International Standard on Assurance Engagements (ISAE 3000) is typically applied to provide assurance of:
- internal controls
- sustainability, and
- compliance with laws and regulations
ISAE 3000 recognizes two types of reports: type 1 and type 2. A type 1 report provides assurance on the suitability of design and existence of controls, and a type 2 report provides assurance on suitability of design, existence and operational effectiveness.
An ISAE 3000 report generally consists of a description of the scope, the norm against which the report is tested, a description of the control framework, a detailed description of the risk management system, and a control matrix consisting of the risks, the related control objectives and the related controls.
Example of the scope of ISAE 3000
Typically a practitioner applying ISAE 3000 in an engagement will issue a scope statement as follows. This illustrates the applicability of the standard in certain circumstances:
- Examining XYZ Service Organization’s (XYZ’s) description of its medical claims processing system throughout a certain period based on the criteria set out in a Description of a Service Organization’s System in a SOC 2® Report, and the suitability of the design and operating effectiveness of controls stated in the description to provide reasonable assurance that XYZ’s service commitments and system requirements were achieved based on the trust services criteria for security, availability, processing integrity, confidentiality and privacy.
Opportunities for business accountants
ISAE 3000 is the standard prescribed by SAIBA when a BAP(SA) performs an assurance engagement on non-financial information. Entities may voluntarily request a BAP(SA) to perform an ISAE 3000 engagement under the following circumstances:
- Allocation of royalties: The contractual clauses.
- Shared profits, shared cost saving: Joint venture agreements in relation to cost or profit sharing arrangements.
- Greenhouse gas emissions: Greenhouse Gas Protocol to quantify greenhouse gas emissions.
- Risk assessment processes: Equator Principles, when evaluating social and environmental risks in project financing for emerging markets.
- The Occupational Health and Safety Assessment Series 18000 to evaluate health and safety risks.
- Anti-bribery procedures: Ministry of Justice guidance in relation to Anti-Bribery and Corruption.
- OECD guidance on anti-bribery & corruption.
- Ethical investment arrangement and its functions.
- Standards as defined by independent bodies such as Transparency International and UN PRI.
- Cost saving achieved: Gershon guidelines on cost savings for certain public sector bodies.
- Governance arrangement: Objectives set by standards defining bodies such as the OECD.
- Management processes: Process objectives set by the company.
- Data and information security: AICPA SOC 2 and 3 frameworks for data centres and web trust.
- IT governance arrangements: Various IT Governance references.
- Internal controls over financial reporting: COSO report, as used for example in Sarbanes-Oxley opinions.
- Corporate governance procedures: King IV Corporate Governance Code.
- Internal controls over financial and operational controls: Company-developed framework, e.g. by reference to the COSO or Turnbull report.
- And more.
However, some entities are part of a regulated environment that requires that only a registered auditor with the IRBA may perform the engagement:
What SAIBA needs to do
SAIBA is a legislative controlling body for accountants, accounting officers and independent reviewers. As a controlling body we are required to monitor and sanction compliance with standards of member conduct. We perform this function by ensuring that our members comply with the IAASB’s engagement standards and by requiring members to stay up to date with the latest developments in this area. We offer CPD and training courses to help guide members with their everyday challenges in the workplace. We lobby government and SME associations to allocate work to business accountants.
What you need to do
The firm should study ISAE 3000 and ensure that all assurance engagements on non-financial information are performed in terms of this standard. Before performing an engagement, the firm should study any relevant laws, regulations, founding documents or contract terms to determine the qualifications required of the persons performing it. Members are required to register with www.saiba.academy, read www.accountingweekly.com to stay updated, and complete a specialist license to unlock additional advisory work.
In summary you can: