Reports for Service Organizations
With the objective of optimizing costs and taking advantage of the advances in technology in general, companies in Brazil and in the world have decided to transfer the execution of some of their internal processes and activities to service organizations.
These activities can be just internal support or even strategic to the business. Even though they are outsourced, they still have, for the most part, a direct impact on the financial statements. Therefore, companies that have outsourced important activities and that generate impacts on their business continue to be responsible for ensuring the safety and reliability of these activities. The organizations that provide services because they start to operate these activities of their clients, are being demanded to undergo audits in the processes that execute for their clients. This demand comes from its clients and also from regulators and the market in general, which demands transparency and reliability.
For a long time, the market has been familiar with the SAS 70 report that served the purpose of service organizations to have their internal controls audited and to be able to present their audit results to their customers using this report.
This standard has long offered service organizations a way to present to their clients and auditors an independent audit firm's opinion on their internal controls on the processes performed for their clients.
ISAE3402
Since June 15, 2011, SAS70 has been discontinued and has evolved into a new global audit standard for service organizations.O International Auditing and Assurance Standards Board (IAASB) created the International Standard for Assurance Engagements (ISAE) No. 3402 (ISAE3402). ISAE 3402 provides an option for service provider organizations that require a globally recognized report. In Brazil, the Federal Accounting Council (CFC) approved the Brazilian Accounting Standard for Assurance Control Reports in a Service Provider Organization (NBC TO 3402), prepared according to its international equivalent ISAE3402.
In the United States SAS70 was replaced by the Standard on Standards for Attestation Engagements 16 (SSAE16). There are some differences between ISAE 3402 and SSAE16, however, these standards are substantially the same.
Relatórios SOC – “Service Organization Control”
The current reporting standard for service organizations, following the definitions in ISAE 3402 and SSAE 16 is called SOC 1. – “Service Organization Control No. 1”.
The result of completing the ISAE3402 exam is divided into 2 reports that include the auditor's opinion, which are:
Type 1 - Evaluates the structure of the company's internal controls and how management documents and tests this structure over a specific period of time.
Type 2 - Includes the evaluation of control documentation and operational effectiveness, through auditing tests and procedures.
Which outsourced activities require the SOC 1 report
- Services of data processing,
- Processing of payroll,
- Management of investment funds
- Processing of credit card operations;
- Other specific business processes that impact clients' financial statements.
PKF can offer the services of issuance of reports on the internal controls of a service organization following the standards defined in ISAE 3402 / SSAE 16 and NBC 3402, adopting the following approaches:
- Diagnostics of internal controls to service ISAE3402 (Gap Analysis)
The purpose of a diagnosis is to compare the internal controls, policies and procedures of the service organization with the defined control objectives set forth for ISAE3402.
The result of this diagnosis is an internal use report containing a plan of improvement actions in the controls and processes, with the purpose of helping the service organization to prepare for the ISAE3402 audit and the issuance of the SOC report
Issuance of SOC 1 Reports
Conducting the examinations according to ISAE 3402 / SSAE16 and NBC 3402, in order to issue the SOC 1 Type I or Type 2 reports.