Reports on service organisation’s controls relevant to the security, availability, processing integrity, confidentiality or privacy of the information processed or stored for user entities in order for the user entity to be able to assess and manage the risks associated with outsourcing services provided to customers will usually require a long-form restricted use report on design, description and operating effectiveness of controls, detailing the tests conducted and the results of those tests. The services provided by service organisations in these circumstances may include:
cloud computing, managed IT security, customer on-line or telephonic support, sales force automation (order processing, information sharing, order tracking, contact management, customer management, sales forecast analysis or employee performance evaluation), health care or insurance claim management and processing or IT outsourcing services.
The primary practical difference for the assurance practitioner between an attestation and a direct engagement is the additional work effort for a direct engagement when planning the engagement and understanding the system and other engagement circumstances. In a direct engagement the assurance practitioner identifies, selects or develops the control objectives which address the purpose or overall objectives of the engagement and identifies the controls which are designed to achieve those objectives. This difference affects the assurance practitioner’s work effort in planning a direct engagement if the controls relevant to the control objectives have not been identified or documented and in understanding the entity’s system where a description of the system is not available.
In a three party relationship, which is an element of an assurance engagement, the responsible party may or may not be the engaging party, but is responsible for the controls which are the subject matter of the engagement and is a separate party from the intended users. The responsible party and the intended users may both be internal to the entity, for example if the responsible party is at an operational level of management and the intended users are at the level of those charged with governance, such as the Board or Audit Committee. See Appendix 2 for a discussion of how each of these roles relates to an assurance engagement on controls.
Although this ASAE does not apply to engagements on controls required to be conducted under ASAE 3402, an engagement may include combined reporting under this ASAE and ASAE 3402. A service organisation may agree by contractual arrangements with user entities to provide an assurance report on controls for the purposes of both providing evidence for user entities’ financial report audit and to satisfy user entities’ obligations to customers or employees. Consequently, the assurance report may contain a section prepared under ASAE 3402 which concludes on the operating effectiveness of controls at the service organisation that are likely to be relevant to user entities’ internal control as it relates to financial reporting and a section prepared under this ASAE which concludes on controls relevant to user entities’ operational needs, such as accessibility and availability of IT resources, or contractual commitments to customers or employees, such as security, confidentiality and privacy of personal information or health and safety of workers engaged to produce products supplied.
Components of control are defined by the control framework applied. For example, the components of control may comprise:
- infrastructure – physical facilities, equipment, IT hardware and IT networks
- software – IT operating system, software applications and utilities
- people – IT developers, testing and implementation personnel, system and database administrators, operators, users and managers
- procedures – automated and manual procedures involved in the system’s operation
- data – information processed, generated, stored, transmitted and managed, including transactions, files, messages, images, records, databases and tables.
In accepting an assurance engagement on controls, the assurance practitioner, in order to comply with relevant ethical requirements, considers whether the assurance practitioner has provided internal audit or consulting services with respect to the design or implementation of controls at the entity, as any such past or current engagements are likely to impact on the assurance practitioner’s independence and are likely to preclude acceptance of the engagement.