
One giant leap for third party assurance standards

25 Feb 2010, Rachael Singh, AccountancyAge

http://www.accountancyage.com/aa/news/1809532/one-giant-leap-party-assurance-standards

While the world may have changed dramatically over the last 40 years, many would expect the standards for audit to change with it. Unfortunately this has not been the case when it comes to third party assurance, despite regulations on transparency seeing a frenzy of activity over the last ten years.

Created by the Americans, over four decades ago, the previous standard, SAS 70, is in need of a relaunch.

The International Auditing and Assurance Standards Board (IAASB) has created an improved third party assurance standard for June 2011 – which offers guidelines for auditors to report to clients about the internal controls of outsourced business process service suppliers.

SAS 70 had been the globally adopted standard for audits of outsourcing companies’ controls since 1969. But FDs’ need for third party assurance by auditors has dramatically increased since the introduction of US rules on internal controls, namely Sarbanes-Oxley.

The huge increase in focus on risk required a fresh and modern standard to replace SAS 70. New standard ISAE 3402 will include reports on operational risk areas, wider regulatory compliance, as well as business continuity planning and disaster recovery.

Richard Porter, partner, performance assurance leader at PwC, said that stakeholder pressure for greater risk assurance about businesses’ outsourced service providers had also added to momentum for a more robust standard.
“Markets now want to know more about a company – more than its financial information. They want to make sure they have the right controls, governance in place. It’s there to bring transparency.”

The new standard requires the management to make specific assertions on the controls of their business processes. “At the moment management don’t have to assert that everything is accurate,” said Michael Elysee, head of IT advisory in risk and compliance at KPMG.

If auditors checked the strength of one outsourcer, they could use the report on that company for all of their audit clients – negating the need for separate audits.

This would prove useful for companies using online software or cloud computing.

Companies use cloud computing to store sensitive data. The data centres, usually found in North America, are known for having military-like safeguards to protect the information, but third party assurance is still needed.

Unfortunately the previous lack of a modern and all-encompassing single international standard has resulted in some global organisations reporting under various local standards, which creates inconsistencies and confusion.
Arnold Schilder, IAASB chair, said: “This new standard sets a global benchmark for reporting on controls at a service organisation, thereby helping to fulfill the needs of those who use such services and their auditors under international standards.”

IN OUR VIEW

While not exactly glamorous, this is a vital component for transparency around businesses’ risk management. The improved standard might save FDs some sleep over their data being held thousands of miles away.

Further reading:

ifac.org/IAASB

Visitor comments

It's about Time

I've been checking BCP and DR as part of SarbOX testing since Day one... I always wondered who the genius was that said "that's NOT a SOX requirement" It doesn't take long and is directly proportional to the survivability of your business - That is...If you listen to Gartner...

Posted by: Karl Reid, 25 Feb 2010 | 00:00

© Incisive Media Investments Limited 2012, Published by Incisive Financial Publishing Limited, Haymarket House, 28-29 Haymarket, London SW1Y 4RX, are companies registered in England and Wales with company registration numbers 04252091 & 04252093