Given recent developments in corporate governance and internal control, organisations are required to provide more and more information about their own internal controls environment to a variety of external and internal stakeholders. In addition, the current regulatory environment presents new challenges, specifically with regard to the internal control reporting requirements of Sarbanes-Oxley, Basel II, the Companies Bill 2008, and more recently, the draft King III report on corporate governance.
Many companies are being challenged in implementing appropriate monitoring and review activities to oversee all internal controls affecting their respective businesses, particularly as the number and scope of outsourcing relationships continue to increase. Outsourcing relationships now extend beyond financial reporting and include critical business areas such as information technology infrastructure management, application management and transaction processing.
The outsourcing business in South Africa is experiencing significant growth, with an increasing number of companies looking towards outsourcing non-core but critical functions relating to finance, information technology and operations. Today, outsourcing is particularly prevalent in the financial services sector – for example, asset managers often outsource their back office support, administration and/or compliance functions, and most of the large financial institutions have outsourced at least parts of their information technology functions. We also see many examples where large conglomerates set up their own “service organisations” in-house in the form of shared service centres to consolidate multiple key business functions (e.g. finance, human resources, information technology etc.) across their respective business units or subsidiaries.
While service organisations have attempted to increase their focus and reporting on internal controls to support client requirements, the auditing standards in most countries do not offer the flexibility for service organisations to perform a more comprehensive “audit” that meets all client needs. In trying to accommodate creatively these additional requirements, there has been increased complexity, cost and inconsistency in terms of the scope and approach of such reviews.
With many service providers being global organisations supporting clients with international operations, there is a clear need for a single and more comprehensive auditing standard to deliver consistent reporting to the geographically spread customers of service organisations. Currently, global service organisations often issue reports under various local third party internal control standards (e.g. the US SAS 70, the Canadian Section 5970, the Institute of Chartered Accountants in England and Wales’ FRAG 21 etc.) which create inconsistencies and confusion in the marketplace.
The International Auditing and Assurance Standards Board (IAASB), an independent standard-setting board, has addressed several of these issues by proposing a new standard focused on enhancing auditors’ consideration of internal controls at service organisations. The proposed International Standard on Assurance Engagements (ISAE) 3402, Assurance Reports on Controls at a Third Party Service Organisation, is a subject matter-specific standard developed under the IAASB International Framework for Assurance Engagements. It is not intended to replace country-specific standards – where these exist – but rather provide a reporting option for service organisations to address all these challenges.
Simultaneously, the United States and Canada are in the process of updating their SAS 70 and 5970 standards respectively. The result of these independent, yet related initiatives has been the convergence of the international and local standards. Standard-setting organisations within each country are encouraged to either adopt directly the ISAE, where they do not have existing standards, or closely align their existing standard to ISAE 3402.
As the Committee for Auditing Standards of the Independent Regulatory Board for Auditors (IRBA) has adopted the entire suite of auditing pronouncements issued by the IAASB for use in South Africa, ISAE 3402 will also be adopted when it is released in its final form. This means that those auditors issuing assurance opinions for service organisations in South Africa will need to follow this standard in order to comply with local auditing standards.
There are three main benefits to a global and more comprehensive standard:
• First, it would provide more consistent reporting globally. This benefits users of the reports as they would no longer be required to understand or interpret multiple reporting standards.
• Second, while the standard remains grounded in addressing the financial reporting requirements of users of service organisations, it is expected to “open the door” to allow reporting on controls beyond financial reporting (as is presently not permitted by SAS 70) – to areas such as regulatory, compliance, operational and business resumption/disaster recovery planning controls and specific elements of the customer’s service level agreement.
• Third, the standard requires management of the service organisation to provide a formal assertion acknowledging its responsibilities for the controls, providing user auditors and user organisations with a greater level of comfort, something which SAS 70 does not currently insist on.
The new standard does not only impact on auditors and their clients which use service organisations. The service organisations themselves should seek to understand the expected changes in the standard, the impact on reporting, and any potential changes in expectations from customers currently receiving controls reporting. Service organisations that ultimately expand the scope of their controls reporting may have certain control activities tested by their auditors for the first time.
For service organisations that have been issuing SAS 70 or other country-specific reports, the following are a few suggested focus areas:
• Has management considered what processes the service organisation has in place to evaluate and assess the performance of its controls to support a formal assertion on its controls?
• Expanding the report beyond financial reporting may create a perceived threat or opportunity for the service organisation.
• Are customers seeking additional comfort in a particular area(s), but the service organisation hasn’t historically incorporated the area(s), either because of limitations with the existing control standards or concern that the area is not prepared for a review?
• Will management take advantage of the opportunity to report on controls in an area(s) beyond financial reporting to meet customer demands?
• Has the company considered information contained in its contracts and service level agreements, and the need to incorporate these requirements into future control reports?
• Have current compliance activities been reviewed for opportunities to reduce compliance costs through simplified and consolidated reporting under the proposed standards?
• Do existing or new service offerings require compliance or operational “audits” or third-party assurance that could be combined with financial reporting “audits”?
• Have “audit” activity and site visits executed by customers been reviewed to determine if an attestation report could reduce or eliminate customer-requested site visits?
• Can several different types of third-party assurance reports (Agreed-Upon Procedures, Attestation and/or SAS 70) be consolidated or eliminated under the proposed standards?
Service organisation management should consider performing both comprehensive design effectiveness analysis and operating effectiveness testing to identify control gaps, prior to performing an attestation of any new control activities. This pre-assessment would enable management to undertake remedial action, as necessary, to address any design or operating effectiveness observations prior to commencing the attestation.
The IAASB released the exposure draft of ISAE 3402 for comment in December 2007. The proposed standard may be modified in light of comments received before being issued in its final form. The updated SAS 70 standard is expected to follow a similar timeline as ISAE 3402, and both have an anticipated effective date of December 2010.
John Wilkinson CA(SA), CISA, BCompt (Hons), is Director: Risk Advisory Services, and Ernst Maritz CA(SA), BCom (Hons), MCom is National FS Advisory partner at PricewaterhouseCoopers in
Cape Town.