ISAE 3402, Assurance Reports on Controls at a Third Party Service Organization
Proposed International Standard on Assurance Engagements issued for comment by the International Auditing and Assurance Standards Board of the International Federation of Accountants
Comments from ACCA
May 2008
Executive Summary
ACCA welcomes the opportunity to comment on the proposed International Standard on Assurance Engagements ISAE 3402 Assurance Reports on Controls at a Third Party Service Organization (proposed ISAE 3402), issued for comment by the International Auditing and Assurance Standards Board (IAASB) of the International Federation of Accountants. Our comments extend to the relationship between proposed ISAE 3402 and other IAASB pronouncements, in particular International Standards on Auditing (ISAs) and ISAE 3000 Assurance Engagements Other than Audits or Reviews of Historical Financial Information (ISAE 3000).
We are particularly concerned that some aspects of proposed ISAE 3402 will inhibit its adoption outside those jurisdictions that already have a similar standard:
- It is oriented towards larger service organisations and would be disproportionately expensive for both smaller service organisations and smaller users of large service organisations, and
- Its scope is too narrow as it does not extend to limited assurance engagements, or reports on the description and design of controls for a period, rather than a point in time.
We believe that, as a reasonable assurance standard, proposed ISAE 3402:
- Need not cover matters at a similar level of detail to ISAs
- Should not be restricted to assertion-based engagements
- Should not ordinarily require the disclosure of procedures performed
In our other comments, we point out the difficulties of adopting the Clarity drafting conventions developed for ISAs and suggest that the updating of ISAE 3000 should be preceded by a consultation on the approach to the whole series of ISAEs.
Matters on which Specific Comments are Requested
In this section of our response we address the issues identified for specific comment in the Explanatory Memorandum forming part of the Exposure Draft.
Our comments are made on the basis of the scope and format of proposed ISAE 3402 as presented in the Exposure Draft. In the section of this response headed General Comments, we examine the nature of the series of ISAEs and the use of Clarity drafting conventions. Changes in relation to such matters could remedy several of the difficulties we identify below.
Assertion-based Engagements
The proposal that the ISAE be written for application to assertion-based engagements. In particular, the IAASB would welcome any views on whether there are situations in which it would not be possible or practicable for management of the service organization to provide an assertion?
We do not answer this question directly; instead, we argue that proposed ISAE 3402 should not be restricted to assertion-based engagements, because that may discourage its use in certain jurisdictions.
As set out in the Explanatory Memorandum, we recognise that: ‘the nature, timing and extent of the service auditor's procedures would ordinarily be the same regardless of whether the engagement to report on controls at a service organization is an assertion-based or direct reporting engagement. Further, in the case of a direct reporting engagement, a service auditor obtains representations from the management of the service organization that contain confirmations equivalent to the assertions proposed in ISAE 3402.'
We also note that: ‘Assertion-based engagements are prevalent in some jurisdictions; in others, direct reporting engagements are more common.'
We see the above as strong arguments against seeking to restrict the application of proposed ISAE 3402 to assertion-based engagements because the exclusion of direct-reporting engagements may discourage certain jurisdictions from adopting proposed ISAE 3402.
The argument advanced in support of restricting proposed ISAE 3402 to assertion-based engagements is that there is: ‘. . . an explicit acknowledgement, by management of the service organization to the user entities, of its responsibility for the fair presentation of the description of the system, the suitable design of controls and, in the case of a Type B report, the operating effectiveness of controls.' This is seen as preferable to an implicit acknowledgement, reported by the service auditor.
The restricted nature and purpose of reports of service auditors, coupled with the facts that user entity auditors are professional accountants subject to ISAs and that dealings with user entities are governed by commercial contract, suggest to us that an explicit acknowledgement by management of its responsibilities is of far less importance than in a financial statement audit.
Balancing the arguments set out above, we conclude that restricting the application of proposed ISAE 3402 to assertion-based engagements is not justified. We suggest that it would be fairly easy to continue to express a preference for assertion-based engagements, while constructing the requirements so that they could be applied also to those direct reporting engagements where the responsible party provides a representation.
Inclusion of requirements based on ISAs
The inclusion in the proposed ISAE of a number of requirements based on ISAs dealing with matters such as using the work of the internal audit function, sampling, documentation, and using the work of a service auditor's expert. In particular, has the IAASB identified all such matters as are relevant? And should these matters be dealt with in proposed ISAE 3402 or in ISAE 3000?
The Explanatory Memorandum notes that the IAASB has several alternatives through which proposed ISAE 3402, taken with ISAE 3000, can cover similar matters and at a similar level of detail to the ISAs to the extent practicable and relevant. These include replicating or adapting relevant requirements from the ISAs when they are appropriate to the scope of the ISAE; or requiring that all ISAs be applied, adapted as necessary in the circumstances of the engagement.
The IAASB is of the view that it is not appropriate to adopt the approach of requiring all ISAs to be applied, adapted as necessary in the circumstances of the engagement, because to do so would not result in sufficient clarity as to which requirements of the ISAs should be applied or how they ought to be adapted. We agree with this argument and indeed have recently commented, in relation to some proposed ISAs, that it is not realistic to require auditors to adapt their requirements to other circumstances.
We believe, however, that service auditors who are familiar with ISAs should recognise their utility as guidance. As noted in ISAE 3000: ‘Although ISAs and ISREs do not apply to engagements covered by ISAEs, they may nevertheless provide guidance to practitioners.'
Before setting out the above issue, the Explanatory Memorandum states that:
‘The IAASB is of the view that because the engagement seeks to provide reasonable assurance, and therefore is comparable to a financial statement audit, it would be desirable for the proposed ISAE, taken with ISAE 3000, to cover similar matters and at a similar level of detail to the ISAs to the extent practicable and relevant.'
This is a view that goes to the very heart of standard setting. It is only the last few words ‘. . . to the extent practicable and relevant.' that argue against the IAASB producing perhaps a thousand pages of material for proposed ISAE 3402 similar to the length of the series of ISAs. Instead of examining the practicality of this, we challenge the underlying arguments. These are that: (1) because an engagement seeks to provide reasonable assurance it is comparable to a financial statement audit, and (2) related standards should cover similar matters and at a similar level of detail to the ISAs.
The arguments are linked and we do not suggest that the IAASB considers that all reasonable assurance engagements are necessarily comparable to a financial statement audit: there are generally clear differences in complexity and public interest, as well as subject matter, that would negate the first argument above and render the second irrelevant. ISAE 3000 may be applied directly to such engagements.
As we have argued elsewhere in this response, we see considerable differences between the usefulness of Type A and Type B reports. We see no valid reason to exclude certain direct reporting engagements and we suggest that limited assurance engagements would provide considerable utility to user auditors in appropriate circumstances. We would advance no similar arguments to these in relation to financial statement audit. We have also drawn attention to the lack of direct linkage between ‘reasonable assurance' in a service auditor's report and its use in a financial statement audit. For these reasons, we would argue that there is considerable doubt as to whether the two types of engagement are comparable in any sense relevant to standard setting other than that they are both reasonable assurance engagements. Accordingly, we see no reason why related standards should cover similar matters and at a similar level of detail to the ISAs.
A principles-based approach to standard setting allows the creation of standards for specific assurance engagements to obtain reasonable assurance that are only as long as ISAE 3000. There is no need to include, whether in proposed ISAE 3402 or ISAE 3000, detail for matters such as using the work of the internal audit function, sampling, documentation, and using the work of a service auditor's expert.
Auditor's external experts
Whether ISAE 3000 should be amended with respect to auditor's external experts as outlined above?
(The IAASB material above this question dealt with the consequences for ISAEs of a proposed change in the definition of ‘engagement team'. The IAASB proposed that when the change was made, it would: ‘consider whether ISAE 3000 should include requirements similar to those in paragraph 26 of the proposed ISAE 3402'.)
We agree that a change in the definition of engagement team should, as well as influencing the finalisation of proposed ISAE 3402, result in consideration of the need to revise ISAE 3000.
The requirements in paragraphs 26 to 31 of proposed ISAE 3402 are detailed and overlap with those of paragraphs 26 to 32 of ISAE 3000. We recommend reconsideration of all the material relating to using the work of an expert in the ISAE series in due course. This must necessarily await finalisation of proposed ISA 620 Using the Work of an Auditor's Expert.
Suitable Criteria
The proposed requirements regarding the minimum elements of suitable criteria?
The minimum elements of suitable criteria in paragraphs 15 to 17 of proposed ISAE 3402 are acceptable, subject to the matters discussed below.
Sub-bullet points of paragraph 15(a) are introduced by the words ‘including, as appropriate:' which indicates that such material is explanatory and ought to be dealt with in the Application and Other Explanatory Material (A&OEM) section.
Much of the wording of paragraph 15(b) (from the words ‘while acknowledging' ) is of the nature of a disclaimer, the inclusion of which is intended to make it mandatory. As management could validly omit such a disclaimer if it wished, it should not be considered to form part of the minimum elements of suitable criteria. The material is important, nevertheless, and it should be dealt with in proposed ISAE 3402 other than, in effect, as a requirement placed on management.
Disclosure of sample sizes
Whether the description of tests of controls included in a Type B report should include the disclosure of sample sizes determined by the service auditor only when a deviation from controls is found?
The underlying issue here is the extent to which the service auditor's opinion stands alone or has to be justified by reference to disclosure of the work done.
In a limited assurance engagement under ISAEs, the work effort is important to determining the assurance conveyed by the report. The user has to know, either through the use of a specific standard, or through a specific disclosure, what work was done and hence what limited assurance was obtained.
This is not the case for reasonable assurance, as there are no upper limitations on the work of the service auditor, save that necessary to obtain reasonable assurance in an effective manner.
Because of the above, for a reasonable assurance engagement with an unmodified opinion, there need be no description of the tests of controls, whether or not deviations are discovered. We do not accept, therefore, the need for the requirement in paragraph 57 of proposed ISAE 3402.
The Explanatory Memorandum states that the proposed requirement to disclose is necessary because the user auditor has to obtain an understanding of the work that has been undertaken to form a view as to whether that work is sufficient in the context of the user entity under audit, and how that work relates to the procedures undertaken by the user auditor.
We reject this argument. The work of the service auditor is not in the context of the user entity under audit. It is in the context of the engagement to issue an assurance report on controls at the service organisation. The Explanatory Memorandum explains that proposed ISAE 3402 does not assume any direct relationship between the service auditor and either user entities or user auditors. Under proposed ISAE 3402, the use made of that work by the user auditor is only through the medium of the assurance report.
The circumstances are not analogous to the audit of group accounts dealt with in ISA 600 (Revised and Redrafted) Special Considerations—Audits of Group Financial Statements (Including the Work of Component Auditors) where the component auditor is, in effect, working together with the group auditor towards the latter's opinion on the group financial statements. Proposed ISAE 3402 could be adapted to be applied where a direct relationship between the service auditor and the user entity or user auditor exists, but that possibility should not be anticipated to justify requirements that unduly increase the cost of every engagement.
Where the service auditor issues a modified opinion, the requirement, in paragraph 58 of proposed ISAE 3402, to include in the report a clear description of all the reasons for the modification, should result in disclosures that meet the needs of users in a more effective way. If considered necessary, guidance on the preferred nature of such disclosures could be provided in the A&OEM section.
Other Matters
The Explanatory Memorandum forming part of the Exposure Draft invites comments on the following other matters:
- Special considerations in the audit of public sector entities
- Developing nations
- Translation
We have no separate comments on public sector aspects of the proposed standard, or on translation.
Our response contains comments on smaller entities that are relevant to developing nations, where such entities are common. These are made in the section of this response headed Overall approach and smaller entities.
General Comments
Use and Acceptance of proposed ISAE 3402
In this section of our response we comment on aspects of proposed ISAE 3402 that we believe will restrict its widespread adoption. In this regard we also refer to comments made earlier in this response, under the heading Assertion-based Engagements.
Overall approach and smaller entities
In our separate response dealing with proposed ISA 402 (Revised and Redrafted) Audit Considerations Relating to an Entity Using a Third Party Service Organization (proposed ISA 402), we expressed concern that its overall approach was out of step with the way audits of smaller entities are generally conducted.
It is clear that proposed ISAE 3402 is orientated towards larger service organisations where demand may be found for formal reports on controls. Its use on a smaller service organisation would be disproportionately costly.
As a result of the above, not only will many be deterred from the use of proposed ISAE 3402 but there are dangers that the absence of specific standards will deter requests for service auditors to carry out limited assurance, agreed-upon-procedures or other engagements that may benefit user entities and auditors.
If proposed ISAE 3402 is not substantially amended, we recommend including in it more guidance to the effect that while it does not address other engagements (paragraph 3 of proposed ISAE 3402) nevertheless other engagements may be undertaken in the circumstances and that other IAASB standards may be relevant.
Reasonable assurance
Proposed ISAE 3402 deals only with reasonable assurance engagements. We believe that limited assurance engagements may be valuable in certain circumstances and, in the absence of a separate standard, proposed ISAE 3402 should either deal with such engagements itself or include in it more guidance to the effect that, while it does not address a limited assurance engagement, nevertheless such engagements may be undertaken and that other IAASB standards may be relevant.
We are also concerned that because proposed ISAE 3402 deals only with reasonable assurance engagements, some user auditors may misinterpret the report of a service auditor and place too much reliance on it. We fear that they may interpret a report conveying reasonable assurance in relation to service entity controls as an identifiable part of the reasonable assurance that they themselves seek to obtain on the financial statements. In reality, the interaction between the service auditor's report and the work of the user auditor to obtain reasonable assurance on financial statements is a potentially complex matter that depends on the user auditor's methodology and the circumstances of each particular audit.
The danger of over-reliance on the work of a service auditor was present but much less with extant ISA 402 Audit Considerations Relating to Entities Using Service Organizations because the nature of the assurance conveyed by the service auditor's report was not fixed.
A radical solution to this potential problem would be to have proposed ISAE 3402 deal with limited rather than reasonable assurance engagements. This would have several other advantages, not least of which would be reducing the cost of Type A reports which, even when communicating reasonable assurance, provide ‘no basis upon which a user auditor may choose to rely on the operation of controls at the service organization without further work'.
If proposed ISAE 3402 dealt with limited assurance engagements it need not enter into the difficulties associated with the need (for a reasonable assurance engagement) to ‘cover similar matters and at a similar level of detail to the ISAs to the extent practicable and relevant'. These are considerable, especially at a time when ISAE 3000 is neither updated nor Clarified.
Type A reports required to be at a point in time
The Explanatory Memorandum explains that ‘the IAASB considers that there will be neither demand for nor benefit in a Type A report that covers a period of time.' The IAASB also fears that the provision of a Type A report that covers a period may be misleading because it could be interpreted as implying that there is some basis for reliance.
We do not think that these are valid reasons to exclude reports that cover a period.
Regarding demand, it is not the role of assurance standards to restrict commercial decisions of management. In many jurisdictions currently without a standard for such engagements, the use of proposed ISAE 3402 could precipitate interest in reports and increase demand for related assurance or agreed-upon procedures engagements. A service organisation should be able to progress towards a Type B report if it wishes without there being a gap in the available specific assurance standards.
The nature of a point in time report in proposed ISAE 3402 is itself open to misinterpretation. Firstly, the choice of a date is often arbitrary (eg the year end) and realistically controls do not all operate on a daily basis. More importantly, there are expectations about change in controls that are illustrated by the stance taken by extant pronouncements such as those in Canada and the US. In these pronouncements in relation to Type B reports:
‘the service auditor's opinions about the description of controls and the existence of controls are as at a specified date (usually year-end). The opinion about operating effectiveness on the other hand is for a specified period (usually the full year).
The Canadian and US pronouncements note an expectation that management's description of controls will include a description of changes to controls over the period, and require the service auditor to “enquire about changes ... that may have occurred.” If significant changes are identified that are not included in management's description, the service auditor is required to include a description of those changes in the auditor's report. No modification to the auditor's opinion is required in this circumstance however “because the description is fairly stated as of the date of the description.”
This analysis is used to support the approach in proposed ISAE 3402 under which the auditor's opinion on the description of controls and on the existence of controls in a Type B report refers explicitly to the entire period. It also reveals, however, that users expect a Type A report to be representative of the underlying circumstances. A material undisclosed degradation of the quality of controls immediately after the date of a report would destroy any value a Type A report might have.
Although paragraph 48 is not a requirement and in our view should be transferred to the A&OEM section, there remain in proposed ISAE 3402 requirements relating to subsequent events that do not differentiate between Type A and Type B reports. This reinforces our view that users expect a Type A report to retain its value despite nominally being restricted to a point in time.
We suggest therefore that user auditors are entitled to form their own views on the value of a Type A report, whether it is at a point in time or covers a period. We see no reason, therefore, to place the latter outside the scope of proposed ISAE 3402.
Form of the Standard
As illustrated by our comments under the heading Inclusion of requirements based on ISAs, we have found it difficult to address the issues identified for specific comment in the Explanatory Memorandum without also considering the relationship between ISAEs and with ISAs.
In this section of the response we comment further on:
- Using Clarity drafting conventions for ISAEs
- The relationship between ISAE 3000, other ISAEs and ISAs
Clarity drafting conventions for ISAEs
Proposed ISAE 3402 employs the Clarity drafting conventions developed for ISAs.
A conforming amendment is proposed to the Preface to the International Standards on Quality Control, Auditing, Review, Other Assurance and Related Services (the Preface) such that ‘objectives, requirements, application and other explanatory material, and introductory material and definitions . . . are to be interpreted in a directly analogous way to how they are explained in the context of ISAs and financial statement audits'.
At an early stage of the project that resulted in proposed ISAE 3402, an issues paper for the September 2006 IAASB meeting explained that ‘In drafting ISAE 3402, the task force intends to apply the clarity format. Although ISAE 3000 is not currently in that format, the task force assumes that it will be converted before ISAE 3402 is finalized.'
We are concerned that the project went ahead with the adoption of Clarity drafting conventions not only because the above assumption has proved wrong but also because there is now not even a timetable to redraft ISAE 3000. This means that what appears to be a current pragmatic approach to redrafting (and the matters discussed below) could subsist for several years. We regret that while the Explanatory Memorandum referred to the form of the standard as a significant matter, it did not specifically welcome views on that.
A conforming amendment is proposed to the Preface to the International Standards on Quality Control, Auditing, Review, Other Assurance and Related Services (the Preface) such that for proposed ISAE 3402, the terms: ‘objectives, requirements, application and other explanatory material, and introductory material and definitions . . . are to be interpreted in a directly analogous way to how they are explained in the context of ISAs and financial statement audits'.
This places a considerable burden on service auditors (and other users) as, without a definitive statement for ISAEs, judgement has to be exercised to determine what interpretation is actually appropriate. This might be thought to be relatively easy for some terms, such as ‘definitions' but even that is not without difficulty – raising a question as to what is the relationship between words defined in ISAs and words defined (or not defined) in proposed ISAE 3402?
There are some Clarity terms where it is not at all easy to determine an appropriate interpretation, as illustrated by the following discussion of ‘objectives'. ISAs include the overall objectives of the auditor and objectives are stated in individual ISAs. The latter are to be used in planning and performing the audit to determine inter alia whether additional audit procedures are required. Proposed ISAE 3402 has only one type of objective, which is arguably at a level that is too high for there to be any equivalent use made of it. Does this mean that the service auditor need not carry out that determination?
Compliance with each ISA in the series is necessary unless the ‘entire ISA is not relevant'. As proposed ISAE 3402 is not subdivided into separate documents there is no such treatment available for its sections. A requirement in proposed ISAE 3402 can be rendered not relevant only if it is conditional and the condition does not exist. Although this includes implicit conditionality, when the circumstances envisioned in the requirement do not apply, the drafting of proposed ISAE 3402 is hampered by the absence of a mechanism to allow the service auditor to isolate aspects that are not relevant. For example, paragraph 21 requires that: ‘In making judgments about the effect of the internal audit function's work on the service auditor's procedures, the service auditor shall consider: [two matters]'. This is intended to be in the context of reliance on the work of the internal audit function (as suggested by a heading), but there is no explicit condition precedent and, if an internal audit function is present, the requirement is applicable. Some mechanism should be put in place for proposed ISAE 3402 to allow it to make appropriate use of the approach in ISAs to determining the context and hence relevance of requirements.
In summary, we do not believe that it is appropriate simply to suggest that a Clarified ISAE is analogous to an ISA. The solution is not just to write a specific section of the Preface but to consider also the form and drafting of proposed ISAE 3402.
Relationship between ISAE 3000, other ISAEs and ISAs
The Explanatory Memorandum explains that the IAASB believes that ‘because ISAE 3000 is a more general standard establishing the basic principles for the conduct of assurance engagements it is unlikely that practitioners will have difficulty in applying both ISAE 3000 and proposed ISAE 3402 notwithstanding their different forms.'
Proposed ISAE 3402 contains, nevertheless, 17 or so references to ISAE 3000 indicating that practitioners might have had difficulty without such assistance. It is also notable that, when it is unlikely that practitioners will have difficulty in applying ISAE 3000, it was felt necessary to include in proposed ISAE 3402 several requirements that duplicate those in ISAE 3000.
In reality, proposed ISAE 3402 has been drafted as a self-standing standard including requirements and application material from several ISAs and referencing ISAE 3000 as necessary for completeness. This is a pragmatic approach but one that may, or may not, be appropriate in the long term for the ISAE series of standards.
We recognise that ISAE 3000 is not updated and it seems inevitable that, while the IAASB updates pronouncements on a piecemeal basis, there will be a need to include material in a proposed ISAE that ought to be considered for inclusion in ISAE 3000 (or a subject matter specific ISAE). We suggest that any such material in ISAE 3402 ought to be reconsidered when ISAE 3000 is redrafted as appropriate in the light of the Clarity drafting conventions developed for ISAs.
We further suggest that the IAASB should expose for comment its proposals on the way in which the series of ISAEs should be revised and redrafted before it embarks on a Clarity redraft of ISAE 3000 (and necessarily all other extant ISAEs).
Other issues
In this section of our response we comment briefly on specific paragraphs in proposed ISAE 3402.
Paragraph 2
In keeping with our comments on several proposed ISAs (including ISA 402), we do not agree with placing an onerous obligation on service auditors to adapt requirements to circumstances outside the intended scope of proposed ISAE 3402.
Paragraph 7
The effective date should be more specific as to which period is relevant especially for point in time Type A reports.
Paragraph 9(c)
The general term ‘control objectives' is defined in relation to controls at the service organisation. This definition causes problems in the text of proposed ISAE 3402 where it is also used with its natural language meaning. It would be better to use an approach consistent with that for ‘complementary user entity controls' by defining the term ‘service organization control objectives'.
Paragraph 9(k)
The definition of service auditor refers to an auditor. As audit-level knowledge is not a requirement (such as in ISRE 2410 Review of Interim Financial Information Performed by the Independent Auditor of the Entity) the reference should not be to an auditor but to a practitioner (as used in ISAE 3000).
Paragraph 9(m)
Typo – insert ‘of' ‘. . .the service organization includes identification [of] the services covered . . .'
Paragraph 9(n) & (p)
A subservice organisation is a service organisation used by another service organisation. The user of the service auditor's report (on the subservice organisation) can be the service auditor (of the service organisation). However, proposed ISAE 3402 defines user auditor as one who audits and reports on the financial statements of a user entity. This means that the service auditor is not automatically a user auditor for a user service organisation in relation to a subservice organisation.
Thus the term ‘user auditors' in paragraph 57 is too restrictive where the service organisation is a subservice organisation. Similar issues arise with application material such as paragraphs A11, A13 and A15. We suggest a footnote be added to the relevant definition to resolve this.
Paragraph 10
This requirement is unnecessary as it is already required by paragraph 3 of ISAE 3000. We suggest that inclusion in the introductory text is sufficient.
Paragraph 11
This requirement is unnecessary as it is already required by paragraph 4 of ISAE 3000. We suggest that inclusion in the introductory text is sufficient.
Paragraphs 14 and 15 to 17
As acknowledged in its wording, the requirement in paragraph 14 duplicates one in ISAE 3000 and is unnecessary. We are not convinced of the need to present minimum criteria in the form of requirements; especially where, as in paragraph 14, the detail is introduced by the words: ‘including as appropriate'. Given that the IAASB expects criteria to be developed by authoritative bodies, we suggest that service auditors should receive appropriate guidance on these issues but not be subject to requirements of this nature.
The Explanatory Memorandum does not deal with the case of a direct reporting engagement where the service auditor directly performs the evaluation or measurement of the subject matter. As the work would be substantially different to that in proposed ISAE 3402, our recommendation in relation to extending its scope is restricted to those direct reporting engagements where the responsible party provides a representation.
As required by paragraph 12 of ISAE 3000.
and associated requirements, such as in paragraph 25 of proposed ISAE 3402 and in proposed ISA 402 (eg paragraph 14(e)).
Limited assurance engagements may take place but would be subject only to ISAE 3000.
The complexity may be difficult to appreciate and we note, from the issues paper presented to the IAASB meeting in September 2006, that only simple arguments were advanced in support of the view that proposed ISAE 3402 should be aimed at reasonable assurance engagements. Beginning with a counter argument, the task force suggested that: ‘It may be argued, however, that to meet the requirements of the ISAs, a user auditor does not need to be in a position to express an opinion on (i.e., obtain reasonable assurance about) the operating effectiveness of the user organization's controls and, therefore, it appears incongruous to require a service auditor to do so with respect to controls operating within the service organization. On the other hand, the user auditor needs to be able to design further audit procedures on the basis of controls operating effectively which, when those controls are not fully transparent to the user auditor, justifies the need for reasonable assurance.' This argument does not make it clear that the operational effectiveness of controls is addressed by the service auditor in the context of the information being reported on, not the financial statements of user entities. The ‘need for reasonable assurance' of the user auditor may not be satisfied by the service auditor obtaining reasonable assurance.
This statement is worrying as it implies that, for a Type B report, a user auditor may choose to rely on the operation of controls at the service organisation without further work. This may be true at an extreme, but does not present the wider picture that reliance may be supported by, for example, the dual purpose nature of substantive procedures or tests of controls at the user entity.
The progression might be from a point in time Type A report through a period Type A report to a period Type B report. Under the current proposals, the period Type A report would only be subject to ISAE 3000.
We quote from IAASB agenda papers.
We note that proposed ISA 200 (Revised and Redrafted) Overall Objective of the Independent Auditor, and the Conduct of an Audit in Accordance with International Standards on Auditing is likely to be finalised so as to include requirements currently referred to in the Preface. Currently, conforming changes to the Preface arising from proposed ISA 200 are proposed to eliminate much of the material referenced by the above. We assume, therefore, that this matter will be revisited during finalisation of proposed ISAE 3402.
We have commented at length in our responses to proposed ISAs on the lack of precision in the drafting of requirements. In relation to proposed ISA 610 (Redrafted) The Auditor's Consideration of the Internal Audit Function we suggested that the scope of the pronouncement be changed so as to remove the need for detailed consideration of individual requirements where there was no intention to use the work of an existing internal audit function.
Paragraph 56(h) requires only reference to proposed ISAE 3402 in the assurance report.


