Use LinkedIn or an email


Forgot your password? Reset

Don't have account? Signup

Signup for free

Use LinkedIn or an email

By signing up you agree to the Terms & Conditions and Privacy & Policy

Reset password

Enter email to reset password

Already have account? Login
Don't have account? Signup

"Applying ISRS4400 to report on POPIA compliance."


    SAIBA members that have obtained the designation Business Accountant in Practice (BAP) may perform and issue a factual findings report on POPIA compliance requirements.

    ISRS 4400

    Factual findings engagements are also known as Agreed-Upon-Procedures (AUP).

    In performing an AUP engagement a BAP(SA) is required to apply the International Standard on Related Services 4400 (ISRS 4400). ISRS 4400 establishes requirements and provides guidance for performing an AUP engagement. Under ISRS 4400, an AUP engagement involves a practitioner performing procedures that have been agreed to by the practitioner, the entity and any appropriate third parties, and reporting on the factual findings based on the procedures performed.

    In conducting an AUP engagement in accordance with ISRS 4400, the practitioner does not express an opinion. Users of the AUP report assess for themselves the factual findings based on the procedures performed and draw their own conclusions.

    In contrast, in an assurance engagement the practitioner conveys an opinion or conclusion on the outcome of the measurement or evaluation of the underlying subject matter against criteria.


    The Protection of Personal Information Act, No 4 of 2013 (POPIA) promotes the protection of personal information by public and private bodies.

    POPIA has been signed into law by the President on 19 November 2013 and published in the Government Gazette Notice 37067.

    The President has signed a proclamation declaring some parts of the Protection of Personal Information Act No 4 of 2013 effective from 11 April 2014.

    The National Assembly approved the appointment of members to the Information Regulator on 7 September 2016.  The Regulator will be responsible for education, monitor and enforce compliance, handle complaints, perform research and facilitate cross-border cooperation.

    Sections 2 to 38, 55 to 109, 111 and section 114(1), (2) and (3) of the Protection of Personal Information Act, 4 of 2013 (“POPIA”) commenced on 1 July 2020.

    These sections form the core provisions of POPIA and pertain to, amongst others, the processing of personal information, the processing of special personal information, the Information Officer, direct marketing by means of unsolicited communications, flow of information outside of South Africa and enforcement of POPIA.

    Opportunities for Business Accountants in Practice (SA)

    Assessing a clients readiness for POPIA

    All forms of processing of personal information must, in terms of section 114(1) of POPIA, conform with POPIA by 1 July 2021. All business and public entities have to ensure compliance by this date.

    The SAIB Guide to Engagements on the Protection of Personal Information Act, 4 of 2013 (“POPIA”) for Business Accountants in Practice was commissioned by SAIBA to provide guidance to members on performing services to clients in relation to clients’ readiness for POPIA.

    A BAP(SA)s may approach any entity offering them the ISRS4400 engagement and a report that demonstrates the clients readiness for POPIA.

    What SAIBA needs to do

    SAIBA is a legislative controlling body for accountants, accounting officers and independent reviewers. As a controlling body we are required to monitor and sanction compliance to standards of member conduct. We perform this function by ensuring compliance by our members to the IAASB’s engagement standards. We offer CPD and training courses to help guide members with their everyday challenge in the workplace. We lobby government and SME associations to allocate work to business accountants.

    What you need to do

    The firm should study the SAIBA Guide and the ISRS 4400 and ensure that all POPIA engagements are performed in terms of this standard. The firm should study any relevant laws, regulations, founding documents or contract terms to determine the qualifications of the persons required to perform the engagement, prior to performing the engagement.

    Members are required to register with www.saiba.academy and read www.accountingweekly.com to stay updated and do a specialist license to unlock additional advisory work.

    • Do a google search to identify the types of companies that are likely to need this particular service.
    • Write an email or letter to them and explain how you can help them.
    • Do the SAIBA CPD and relevant license related to the particular service.
    • Perform the service for your new client.
    • Alternatively contact a SAIBA Strategic Alliance partner.

    Additional resources

    SAIBA has provided a number of guides, videos and PowerPoint slides that will assist accountants with understanding their responsibilities in terms the various types of engagements: