www.pwc.com/ca/controls
Navigating the
transition to
CSAE 3416
FAQs on the
new Canadian
Standard on
Assurance
Engagements
In response to changes in third-party assurance
standards in both the US and internationally, the
Auditing and Assurance Standards Board has issued a
new Canadian Standard on Assurance Engagements
called Reporting on Controls at a Service Organization
(CSAE 3416). This standard replaces the Auditor’s
Report on Controls at a Service Organization,
Section 5970 (S 5970), which has been the standard
in Canada for performing independent third-party
assurance engagements.
CSAE has been designed to provide standards and
guidance to an auditor who is reporting on the controls
at a service organization. This is relevant to situations
when the service (a specialized business task or
function) being provided to customers (or user entities)
impacts the user entity’s financial reporting processes.
In such situations, service organizations are often
subjected to audits of these processes.
1 FAQs on the new Canadian Standard on Assurance Engagements
How will the CSAE affect my organization?
CSAE 3416 (and S 5970) allows auditors to issue two types of
service auditor’s reports. In a type 1 report the service auditor
expresses an opinion on the fair presentation of the described
controls (i.e. does the description coincide with what actually
exists) and whether the controls included in the description are
suitably designed to meet the control objectives. Once controls
are determined to be suitably designed to achieve the control
objectives, their operating effectiveness can be assessed and
reported on, within a type 2 report.
In both of the above reports, the service organization is
responsible for the preparation of the system description
inserted into the report. This description includes the nature
of the service provided, how the service is performed, and the
service organization’s controls over the service and related
control objectives.
Why the need for change?
The CSAE is aligned with the new Statement on Standards
for Attestation Engagements (SSAE 16), Reporting on Controls
at a Service Organization, which was issued by the American
Institute of Certified Public Accountants’ (AICPA) Auditing
Standards Board (ASB). The SSAE 16 standard was released
in response to the new International Standard on Assurance
Engagements (ISAE 3402), which was created to provide a
reporting option for service organizations with the need to
deliver consistent reporting worldwide.
PwC 2
Are there any significant differences between
CSAE 3416, the new international standard
ISAE 3402, and the new US standard SSAE 16?
By aligning with the new SSAE, the CSAE materially aligns
with ISAE 3402 in most respects. The CSAE 3416 standard is
modeled after the US standard SSAE 16, with a six month
lag in effective date.
Will the new standard be as widely
accepted as the existing Section 5970?
As of December 15, 2011, S 5970 will be replaced by CSAE 3416.
It is expected that all current users and issuers of S 5970 reports
will move to CSAE 3416, except in instances where the service
organization wants to target a non-Canadian audience. In these
circumstances, the SSAE 16 or ISAE 3402 may be used.
When will the new standards be effective?
CSAE 3416 will be effective for service auditor’s reports for
periods ending on or after December 15, 2011. This is six
months after the effective date of the International Auditing and
Assurance Standards Board’s (IAASB) and the AICPA’s standard
for service auditors (June 15, 2011).
Can a single report be issued under
more than one standard?
Yes it can. The report can be tailored to meet the criteria of
multiple standards, with one standard being considered
the anchor standard.
3 FAQs on the new Canadian Standard on Assurance Engagements
Have significant changes been made to CSAE
3416 that will affect a service auditor’s
engagement? Will these changes lead to a
considerable change in the level of effort and
cost to issue a report under the new standard?
While the standard does include some new requirements
and changes to previous requirements as outlined in S 5970,
the change in the level of effort from a service organization’s
standpoint would depend on how prepared they are. Factors that
may affect the level of effort include the service organization’s
past experience with third-party assurance reporting and the
overall strength of the internal controls environment. The level
of effort for first time issuers of a third-party assurance report
under the new standard will be significantly higher. Please
refer to “A new level of trust and transparency – A perspective on
transitioning from Section 5970 to CSAE 3416” for more detail in
this area.
Can CSAE 3416 be used for reporting
on controls over subject matter
other than financial reporting?
No. While early exposure drafts considered the expansion of
scope beyond controls related to financial reporting, later drafts
removed this provision. CSAE 3416 (as well as S 5970) does
not apply to examinations of controls over subject matter other
than financial reporting. These types of engagements would
be performed under Section 5025, Standards for Assurance
Engagements Other than Audits of Financial Statements and other
historical financial information.
PwC 4
What types of activities can be performed
by service organizations to prepare
for the move to the new standard?
Is early adoption permitted?
While it is not expected that many organizations will adopt the
new Canadian standard early, we’re encouraging organizations
to begin aligning their existing reports and supporting processes
with the new requirements. If an organization chooses to adopt
early, we suggest they reach out to their service auditors to
discuss next steps in their transition.
Is the existing guidance to assist
with the performance of S 5970
engagements being rewritten? When
will the new guidance be available?
Yes. The existing AICPA guide, which is often used as a
reference in Canada (AICPA guide for Service Organizations
or SAS 70 guide), is being rewritten to reflect the requirements
and guidance in SSAE 16. This revised guide can be consulted
when performing CSAE 3416 engagements in the future, and is
expected to be available in the second quarter of 2011.
5 FAQs on the new Canadian Standard on Assurance Engagements
Can service organizations provide a
CSAE 3416 service auditor’s report on
their services to potential customers?
No. Given that the nature of services performed by individual
service organizations are different, service auditor’s reports are
designed to only include controls that services organizations
feel are relevant to their existing clients (and user auditors).
Additionally, any procedures performed by the service auditor
(used to formulate their opinion) only relate to the controls that
apply to existing customers. As a result, use of a CSAE 3416
report (or S 5970 report) is restricted to existing customers
(user entities) of the service organization and their auditors
and is not meant to be used for the purpose of marketing to
potential customers.
Will entities now become “certified” under
CSAE 3416 and similar standards?
No. The idea of certifying against CSAE 3416 and S 5970 (and
other similar standards) is a popular misconception, since thirdparty assurance reports (including CSAE 3416 and S 5970)
are meant primarily for auditor to auditor communication.
Neither of these represents a prescriptive framework against
which a service provider can be evaluated (unlike certification
frameworks such as ISO 27001 or PCI). As a result, a service
provider cannot be “certified” as CSAE 3416 compliant.
PwC 6
Who to call
National Controls Leader
Arturo Lopez
416 941 8219
[email protected]
Calgary & Vancouver
Toronto
Justin Abel
403 509 7522
[email protected]
Peter Hargitai
416 941 8464
[email protected]
Edmonton
Jennifer Johnson
416 947 8966
[email protected]
Kishan Dial
789 441 6864
[email protected]
Montréal
Tony Pedari
416 941 8226
[email protected]
Marc Fournier
514 205 5201
[email protected]
Johanna Sun
416 815 5216
[email protected]
Ottawa
Winnipeg
Anthony Dias
613 755 5945
[email protected]
Robert Reimer
204 926 2442
[email protected]
www.pwc.com/ca/controls
© 2011 PricewaterhouseCoopers LLP. All rights reserved. In this document, “PwC” refers to PricewaterhouseCoopers
LLP, an Ontario limited liability partnership, which is a member firm of PricewaterhouseCoopers International Limited,
each member firm of which is a separate legal entity. 0935-02