, and reviewing policy and procedure manuals and other systems documentation. The service auditor may also observe procedures performed by service organization personnel.

The service auditor should also determine whether the service organization’s system has been implemented by using other procedures in combination with inquiries, such as observation, inspection of records and other documentation, and tracing items through the system. The procedures should be performed in conjunction with obtaining an understanding of the system and may include specific inquiries about changes in controls that were implemented during the period. Significant changes that are relevant to user entities or their auditors are included in the description of the service organization’s system.

Obtaining Evidence Regarding Design of Controls

The auditors to follow when evaluating the design and effectiveness of controls at a service organization, which is a company that provides services to other companies. These guidelines are designed to ensure that service auditors can provide reasonable assurance to their clients that the controls in place are adequate to prevent or detect and correct material misstatements, which are errors or fraud that could have a significant impact on the financial statements.

The guidelines are divided into two main sections: obtaining evidence regarding the design of controls and obtaining evidence regarding the operating effectiveness of controls.

In the first section, the service auditor is instructed to determine which controls are necessary to achieve the control objectives stated in the service organization’s description of its system and assess whether those controls are suitably designed. This determination involves identifying the risks that threaten the achievement of the control objectives and evaluating the linkage of controls with those risks. The service auditor may use flowcharts, questionnaires, or decision tables to facilitate understanding the design of the controls.

 The service auditor is required to test those controls that are necessary to achieve the control objectives stated in the service organization’s description of its system and assess their operating effectiveness throughout the period. The service auditor is instructed to perform other procedures in combination with inquiry to obtain evidence about how the control was applied, the consistency with which the control was applied, and by whom or by what means the control was applied. The service auditor must determine whether controls to be tested depend upon other controls (indirect controls) and, if so, whether it is necessary to obtain evidence supporting the operating effectiveness of those indirect controls.

Overall, these guidelines are designed to ensure that service auditors provide their clients with a comprehensive evaluation of the controls in place at service organizations, which will help prevent or detect and correct material misstatements in financial statements.

The Work of an Internal Audit Function

The service auditor must first obtain an understanding of the internal audit function’s responsibilities and activities to determine whether it is relevant to the engagement. The internal audit function may perform activities related to the service organization’s internal controls or activities related to the services and systems provided to user entities.

The service auditor must then determine whether the work of the internal auditors is likely to be adequate for the engagement and, if so, the planned effect of the work on the nature, timing, or extent of the service auditor’s procedures. The service auditor should evaluate the nature and scope of the work performed or to be performed by the internal auditors, the significance of that work to the service auditor’s conclusions, and the degree of subjectivity involved in the evaluation of the evidence gathered in support of those conclusions.

If the service auditor decides to use specific work of the internal auditors, they must evaluate and perform procedures on that work to determine its adequacy for the service auditor’s purposes. The nature, timing, and extent of the service auditor’s procedures will depend on the significance of the work to the service auditor’s conclusions, the evaluation of the internal audit function, and the evaluation of the specific work of the internal auditors.

To determine the adequacy of specific work performed by the internal auditors, the service auditor must evaluate whether the work was performed by internal auditors having adequate technical training and proficiency, properly supervised, reviewed and documented, whether adequate evidence has been obtained to enable the internal auditors to draw reasonable conclusions, and whether conclusions reached are appropriate in the circumstances.

If the work of the internal audit function has been used, the service auditor shall make no reference to that work in the section of the service auditor’s assurance report that contains the service auditor’s opinion. Regardless of the degree of autonomy and objectivity of the internal audit function, such function is not independent of the service organization as is required of the service auditor when performing the engagement. The service auditor has sole responsibility for the opinion expressed in the service auditor’s assurance report, and that responsibility is not reduced by the service auditor’s use of the work of the internal auditors.

Written Representations

The written representations that a service auditor must obtain from a service organization during an assurance engagement. Specifically, the service auditor must request the service organization to provide a representation letter that includes certain assertions, separate from and in addition to the service organization’s original assertion. The written representations should include:

(a) A reaffirmation of the assertion accompanying the description of the system

(b) Confirmation that the service auditor has been provided with all relevant information and access that was agreed upon

(c) Disclosure of any non-compliance with laws and regulations, fraud, design deficiencies in controls, instances where controls have not operated as described, and any events that could have a significant effect on the service auditor’s assurance report.

The written representations should be addressed to the service auditor and dated as near as possible to the date of the service auditor’s assurance report. If the service organization does not provide one or more of the written representations requested, the service auditor may disclaim an opinion or modify the opinion according to certain objectives.

Other Information

In relation to “Other Information,” the service auditor is required to read any additional information included in the document containing the service organization’s description of its system and the service auditor’s assurance report, with the objective of identifying any material inconsistencies with that description. If the service auditor identifies any material inconsistencies or apparent misstatements of fact, they should discuss the matter with the service organization and request that the information be corrected. If the service organization refuses to do so, the service auditor should take further appropriate action, which may include describing the material inconsistency or misstatement of fact in the assurance report, withholding the assurance report until the matter is resolved, or withdrawing from the engagement.

If the “Other Information” contains future-oriented information, such as recovery or contingency plans, or claims of a promotional nature that cannot be reasonably substantiated, the service auditor may request that the information be removed or restated.

Regarding “Subsequent Events,” the service auditor must inquire whether the service organization is aware of any events that occurred after the period covered by the service organization’s description of its system up to the date of the service auditor’s assurance report that could have a significant effect on the service auditor’s assurance report. If the service auditor becomes aware of such an event and it is not disclosed by the service organization, the service auditor should disclose it in the assurance report. The service auditor has no obligation to perform any procedures regarding the description of the service organization’s system or the effectiveness of controls after the date of the assurance report.

Documentation

The service auditor is required to prepare documentation that is detailed enough to allow an experienced service auditor who has no prior connection with the engagement to understand the nature, timing, and extent of procedures performed, as well as the results of those procedures and significant matters arising during the engagement.

The service auditor must document who performed the work, when it was completed, who reviewed the work and the extent of that review, and the conclusions reached regarding the evaluation of the adequacy of the work of the internal auditors if they were used. Discussions with the service organization or others on significant matters, as well as any inconsistencies with the final conclusion regarding significant matters, must also are documented.

The service auditor must assemble all documentation in an engagement file and complete the administrative process of assembling the final engagement file in a timely manner after the date of the service auditor’s assurance report. Once the final engagement file has been assembled, the service auditor must not delete or discard any documentation before the end of its retention period.

If the service auditor needs to modify existing documentation or add new documentation after the final engagement file has been assembled, and this does not affect the service auditor’s report, then the service auditor must document the specific reasons for making the modifications, when and by whom they were made, and reviewed.

Preparing the Service Auditor’s Assurance Report Content of the Service Auditor’s Assurance Report

The basic elements that should be included in a service auditor’s assurance report, which a report is issued by an independent auditor on a service organization’s internal controls. These basic elements are:

(a) A title that clearly indicates the report is an independent service auditor’s assurance report.

(b) An addressee.

(c) Identification of:

(i) The service organization’s description of its system, and the service organization’s assertion, which includes the matters described in certain objectives report.

(ii) Those parts of the service organization’s description of its system that are not covered by the service auditor’s opinion.

(iii) If the description refers to the need for complementary user entity controls, a statement that the service auditor has not evaluated the suitability of design or operating effectiveness of complementary user entity controls.

(iv) The nature of activities performed by the subservice organization, and whether the inclusive method or the carve-out method has been used in relation to them.

(d) Identification of the criteria and the party specifying the control objectives.

(e) A statement that the report and the description of tests of controls are intended only for user entities and their auditors who have a sufficient understanding to consider it.

(f) A statement that the service organization is responsible for preparing the description of its system and the accompanying assertion, providing the services covered by the service organization’s description of its system, stating the control objectives, and designing and implementing controls to achieve those objectives.

(g) A statement that the service auditor’s responsibility is to express an opinion on the service organization’s description and the design and operating effectiveness of controls related to the control objectives stated in that description, based on the service auditor’s procedures.

(h) A statement that the engagement was performed in accordance with SAE 3402, “Assurance Reports on Controls at a Service Organization,” which requires that the service auditor comply with ethical requirements and plan and perform procedures to obtain reasonable assurance about whether, in all material respects, the service organization’s description of its system is fairly presented and the controls are suitably designed and, in the case of a type 2 report, are operating effectively.

(i) A summary of the service auditor’s procedures to obtain reasonable assurance and a statement of the service auditor’s belief that the evidence obtained is sufficient and appropriate to provide a basis for the service auditor’s opinion.

(j) A statement of the limitations of controls and the risk of projecting to future periods any evaluation of the operating effectiveness of controls.

(k) The service auditor’s opinion, expressed in the positive form, on whether, in all material respects, the description fairly presents the service organization’s system that had been designed and implemented throughout the specified period, the controls related to the control objectives stated in the service organization’s description of its system were suitably designed and, in the case of a type 2 report, operated effectively throughout the specified period.

SAE 3402 also provides additional guidance on specific points that should be included in the assurance report, such as including the results of all tests where deviations have been identified and providing information about causative factors for identified deviations. Finally, the text emphasizes the importance of compliance with ethical requirements and planning and performing procedures to obtain reasonable assurance about the service organization’s description of its system and the design and operating effectiveness of controls.

Example Service Organization’s Assertions

The International Space Station (ISS) is a habitable artificial satellite that orbits the Earth, and it is currently the largest human-made object in space. It was developed in the late 1990s through collaboration between five space agencies: NASA (United States), Roscommon (Russia), JAXA (Japan), ESA (Europe), and CSA (Canada).

The ISS is primarily used as a research laboratory for studying various scientific disciplines such as physics, astronomy, meteorology, biology, and others. Astronauts conduct experiments and carry out research in a microgravity environment, which can reveal new insights that cannot be obtained on Earth. Additionally, the ISS is also used as a testing ground for new space technologies and serves as a platform for future space exploration missions.

The ISS orbits the Earth at an altitude of approximately 408 kilometres (253 miles) and completes one orbit every 90 minutes. It travels at a speed of about 28,000 kilometres per hour (17,500 miles per hour), which means it circles the Earth once every 45 minutes. The ISS is continuously inhabited by a crew of up to seven astronauts, who live and work on board for periods of several months at a time. They are supported by mission control centres located around the world, which provide communications, guidance, and other essential services.

Quiz: Assurance Reports on Controls at a Service Organization

1. True or False: SAE 3402 applies to assertion-based engagements that convey reasonable assurance on the controls at a service organization that are relevant to user entities’ internal control as it relates to financial reporting.

Answer: True

2. What are the objectives of the service auditor in an assurance engagement?

a) To evaluate the financial statements of the service organization.

b) To obtain reasonable assurance about the fair presentation of the service organization’s system description and the design of controls.

c) To provide legal advice to the service organization.

d) To assess the profitability of the service organization.

Answer: b)

3. Which of the following is NOT a requirement for service auditors in performing engagements under SAE 3402?

a) Compliance with the Code of Ethics of the Institute of Chartered Accountants.

b) Compliance with the SAE 3402 and the Framework for Assurance Engagements.

c) Independence from each user entity.

d) Implementation of quality control procedures.

Answer: c)

4. When determining the appropriate person(s) within the service organization’s management or governance structure to interact with, the service auditor should consider:

a) The person(s)’ responsibilities and knowledge of the matters concerned.

b) The person(s)’ relationship with the service auditor.

c) The person(s)’ level of seniority within the organization.

d) The person(s)’ availability during the engagement period.

Answer: a)

5. True or False: The service auditor’s responsibilities before accepting or continuing an engagement include ensuring access to all relevant information, documentation, and personnel within the service organization.

Answer: True

6. What does the service auditor need to assess regarding the suitability of the criteria used by service organizations?

a) Whether the criteria cover financial reporting requirements.

b) Whether the criteria encompass specific requirements for the system description and control objectives.

c) Whether the criteria are approved by the Institute of Chartered Accountants.

d) Whether the criteria align with international accounting standards.

Answer: b)

7. Which of the following procedures can the service auditor use to obtain an understanding of a service organization’s system?

a) Reviewing policy and procedure manuals.

b) Consulting external auditors of the service organization.

c) Interviewing customers of the service organization.

d) Analyzing competitors’ financial statements.

Answer: a)

8. What written representations should a service auditor obtain from a service organization during an assurance engagement?

a) A confirmation of the service organization’s profitability.

b) A statement acknowledging the service organization’s compliance with laws and regulations.

c) A representation letter reaffirming the assertion accompanying the system description and disclosing any non-compliance or fraud.

d) A statement disclosing the service organization’s trade secrets.

Answer: c)

9. True or False: The service auditor is required to prepare documentation that allows an experienced service auditor who has no prior connection with the engagement to understand the nature, timing, and extent of procedures performed.

Answer: True

10. What should the service auditor document regarding the work performed by the internal auditors, if they were used?

a) The conclusions reached regarding the adequacy of the work.

b) The names of the internal auditors involved.

c) The dates of the internal auditors’ reviews.

d) The extent of the review conducted by the internal auditors.

Answer: a)

Additional questions:

11. True or False: The SAE 3402 standard applies only when the service organization is responsible for, or able to assert, the suitable design of controls.

Answer: True

12. What is the main purpose of SAE 3402?

a) To assess the financial performance of a service organization.

b) To evaluate the effectiveness of a service organization’s marketing strategies.

c) To provide a report on the controls at a service organization relevant to user entities’ internal control as it relates to financial reporting.

d) To investigate the cybersecurity measures of a service organization.

Answer: c)

13. Which of the following is NOT a component of the written representations that a service auditor should obtain?

a) Confirmation of the service organization’s compliance with all laws and regulations.

b) Reaffirmation of the assertion accompanying the system description.

c) Disclosure of any non-compliance with laws and regulations.

d) Identification of significant events that could affect the service auditor’s assurance report.

Answer: a)

14. True or False: The service auditor should evaluate the work performed by the internal audit function to determine its adequacy for the engagement.

Answer: True

15. What procedures can the service auditor use to obtain evidence regarding the operating effectiveness of controls?

a) Inquiring of relevant individuals within the service organization.

b) Observing operations and inspecting documents.

c) Performing control procedures.

d) All of the above.

Answer: d)

16. What should the service auditor do if they identify material inconsistencies or apparent misstatements of fact in the “Other Information” section of the service organization’s description?

a) Request correction from the service organization and describe the issue in the assurance report if not resolved.

b) Withhold the assurance report until the matter is resolved.

c) Withdraw from the engagement.

d) All of the above.

Answer: a)

17. True or False: The service auditor must inquire whether the service organization is aware of any subsequent events that could have a significant effect on the assurance report.

Answer: True

18. What is the purpose of assessing the design of controls at a service organization?

a) To determine the financial stability of the service organization.

b) To identify areas where controls are lacking or ineffective.

c) To evaluate the skills and qualifications of the service organization’s employees.

d) To ensure compliance with international auditing standards.

Answer: b)

19. What should the service auditor include in the administrative process of assembling the final engagement file?

a) Deleting or discarding unnecessary documentation.

b) Retaining documentation until the end of its retention period.

c) Modifying existing documentation to reflect updated information.

d) Documenting the specific reasons for making modifications.

Answer: b)

20. True or False: Once the final engagement file has been assembled, the service auditor is allowed to delete or discard any documentation that is no longer needed.

Answer: False

Statement on Auditing Standards – SA 210

Statement on Auditing Standards – SA 220

Statement on Auditing Standards – SA 230

Statement on Auditing Standards – SA 240

Statement on Auditing Standards – SA 250

Statement on Auditing Standards – SA 260

Statement on Auditing Standards – SA 265

Statement on Auditing Standards – SA 299

Statement on Auditing Standards – SA 300

 Statement on Auditing Standards – SA 315

Statement on Auditing Standards – SA 320

Statement on Auditing Standards – SA 330

Statement on Auditing Standards – SA 402

Statement on Auditing Standards – SA 450

Statement On Auditing Standards – SA 500

Statement on Auditing Standards – SA 501

Statement on Auditing Standards – SA 505

Statement on Auditing Standards – SA 510

Statement on Auditing Standards – SA 520

Statement on Auditing Standards – SA 530

Statement on Auditing Standards – SA 540

Statement on Auditing Standards – SA 560

Statement on Auditing Standards – SA 570

Statement on Auditing Standards – SA 580

Statement on Auditing Standards – SA 600

Statement on Auditing Standards – SA 610

Statement on Auditing Standards – SA 620

Statement on Auditing Standards – SA 700

Statement on Auditing Standards – SA 701

Statement on Auditing Standards – SA 705

Statement on Auditing Standards – SA 706

 Statement on Auditing Standards – SA 710

Statement on Auditing Standards – SA 720

Statement on Auditing Standards – SA 800

Statement on Auditing Standards – SA 805

Statement on Auditing Standards – SA 810

Statement on Auditing Standards – SAE 3400

Statement on Auditing Standards – SAE 3402

Statement on Auditing Standards – SRE 2400

Statement on Auditing Standards – SRE 2410

Statement on Auditing Standards – SRS 4400

Statement on Auditing Standards – SRS 4410

Audit trail in software requirements

Standard on Quality Control

Statement on developmental and regulatory policies