ISAE (NIEA) 3402 - Assurance on Controls in Service Organizations

Decree 2496 of December 2015 provides for the application of ISAE 3402 - Assurance Reports on Controls in Service Organizations, in conjunction with International Auditing Standards NIA300, NIA315 and NIA402, and the Assurance Regulation of the Information ISAE 3000, whose application date will depend on the group in which each Company is classified.

Tax auditors that provide services to companies that belong to Group 1 that are issuers of securities or entities of public interest must apply ISAE 3402 as of January 1, 2016 for audit works that begin from the beginning of that same year. While, the tax auditors of companies that belong to Groups 1 and 2, that have more than 30,000 minimum legal monthly salary in force of assets or more than 200 workers, must apply this norm as of January 1, 2017 for the works of audit that begin from the beginning of the year 2017, although its early application is allowed voluntarily.

The objective of ISAE 3402 is for an independent auditor to provide a report on the reasonableness of the design and implementation, and on the operational effectiveness of controls established in an organization that provides services related to the treatment of financial information to another organization.

The most important aspects to take into account from this rule are:

1. Application of the ISAE 3000 regarding planning, documentation, evidence, acceptance commitment, among others.

2. The auditor should ensure that he or she obtains an understanding of the information system of the service organization, including the controls contemplated in the scope of the work.

3. The auditor should obtain sufficient evidence about the design and operation of the controls.

4. If the service organization has an internal audit area, the service auditor should obtain an understanding of the responsibility of the internal audit, its functions and the activities carried out in order to identify if this information is relevant to the commitment.

5. Confirmation of the Management of the Service Organization in which it recognizes and understands its responsibility regarding:

to. Prepare the description of your system including the control objectives together with the assertion of integrity, accuracy and method of presentation of said description.

b. Identify the risks to achieve the objectives of the control indicated in the description of the system, together with the design and implementation that will allow its achievement.

6. The service auditor should take into account the materiality in relation to the description of the system and the proper design and implementation of the controls.

7. The auditor should obtain sufficient knowledge about the service organization system including the controls included in the scope of work.

8. Depending on the scope of the work, the service auditor should obtain relative evidence not only on the design and implementation of the controls but also on the operational effectiveness of the controls.

Depending on the scope of the work, 2 types of reports are issued, which contain:

Type 1 report:

The description of the internal control system performed by the service organization.

If the controls were designed and implemented on the date specified by the service organization.

That the controls associated with the control objectives indicated in the system description made by the service organization have been designed and implemented.

Type 2 report:

All the requirements described in the type 1 report.

Description of the tests of controls carried out and their findings in order to give an opinion on the operative efficiency of the same.