Third Party Assurance:
New requirements for
Release date: August 22, 2011
Host: Vanessa Iarocci
Guests: Tony Pedari
Running time: 11:55 minutes
Service organizations undertaking a third party report for the first time should align their reports with CSAE 3416. In this episode of Strategy Talks, PwC's Tony Pedari and Jennifer Johnson talk about these new requirements for Canadian auditors under Section 5970.
**Please note, a glossary of terms appears at the bottom of this transcript**
Announcer: Welcome to Strategy Talks, the business podcast series by PricewaterhouseCoopers Canada. Hosted by Helen Mallovy Hicks, National Leader of PwC’s Valuations, Forensics & Disputes Practice, and Calum Semple, an Operations and Consulting Partner. This interview series, featuring new topics and guests every episode, is designed to provide valuable insight into some of today’s hottest issues affecting your business.
Vanessa: Hi, I am Vanessa Iarocci, your guest host for today’s edition of PwC’s Strategy Talks.
Today we will be exploring some important changes happening in financial reporting that may have an impact on your business.
Third Party organizations that provide services that impact their customers’ financial reporting processes are often subject to audit of these processes on behalf of their customers. The auditor’s report on controls at a service organization, or a Section 5970 report, has long been the governing standard in Canada for performing these audits. But now requirements for Canadian auditors reporting under Section 5970 are changing; there is a new Canadian standard on assurance engagements known as CSAE 3416.
What exactly are these changes and what will they mean for your business? Keep listening to find out. Joining me here, to tell us more, are Jennifer Johnson, a director in PwC’s Controls practice, and Tony Pedari, a partner in PwC’s Consulting practice.
Welcome Tony and Jennifer.
Vanessa: Tony, perhaps we can start off by having you set out what the new reporting standards are and what was behind these new changes.
Tony: There were two main reasons for the changes. First, there’s a move towards global consistency of accounting and auditing standards. As a new international standard, ISAE 3402, was created to fill a gap in the international standards, it was a good opportunity to align the local standards as well. Secondly, the US standard SAS 70 had not been updated in a number of years and was up for renewal.
In addition, as more organizations expand globally, a common reporting framework was needed to promote consistency. We, in Canada, are likely to be working with three of these standards; that is, the Canadian standard CSAE 3416, the US standard SSAE 16, and the international standard I spoke about, ISAE 3402. While the standards have some differences, they are essentially the same. Let’s talk about some of the key similarities.
First, the scope. Primarily, we’ve got to continue to focus on controls relevant to financial reporting at a user entity.
Second, the types of reports. We’re familiar with the Type I design and Type II design and operating effectiveness reports, and these continue to exist.
Third, subservice. The concept of having an inclusive and exclusive, or carve-in, carve-out, method will still exist under the new standards.
Fourth, the description of systems. The description of controls under the 5970 is generally the same as what you will see in the new standard, and that is, there has to be enough of a description there for a user to understand the underlying processes and systems. And finally, the use of the report continues to be restricted to the use of existing customers of the service organization during the period of coverage.
Let’s talk about key differences. First, the implementation timelines will differ slightly. The US and international standards indicate a June 15, 2011 implementation date, while the Canadian standard has a December 15, 2011 implementation date.
Second, management must now provide an assertion over the design and, if a Type II report, the operating effectiveness of controls. This is one of the key differences and what’s taking up a lot of management’s mindshare right now.
Third, where a sub-service organization is included in the report, it too is required to provide a management assertion.
Fourth, the opinion on design. In a Type II report, the suitability of the design of the control objective will now refer to the entire period of coverage.
Fifth, the reliance on the work of others. It will require disclosure by the service auditor on any reliance on internal audit or other independent management testing function.
And finally, the auditor’s opinion will have some formatting changes.
Vanessa: Fantastic. That was a very thorough overview of the new standards. And, Jennifer, perhaps you can shed some light on what the key impacts to issuers are of these reports.
Jennifer: Sure, thank you. I’m going to focus on the four areas of differences as we transition to these new standards that will be most impactful to issuers of these reports. The first of which is really around that management assertion that Tony mentioned a moment ago, which is a new requirement for management under these standards, and really embedded under this management assertion requirement are two components:
One is the need to perform a risk assessment and to also set criteria performing an evaluation process to create the basis of management’s assertion. As Tony mentioned, this activity is taking up a lot of time right now and a lot of discussion in the marketplace around how far or how expensive this evaluation needs to be.
In our view for larger organizations with well established oversight and monitoring controls, this may be an exercise of inventorying and assessing these monitoring controls and deriving or understanding the level of comfort that can be derived from these activities.
However for smaller organizations, they’re more likely to identify some improvement needs in their oversight and monitoring processes in order to derive the level of comfort needed in order to issue the management assertion under these standards.
Secondly, the changes in the design of controls during the audit period or any changes in design during the audit period will require some additional communication between the service organization and their auditor. This is really to ensure that both the original control activities as well as the new control activities can be tested and will need to be fully disclosed in the report.
Thirdly an opportunity exists whereby the definition of internal audit has been expanded to include others that are in an independent and an objective oversight manager role. As a result, there may be an opportunity for the auditors to rely more heavily on the work of internal audit and others as defined here, and potentially to decrease the audit footprint on the organization and therefore letting people focus on delivering their services directly to their customer versus supporting multiple concurrent audits.
Lastly, over the last few years we’ve seen that a number of service organizations have further outsourced parts of their service offering to other service organizations. These organizations are referred to as subservice organizations, and as Tony mentioned they are required to also provide a management assertion letter. As a primary service organization there will be a requirement to coordinate heavily with the subservice organization to ensure that they’re both comfortable and able to provide their required assertion as well.
Vanessa: Well definitely a lot of key impacts. Now those were the impacts to the issuers of the reports. But Tony, what are the key impacts to the users of these reports?
Tony: Should note that the equivalent standards dealing with the use of the control reports were issued prior to the issuance of the new service organization standards. In Canada, CAS 402 addresses considerations when using the controls report. Changes proposed in the service organization reports have improved the coverage of these reports and provided more transparency in terms of the testing performed. For example, some of the changes that have contributed to these benefits include: the users of the report not only getting an independent opinion of the service auditor, but as Jen mentioned earlier they also now get the opinion backed by management’s assertion, and in the case of the inclusive report, the subservice organization’s as well.
Management’s assertion and the service auditor’s opinion with regard to the suitability of design will now be extended to the entire period, when in the past it was at a point in time.
Finally, when the service auditor uses the work by the service organization’s internal audit department, the service auditor’s report will provide the description of the internal audit’s work and the procedures performed with respect to that work.
Now users will still have to understand the scope of the report and assess whether the report is relevant to their needs and they as a user are included in that report. User auditors will still have to develop an understanding of the underlying system and processing, so the controls report should have the appropriate level of detail to support this.
Finally, users should also continue to read the user control considerations noted in the report, to ensure that they have identified the controls in place at their organizations to complement the service organization’s controls.
Vanessa: Thanks Tony. Jennifer, perhaps you could shed some light on how clients can manage through this transition, and what PwC can do to help.
Jennifer: Sure, thank you. There are a few different ways that I will point out that we can assist an organization with managing through this transition.
First I’ll start with the risk assessment and management assertion requirement we mentioned earlier on. Some organizations may be feeling resource constraints and challenged with where to begin on these processes and that’s where we can really come in with that risk view, and help evaluate the risks of the services being provided and the controls mitigating those risks over the scope of services being covered in that particular report.
We can also help management inventory their existing oversight and monitoring controls, and help determine whether there are any gaps or areas for improvements that should be considered before transitioning to this new standard, in order to help management gain some comfort that they will be able to issue their management assertion letter when need be.
Thirdly we can actually help benchmark your existing report against others in the industry which may be an opportunity to take a fresh look at your report and identify if there are some areas for clarification, for some additional improvements, things that your competitors may be doing, that you might want to also consider and hold under your transition plan to this new standard.
Vanessa: Sounds great! Unfortunately we are out of time. Thank you again to our guests for joining us today and shedding some light on this issue. For more information on the new standard or to download a copy of our publication “Third party reporting: A new level of trust and transparency” visit our webpage at pwc.com/ca/controls.
Thanks Tony and Jennifer.
Announcer: This concludes this episode of Strategy Talks. Thank you for listening. We hope you will join us again soon for another episode. To download or to subscribe to this podcast series, or to find more information, please visit pwc.com/ca/strategytalks. The information in this podcast is provided with the understanding that the authors and publishers are not herein engaged in rendering legal, accounting, tax or other professional advice or services. The audience should discuss with professional advisors how the information may apply to their specific situation. Copyright 2009 PricewaterhouseCoopers LLP. All rights reserved. PricewaterhouseCoopers refers to PricewaterhouseCoopers LLP, an Ontario limited liability partnership or, as the context requires, the PricewaterhouseCoopers global network or other member firms of the network, each of which is a separate and independent legal entity.
A Canadian auditing standard relating to the audit of financial reporting processes at service organizations. Service organizations issue a section 5970 report to their customers and their customers' auditors to indicate that their control environment was examined by an independent auditor.
Canadian Standard on Assurance Engagements 3416 is the new standard in Canada for performing independent third-party assurance engagements, replacing Section 5970 which has long been the governing standard.
International Standard on Assurance Engagements 3402 is the global standard for performing audits of finance reporting processes at service organizations. It provides a reporting option for service organizations with the need for a global attestation standard to deliver consistent reporting worldwide.
Statement of Auditing Standards No. 70 is the long governing standard in the U.S. for performing audits of finance reporting processes at service organizations.
Statement on Standards for Attestation Engagements is the new standard in the US for performing audits of finance reporting processes at service organizations, replacing SAS 70.
A company that provides services to other organizations (user entities) on an outsourcing basis.
An organization that outsources services to a third-party or service organization.
Type I report
CSAE 3416 allows service organizations to issue two types of service auditor's reports. In a Type I report, management will have to attest that controls are placed in operation and are suitably designed to meet the control objectives.
Type II reports
After controls are determined to be suitably designed, a Type II report allows management to report on the operating effectiveness of these controls.