Canadian companies preparing for new international assurance standard for third party reporting

Canada is among several countries anticipated to be harmonizing their local assurance standards with a proposed new international assurance standard for third party reporting (the ISAE 3402 standard), according to a report by PricewaterhouseCoopers (PwC). 
“In recent years, the growing importance of outsourcing, coupled with a heightened focus by businesses on internal controls, has placed service organizations under greater scrutiny with respect to governance and assurance,” PwC’s report says.
“At the same time, it is becoming increasingly more complex and costly for service providers to produce several controls assurance reports under the different third party internal control standards of various countries.
“To address these challenges, the International Auditing and Assurance Standards Board proposed a new standard to enhance auditors’ considerations of internal controls at service organizations.”
A final report on ISAE 3402 is due in June 2009.
One key recommendation is to provide “consistent reporting globally, which will ease the burden for service organizations to both understand and support multiple reporting standards engagements,” PwC says.
Another recommendation is to expand the scope of an organization’s controls assurance reporting.
“While the [proposed new international] standard remains grounded in addressing the financial reporting requirements of users of service organizations, it is expected to open the door to allow reporting on controls beyond financial reporting in areas such as regulatory, compliance, operational and business resumption/disaster recovery planning controls,” PwC says.
“As a result, service organizations currently issuing separate reports over these non-financial types of controls may have an opportunity to consolidate reporting and compliance initiatives. This will add more market relevance to the reports.”
It could also cause auditors to scrutinize service organizations in areas that haven’t been considered before, PwC adds.
As service organizations expand the scope of their controls reporting, they “may have certain control activities tested by their auditors for the first time,” PwC says.
“Expanding the report beyond financial reporting may create a perceived concern or opportunity for the service organization,” PwC writes. “A perceived concern may exist if customers seek additional comfort in a particular area(s), but the service organization hasn’t historically incorporated the areas.”
PwC is advising the management of organizations to consider what processes it has in place to evaluate and assess the performance of its controls.
The full report, An International Assurance Standard for Third Party Reporting, can be accessed at:
http://www.pwc.com/extweb/pwcpublications.nsf/docid/BDE7A2F10192F3C8852575A70058EE39?WT.ac=HPen2B-20090529