Service organisation control reports are reports on the internal control structure for organisations that provide transaction processing services. The objective of a service organisation control report is to provide clients of a service organisation and their independent auditors with information on policies, procedures and controls that may be relevant to their internal control structure and their financial statements. The clients use the report to understand the adequacy and operating effectiveness of their service provider’s controls.
The client’s auditors use the report to understand controls related to a service that is likely to be relevant to clients’ internal control, as it relates to financial reporting, and to reduce or eliminate audit procedures at the service organisation.
Service organisation control reports have become increasingly prevalent in the marketplace since the issuance of Statements on Auditing Standards No. 70, Service Organisations (SAS 70) in 1992.
One reason for the change is that prior to the IAASB’s development of International Standard on Assurance Engagements 3402 (ISAE 3402), there was no global standard for engagements to report on controls at a service organisation. SAS 70 is a US standard, and although it has been used for engagements outside the US, the IAASB saw a need to develop an internationally recognised standard. The AICPA, as part of its efforts to converge its US standards with those of the IAASB, followed suit and issued a new Statement on Standards for Attestation Engagements No. 16 (SSAE 16) that replaced SAS 70 and mirrored ISAE 3402.
The new standards by the IAASB and AICPA are not aimed at overhauling how an engagement to report on controls at a service organisation is performed. Rather, they have been issued to meet the demands of the current market environment and to fit into the modern framework of assurance standards.
If you have any questions or require a more detailed discussion, all regional contact details are provided at the end of the article.