Why is the standard changing?

This paper focuses on the changes from the Section 5970 standard to the new CSAE 3416 standard, including comments on the impact of those updates on service organizations and service auditors.

Organizations that provide services affecting their customers' financial reporting processes are often subject to audits of those processes, performed on behalf of their customers. The Auditor's Report on Controls at a Service Organization, Section 5970, has long been the governing standard in Canada for performing these audits, and it gives the service organization a mechanism for providing an independent audit report to its customers and their auditors. The requirements and guidance for Canadian auditors reporting under Section 5970 will be superseded by a new Canadian Standard on Assurance Engagements (CSAE 3416). Globally, many countries do not have their own standard for performing such audits, which led to the creation of an international standard, International Standard on Assurance Engagements 3402 (ISAE 3402). The international standard provides a reporting option for service organizations that need a global attestation standard to deliver consistent reporting worldwide. Similarly, the current standard in the US, Statement on Auditing Standards No. 70 (SAS 70), is being replaced with Statement on Standards for Attestation Engagements No. 16 (SSAE 16).

Although initial discussions on these new standards considered broadening the scope beyond financial reporting, the final standards focus on controls at service organizations that are likely to be relevant to a customer's internal control over financial reporting. While CSAE 3416, ISAE 3402 and SSAE 16 have some differences, they are substantially the same. CSAE 3416 is effective for reports with periods ending on or after December 15, 2011. However, ISAE 3402 and SSAE 16 are both effective for periods ending on or after June 15, 2011 (i.e. six months earlier than the CSAE 3416 effective date). CSAE 3416 allows for early adoption. While we do not anticipate that many companies will adopt the new Canadian standard early, we encourage companies to begin aligning their existing reports with the new requirements.

What are the key similarities and differences, and what is the expected impact of these changes?

1. Management assertion

Under the new standard, the service organization takes on some additional responsibilities. The most notable is the requirement to provide a written assertion stating that the description of the system is fairly presented and that the controls are suitably designed and operating effectively to achieve the specified control objectives.

  • Management's assertion will be included in, or attached to, management's description of the system and documented within the report.
  • Management's assertion should be based on suitable criteria.
    • Management should select the criteria to be used to make their assertion and should state the criteria within the assertion.
    • A service auditor is precluded from issuing a report if management does not provide a written assertion.
    • The standard provides typical suitable criteria and a sample assertion, which should help with the implementation of this requirement.
  • Management should have a reasonable basis for its assertion, which may be achieved through ongoing monitoring activities that provide evidence of the design and operating effectiveness of controls.

2. Description of the system

In addition to a written assertion, management is responsible for preparing its description of the service organization's system ("the system"). The system is defined as the policies and procedures designed, implemented, and documented by management to provide customers with the services covered by the service auditor's report. Management's description should identify (as applicable):

  • The services covered by the report;
  • The period covered by the report;
  • A description of the classes of transactions processed;
  • The control objectives and related controls;
  • Complementary user controls (often referred to as user control considerations);
  • Controls performed by the sub-service organization (for inclusive reports only);
  • A description of changes to the system during the period covered by the report; and
  • Other aspects of the service organization's control environment, risk assessment process, information and communication systems and monitoring of controls, as defined by the Committee of Sponsoring Organizations' (COSO) internal control framework, that could be relevant to user entities.

Management should consider the entire transaction lifecycle (as depicted below) when developing the description of the system.

3. Identification of risks to achieving control objectives

As under Section 5970, management's description of the system should specify control objectives and related controls. Management should also identify the risks that threaten the achievement of the control objectives stated in the description. CSAE 3416 allows management to use either a formal or an informal process for identifying the relevant risks and does not require that those risks be explicitly included in the report. However, in our view, leading practice is for management to conduct and formally document its consideration of the relevant risks.

4. Treatment of sub-service organizations

Consistent with the prior standard, CSAE 3416 allows the service organization to describe the use of sub-service organizations through either an inclusive or carve-out method of presentation.

When using the inclusive method, management's description of the system should include a description of, and clearly distinguish, the services provided by the sub-service organization. Additionally, the sub-service organization is subject to the same requirements as the service organization and should provide the following:

  • A description of the related control objectives and controls at the sub-service organization;
  • A written assertion, to be included in, or attached to, management's description of the service organization's system; and
  • A letter of representation.

5. Using the work of internal audit (and other independent functions)

The service auditor may support their testing with the work of internal audit or of other independent or objective control-related functions, where that work has been performed independently of the service auditor's work. This presents an opportunity to further streamline CSAE 3416 reporting initiatives with other risk and compliance initiatives. If the service auditor relies upon this work in performing their tests of controls, additional disclosure is required within the report. Such disclosure is not required when internal audit or another control-related function is used in the more common direct-assistance capacity (i.e., working under the direction of the service auditor). The ability to use the work of internal audit allows the service auditor to leverage the monitoring that the service organization's management has already put in place for governance purposes, creating opportunities for efficiency.

Key action items

The following are key action items for the service organization to consider when implementing the new CSAE 3416 standard:

  • Service auditor – Initiate discussions with service auditors to increase your understanding of the new standard and gain insight from the service auditor's perspective.
  • Communication plan – Establish a plan for communication of the new standard and for education of customer service teams, program offices, contract teams, sales teams and customers. Re-visit and assess the impact on customer contracts, as necessary.
  • Timing of adoption – The standard is effective for reports with periods ending on or after December 15, 2011. For example, a twelve-month report period ending December 31, 2011 would be issued under CSAE 3416. Assess the benefits and feasibility of early adoption.
  • Management's assertion – Evaluate current control monitoring processes to determine if enhancements are necessary to support management's assertion.
  • System description – Re-visit existing descriptions of controls within current Section 5970 reports as a foundation for developing management's description of the service organization's system, including control objectives, risks and related controls.
  • Relevant risks – If not currently in place, conduct and formally document consideration of the relevant risks that threaten the achievement of the control objectives.
  • Sub-service organizations – If sub-service organizations are to be included in management's description of the service organization's system, determine whether to use the inclusive or carve-out method. If using the inclusive method, initiate discussions with the sub-service organization regarding their requirements under the new standard.
  • Internal audit – Begin aligning internal audit and other independent management functions to scope reporting requirements and potentially identify areas of leverage and reliance with their service auditor.

How we can help

We work with our clients to deliver customized services. Our risk-based third party assurance solutions are tailored to ensure that individual service providers can provide their customers with the right level of assurance with confidence.

PwC's Third Party Assurance professionals have been involved on committees during the development and rollout of the new CSAE 3416 standard. In addition, members of our global network have been involved in the development and rollout of the new international and US standards (ISAE 3402 and SSAE 16).

Leveraging experience from across our vast network, our Third Party Assurance professionals can help you define the optimal scope of the report under the new standards and assess your organization's readiness. We assist with preparing and issuing third party assurance reports, such as CSAE 3416, that drive compliance with regulatory and customer requirements while helping integrate a controls structure into the daily operating model.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.