PSAE 3402 and Its Benefits to BPOs and Audit
Lex Daniel S. Quequegan
September 17, 2019

PSAE 3402, or “Assurance Reports on Controls at a Service Organization”, is the current prevailing assurance engagement standard that helps both BPOs and auditors in the performance of their functions. For BPOs, PSAE 3402 enhances the confidence of their clients in their services. For auditors, this standard helps them reduce the nature, timing and extent of their audit procedures, so that they can focus on the more important matters in their audits.
This standard, PSAE 3402, “deals with assurance engagements undertaken by a professional accountant in public practice to provide a report for use by user activities and their auditors on the controls at a service organization that provides a service to user entities that is likely to be relevant to user entities’ internal control as it relates to financial reporting.”
Who are the parties under PSAE 3402?
The standard normally involves four (4) parties, namely: (1) service organization, (2) user entity, (3) service auditor and (4) user auditor.
The service organization is defined in the latter part of the PSAE 3402 definition given above: it is a third-party organization (or segment of a third-party organization) that provides services to user entities that are likely to be relevant to user entities’ internal control as it relates to financial reporting. So basically, service organizations are companies in the BPO industry that are primarily engaged in accounting and/or IT outsourcing for user entities. User entities are entities that use a service organization to outsource their financial reporting-related functions and whose financial statements are being audited.
The auditor who reports on controls of a service organization that may be relevant to a user organization’s internal control as it relates to an audit of financial statements is known as the service auditor. The user auditor, on the other hand, is the auditor who audits and reports on the financial statements of a user entity.
So basically, there are two (2) entities or organizations, each having its own auditor. However, each auditor provides a different attestation service. A user auditor performs the financial statement audit of the user entity. Because that audit is statutory, it is mandatory. A service auditor only reports on the controls the service organization uses in the performance of its services. Since this report is not required by law, it is not mandatory. However, to enhance its credibility, a service organization typically engages a service auditor.
Reports under PSAE 3402
The service auditor issues a PSAE 3402 assurance report, which will be used by the user auditor in assessing control risk, in its tests of controls and in its independent reporting.
There are two (2) types of reports issued by a service auditor: (1) Type I and (2) Type II. A Type I report conveys reasonable assurance that, in all material respects, and based on suitable criteria, the service organization’s description fairly presents its system as designed and implemented as at the specified date, and the controls related to the control objectives stated in the service organization’s description of its system were suitably designed as at the specified date. A Type II report conveys reasonable assurance that, in all material respects, and based on suitable criteria, the service organization’s description fairly presents its system as designed and implemented throughout the specified period, the controls related to the control objectives stated in the service organization’s description of its system were suitably designed throughout the specified period, and the controls related to the control objectives stated in the service organization’s description of its system operated effectively throughout the specified period. A Type II report also includes a description of the tests of controls and the results thereof.
In summary, a Type I report provides the following:
- A description of the service organization’s system and controls supported by a management assertion and an auditor’s opinion on the fairness of that description, and whether the controls had been placed into operation; and,
- A management assertion and an auditor’s opinion on whether the controls are appropriately designed to meet the control objectives.
In addition to the opinions provided in a Type I report, a Type II report adds a management assertion and an auditor’s opinion on the operating effectiveness of controls.
Under a related US AICPA standard, SSAE 18, we may find the term Service Organization Control (SOC) 1. SOC 1 is the term used under this standard for reports that provide the same information as above. There are two other reports that a service auditor may provide aside from SOC 1: SOC 2 and SOC 3. SOC 2 reports on non-financial processing based on one or more of the Trust Services criteria on security, privacy, availability, confidentiality and processing integrity, and includes a description of the services provided and the controls tested. Distribution of this report would be restricted to users of the services. SOC 3 is a report on non-financial processing based on the Trust Services criteria. Unlike SOC 2, a SOC 3 report can be distributed to anyone, but only contains management’s assertion that they have met the requirements of the chosen criteria and the auditor’s opinion on this assertion.
Benefits to BPOs and Audit
The PSAE 3402 Type II report is primarily used by user organizations (clients of BPOs). The report provides valuable information regarding the service organization’s (the BPO’s) controls and the effectiveness of those controls. The user organization receives a detailed description of the service organization’s controls and an independent assessment of whether the controls were placed in operation, suitably designed and operating effectively.
Thereafter, the user organization should provide the report to its (user) auditor. This will greatly assist the user auditor in planning the audit of the user organization’s financial statements. Without this report, the user organization would likely have to incur additional costs in sending its auditors to the service organization to perform their procedures.
At the same time, the service auditor’s report gives confidence. It is important to note the value it provides to service organizations. With the report, a user organization can determine which controls are implemented at the service organization, which gives the user organization comfort that the service organization takes good care of the services it offers.
What QT&Co Can Provide
Our company, composed of professionals with extensive background in audit and IT, can help you determine the design and operating effectiveness of your controls or your service organization’s controls.
For more information, send us an email at qtco.cpas@gmail.com
