SAE 3402 Service Org
SAE 3402
Assurance Reports on Controls at a
Service Organisation
(Effective for service auditors’ assurance reports covering periods ending on or after April 1, 2011)
Contents
Paragraph(s)
Introduction
Scope of this SAE ................................................................................. 1-6
Effective Date ........................................................................................... 7
Objectives ................................................................................................ 8
Definitions ................................................................................................ 9
Requirements
Framework for Assurance Engagements ............................................... 10
Ethical Requirements .............................................................................. 11
Management and Those Charged with Governance .............................. 12
Acceptance and Continuance ............................................................ 13-14
Assessing the Suitability of the Criteria.............................................. 15-18
Materiality ................................................................................................ 19
Obtaining an Understanding of the Service Organization’s System ...................... 20
Obtaining Evidence Regarding the Description ................................. 21-22
Obtaining Evidence Regarding Design of Controls ................................ 23
Obtaining Evidence Regarding Operating Effectiveness of Controls 24-29
The Work of an Internal Audit Function ............................................. 30-37
Written Representations .................................................................... 38-40
Other Information ............................................................................... 41-42
Subsequent Events ............................................................................ 43-44
Documentation ................................................................................... 45-52
Preparing the Service Auditor’s Assurance Report ........................... 53-55
Other Communication Responsibilities ................................................... 56
Application and Other Explanatory Material
Scope of this SAE ............................................................................. A1-A2
Definitions ......................................................................................... A3-A4
Ethical Requirements .............................................................................. A5
Management and Those Charged with Governance .............................. A6
Acceptance and Continuance ......................................................... A7-A12
Assessing the Suitability of the Criteria......................................... A13-A15
Materiality ...................................................................................... A16-A18
Obtaining an Understanding of the Service Organization’s System ............. A19-A20
Obtaining Evidence Regarding the Description ............................ A21-A24
Obtaining Evidence Regarding Design of Controls ...................... A25-A27
Obtaining Evidence Regarding Operating Effectiveness of Controls .............. A28-A36
The Work of an Internal Audit Function ....................................... A37-A41
Written Representations ............................................................... A42-A43
Other Information .......................................................................... A44-A45
Documentation ...................................................................................... A46
Preparing the Service Auditor’s Assurance Report ...................... A47-A52
Other Communication Responsibilities ................................................. A53
Appendix 1: Example Service Organization’s Assertions
Appendix 2: Example Service Auditor’s Assurance Reports
Appendix 3: Example Modified Service Auditor’s Assurance Reports
Standard on Assurance Engagements (SAE) 3402, “Assurance Reports
on Controls at a Service Organization,” should be read in the context of
the “Preface to the Standards on Quality Control, Auditing, Review,
Other Assurance and Related Services”.
Introduction
Scope of this SAE
1. This Standard on Assurance Engagements (SAE) deals with assurance
engagements undertaken by a professional accountant in public practice[1] to
provide a report for use by user entities and their auditors on the controls at a
service organization that provides a service to user entities that is likely to be
relevant to user entities’ internal control as it relates to financial reporting. It
complements SA 402[2], in that reports prepared in accordance with this SAE are
capable of providing appropriate evidence under SA 402. (Ref: Para. A1)
2. The “Framework for Assurance Engagements” states that an assurance
engagement may be a “reasonable assurance” engagement or a “limited
assurance” engagement; that an assurance engagement may be either an
“assertion-based” engagement or a “direct reporting” engagement; and, that the
assurance conclusion for an assertion-based engagement can be worded either
in terms of the responsible party’s assertion or directly in terms of the subject
matter and the criteria[3]. This SAE only deals with assertion-based engagements
that convey reasonable assurance, with the assurance conclusion worded
directly in terms of the subject matter and the criteria[4].
3. This SAE applies only when the service organization is responsible for,
or otherwise able to make an assertion about, the suitable design of controls.
This SAE does not deal with assurance engagements:
(a) To report only on whether controls at a service organization operated as
described, or
(b) To report only on controls at a service organization other than those
related to a service that is likely to be relevant to user entities’ internal
control as it relates to financial reporting (for example, controls that
affect user entities’ production or quality control). (Ref: Para. A2)
4. In addition to issuing an assurance report on controls, a service auditor
may also be engaged to provide reports such as the following, which are not
dealt with in this SAE:
[1] As per the Framework for Assurance Engagements, issued by the Institute of Chartered
Accountants of India, the term “professional accountant in public practice (practitioner)” refers to
a member of the Institute of Chartered Accountants of India who is in practice in terms of section
2 of the Chartered Accountants Act, 1949. The term is also used to refer to a firm of chartered
accountants in public practice.
[2] SA 402, “Audit Considerations Relating to an Entity Using a Service Organization”.
[3] Framework for Assurance Engagements, paragraphs 9, 10 and 56.
[4] Paragraphs 13 and 53(k) of this SAE.
(a) A report on a user entity’s transactions or balances maintained by a
service organization; or
(b) An agreed-upon procedures report on controls at a service organization.
Relationship with Other Professional Pronouncements
5. The Framework for Assurance Engagements provides requirements in
relation to such topics as engagement acceptance, planning, evidence, and
documentation that apply to all assurance engagements, including engagements
in accordance with this SAE. This SAE expands on how such requirements are
to be applied in a reasonable assurance engagement to report on controls at a
service organization. The Framework for Assurance Engagements, which also
defines and describes the elements and objectives of an assurance engagement,
provides the context for understanding this SAE.
6. Compliance with the Framework for Assurance Engagements requires,
among other things, that the service auditor comply with the Code of Ethics of
the Institute of Chartered Accountants of India, and implement quality control
procedures that are applicable to the individual engagement[5].
Effective Date
7. This SAE is effective for service auditors’ assurance reports covering
periods ending on or after April 1, 2011.
Objectives
8. The objectives of the service auditor are:
(a) To obtain reasonable assurance about whether, in all material respects,
based on suitable criteria:
(i) The service organization’s description of its system fairly
presents the system as designed and implemented throughout
the specified period (or in the case of a type 1 report, as at a
specified date);
(ii) The controls related to the control objectives stated in the
service organization’s description of its system were suitably
designed throughout the specified period (or in the case of a
type 1 report, as at a specified date);
(iii) Where included in the scope of the engagement, the controls
operated effectively to provide reasonable assurance that the
control objectives stated in the service organization’s
description of its system were achieved throughout the
specified period.
(b) To report on the matters in (a) above in accordance with the service
auditor’s findings.
[5] Framework for Assurance Engagements, paragraph 4. Members’ attention is also drawn to ISAE
3000 (Revised), paragraphs 20 and 31-36.
Definitions
9. For purposes of this SAE, the following terms have the meanings
attributed below:
(a) Carve-out method – Method of dealing with the services provided by a
subservice organization, whereby the service organization’s description
of its system includes the nature of the services provided by a
subservice organization, but that subservice organization’s relevant
control objectives and related controls are excluded from the service
organization’s description of its system and from the scope of the
service auditor’s engagement. The service organization’s description of
its system and the scope of the service auditor’s engagement include
controls at the service organization to monitor the effectiveness of
controls at the subservice organization, which may include the service
organization’s review of an assurance report on controls at the
subservice organization.
(b) Complementary user entity controls – Controls that the service
organization assumes, in the design of its service, will be implemented
by user entities, and which, if necessary to achieve control objectives
stated in the service organization’s description of its system, are
identified in that description.
(c) Control objective – The aim or purpose of a particular aspect of
controls. Control objectives relate to risks that controls seek to mitigate.
(d) Controls at the service organization – Controls over the achievement of
a control objective that is covered by the service auditor’s assurance
report. (Ref: Para. A3)
(e) Controls at a subservice organization – Controls at a subservice
organization to provide reasonable assurance about the achievement of
a control objective.
(f) Criteria – Benchmarks used to evaluate or measure a subject matter
including, where relevant, benchmarks for presentation and disclosure.
(g) Inclusive method – Method of dealing with the services provided by a
subservice organization, whereby the service organization’s description
of its system includes the nature of the services provided by a
subservice organization, and that subservice organization’s relevant
control objectives and related controls are included in the service
organization’s description of its system and in the scope of the service
auditor’s engagement. (Ref: Para. A4)
(h) Internal audit function – An appraisal activity established or provided as
a service to the service organization. Its functions include, amongst
other things, examining, evaluating and monitoring the adequacy and
effectiveness of internal control.
(i) Internal auditors – Those individuals who perform the activities of the
internal audit function. Internal auditors may belong to an internal audit
department or equivalent function.
(j) Report on the description and design of controls at a service
organization (referred to in this SAE as a “type 1 report”) – A report that
comprises:
(i) The service organization’s description of its system;
(ii) A written assertion by the service organization that, in all
material respects, and based on suitable criteria:
a. The description fairly presents the service
organization’s system as designed and implemented
as at the specified date;
b. The controls related to the control objectives stated in
the service organization’s description of its system
were suitably designed as at the specified date; and
(iii) A service auditor’s assurance report that conveys reasonable
assurance about the matters in (ii)a.-b. above.
(k) Report on the description, design and operating effectiveness of
controls at a service organization (referred to in this SAE as a “type 2
report”) – A report that comprises:
(i) The service organization’s description of its system;
(ii) A written assertion by the service organization that, in all
material respects, and based on suitable criteria:
a. The description fairly presents the service
organization’s system as designed and implemented
throughout the specified period;
b. The controls related to the control objectives stated in
the service organization’s description of its system
were suitably designed throughout the specified
period; and
c. The controls related to the control objectives stated in
the service organization’s description of its system
operated effectively throughout the specified period;
and
(iii) A service auditor’s assurance report that:
a. Conveys reasonable assurance about the matters in
(ii)a.-c. above; and
b. Includes a description of the tests of controls and the
results thereof.
(l) Service auditor – A professional accountant in public practice who, at
the request of the service organization, provides an assurance report on
controls at a service organization.
(m) Service organization – A third-party organization (or segment of a third-
party organization) that provides services to user entities that are likely
to be relevant to user entities’ internal control as it relates to financial
reporting.
(n) Service organization’s system (or the system) – The policies and
procedures designed and implemented by the service organization to
provide user entities with the services covered by the service auditor’s
assurance report. The service organization’s description of its system
includes identification of: the services covered; the period, or in the case
of a type 1 report, the date, to which the description relates; control
objectives; and related controls.
(o) Service organization’s assertion – The written assertion about the
matters referred to in paragraph 9(k)(ii) (or paragraph 9(j)(ii) in the case
of a type 1 report).
(p) Subservice organization – A service organization used by another
service organization to perform some of the services provided to user
entities that are likely to be relevant to user entities’ internal control as it
relates to financial reporting.
(q) Test of controls – A procedure designed to evaluate the operating
effectiveness of controls in achieving the control objectives stated in the
service organization’s description of its system.
(r) User auditor – An auditor who audits and reports on the financial
statements of a user entity[6].
(s) User entity – An entity that uses a service organization.
Requirements
Framework for Assurance Engagements
10. The service auditor shall not represent compliance with this SAE unless
the service auditor has complied with the requirements of this SAE and the
requirements of the Framework for Assurance Engagements.
Ethical Requirements
11. The service auditor shall comply with relevant ethical requirements,
including those pertaining to independence, relating to assurance engagements.
(Ref: Para. A5)
Management and Those Charged with Governance
12. Where this SAE requires the service auditor to inquire of, request
representations from, communicate with, or otherwise interact with the service
organization, the service auditor shall determine the appropriate person(s) within
the service organization’s management or governance structure with whom to
interact. This shall include consideration of which person(s) have the appropriate
responsibilities for and knowledge of the matters concerned. (Ref: Para. A6)
Acceptance and Continuance
13. Before agreeing to accept, or continue, an engagement the service
auditor shall:
(a) Determine whether:
(i) The service auditor has the capabilities and competence to perform
the engagement; (Ref: Para. A7)
(ii) The criteria to be applied by the service organization to prepare the
description of its system will be suitable and available to user entities
and their auditors; and
(iii) The scope of the engagement and the service organization’s
description of its system will not be so limited that they are unlikely to
be useful to user entities and their auditors.
[6] In the case of a subservice organization, the service auditor of a service organization that uses
the services of the subservice organization is also a user auditor.
(b) Obtain the agreement of the service organization that it acknowledges and
understands its responsibility:
(i) For the preparation of the description of its system, and
accompanying service organization’s assertion, including the
completeness, accuracy and method of presentation of that
description and assertion; (Ref: Para. A8)
(ii) To have a reasonable basis for the service organization’s assertion
accompanying the description of its system; (Ref: Para. A9)
(iii) For stating in the service organization’s assertion the criteria it used to
prepare the description of its system;
(iv) For stating in the description of its system:
a. The control objectives; and
b. Where they are specified by law or regulation, or another party
(for example, a user group or a professional body), the party
who specified them;
(v) For identifying the risks that threaten achievement of the control
objectives stated in the description of its system, and designing and
implementing controls to provide reasonable assurance that those
risks will not prevent achievement of the control objectives stated in
the description of its system, and therefore that the stated control
objectives will be achieved; and (Ref: Para. A10)
(vi) To provide the service auditor with:
a. Access to all information, such as records, documentation and
other matters, including service level agreements, of which the
service organization is aware that is relevant to the description of
the service organization’s system and the accompanying service
organization’s assertion;
b. Additional information that the service auditor may request from
the service organization for the purpose of the assurance
engagement; and
c. Unrestricted access to persons within the service organization
from whom the service auditor determines it necessary to obtain
evidence.
Acceptance of a Change in the Terms of the Engagement
14. If the service organization requests a change in the scope of the
engagement before the completion of the engagement, the service auditor shall
be satisfied that there is a reasonable justification for the change. (Ref: Para.
A11-A12)
Assessing the Suitability of the Criteria
15. As required by the Framework for Assurance Engagements, the service
auditor shall assess whether the service organization has used suitable criteria in
preparing the description of its system, in evaluating whether controls are
suitably designed, and, in the case of a type 2 report, in evaluating whether
controls are operating effectively[7].
16. In assessing the suitability of the criteria to evaluate the service
organization’s description of its system, the service auditor shall determine if the
criteria encompass, at a minimum:
(a) Whether the description presents how the service organization’s system
was designed and implemented, including, as appropriate:
(i) The types of services provided, including, as appropriate, classes of
transactions processed;
(ii) The procedures, within both information technology and manual
systems, by which services are provided, including, as appropriate,
procedures by which transactions are initiated, recorded, processed,
corrected as necessary, and transferred to the reports and other
information prepared for user entities;
(iii) The related records and supporting information, including, as
appropriate, accounting records, supporting information and specific
accounts that are used to initiate, record, process and report
transactions; this includes the correction of incorrect information and
how information is transferred to the reports and other information
prepared for user entities;
(iv) How the service organization’s system deals with significant events
and conditions, other than transactions;
(v) The process used to prepare reports and other information for user
entities;
(vi) The specified control objectives and controls designed to achieve
those objectives;
(vii) Complementary user entity controls contemplated in the design of the
controls; and
[7] Framework for Assurance Engagements, paragraphs 33-36.
(viii) Other aspects of the service organization’s control environment, risk
assessment process, information system (including the related
business processes) and communication, control activities and
monitoring controls that are relevant to the services provided.
(b) In the case of a type 2 report, whether the description includes relevant
details of changes to the service organization’s system during the period
covered by the description.
(c) Whether the description omits or distorts information relevant to the scope
of the service organization’s system being described, while acknowledging
that the description is prepared to meet the common needs of a broad
range of user entities and their auditors and may not, therefore, include
every aspect of the service organization’s system that each individual user
entity and its auditor may consider important in its particular environment.
17. In assessing the suitability of the criteria to evaluate the design of
controls, the service auditor shall determine if the criteria encompass, at a
minimum, whether:
(a) The service organization has identified the risks that threaten achievement
of the control objectives stated in the description of its system; and
(b) The controls identified in that description would, if operated as described,
provide reasonable assurance that those risks do not prevent the stated
control objectives from being achieved.
18. In assessing the suitability of the criteria to evaluate the operating
effectiveness of controls in providing reasonable assurance that the stated
control objectives identified in the description will be achieved, the service auditor
shall determine if the criteria encompass, at a minimum, whether the controls
were consistently applied as designed throughout the specified period. This
includes whether manual controls were applied by individuals who have the
appropriate competence and authority. (Ref: Para. A13-A15)
Materiality
19. When planning and performing the engagement, the service auditor
shall consider materiality with respect to the fair presentation of the description,
the suitability of the design of controls and, in the case of a type 2 report, the
operating effectiveness of controls. (Ref: Para. A16-A18)
Obtaining an Understanding of the Service Organization’s System
20. The service auditor shall obtain an understanding of the service
organization’s system, including controls that are included in the scope of the
engagement. (Ref: Para. A19-A20)
Obtaining Evidence Regarding the Description
21. The service auditor shall obtain and read the service organization’s
description of its system, and shall evaluate whether those aspects of the
description included in the scope of the engagement are fairly presented,
including whether: (Ref: Para. A21-A22)
(a) Control objectives stated in the service organization’s description of its
system are reasonable in the circumstances; (Ref: Para. A23)
(b) Controls identified in that description were implemented;
(c) Complementary user entity controls, if any, are adequately described; and
(d) Services performed by a subservice organization, if any, are adequately
described, including whether the inclusive method or the carve-out method
has been used in relation to them.
22. The service auditor shall determine, through other procedures in
combination with inquiries, whether the service organization’s system has been
implemented. Those other procedures shall include observation, and inspection
of records and other documentation, of the manner in which the service
organization’s system operates and controls are applied. (Ref: Para. A24)
Obtaining Evidence Regarding Design of Controls
23. The service auditor shall determine which of the controls at the service
organization are necessary to achieve the control objectives stated in the service
organization’s description of its system, and shall assess whether those controls
were suitably designed. This determination shall include: (Ref: Para. A25-A27)
(a) Identifying the risks that threaten the achievement of the control objectives
stated in the service organization’s description of its system; and
(b) Evaluating the linkage of controls identified in the service organization’s
description of its system with those risks.
Obtaining Evidence Regarding Operating Effectiveness of Controls
24. When providing a type 2 report, the service auditor shall test those
controls that the service auditor has determined are necessary to achieve the
control objectives stated in the service organization’s description of its system,
and assess their operating effectiveness throughout the period. Evidence
obtained in prior engagements about the satisfactory operation of controls in
prior periods does not provide a basis for a reduction in testing, even if it is
supplemented with evidence obtained during the current period. (Ref: Para. A28-
A32)
25. When designing and performing tests of controls, the service auditor
shall:
(a) Perform other procedures in combination with inquiry to obtain evidence
about:
(i) How the control was applied;
(ii) The consistency with which the control was applied; and
(iii) By whom or by what means the control was applied;
(b) Determine whether controls to be tested depend upon other controls
(indirect controls) and, if so, whether it is necessary to obtain evidence
supporting the operating effectiveness of those indirect controls; and (Ref:
Para. A33-A34)
(c) Determine means of selecting items for testing that are effective in meeting
the objectives of the procedure. (Ref: Para. A35-A36)
26. When determining the extent of tests of controls, the service auditor
shall consider matters including the characteristics of the population to be tested,
which includes the nature of controls, the frequency of their application (for
example, monthly, daily, a number of times per day), and the expected rate of
deviation.
Sampling
27. When the service auditor uses sampling, the service auditor shall: (Ref:
Para. A35-A36)
(a) Consider the purpose of the procedure and the characteristics of the
population from which the sample will be drawn when designing the
sample;
(b) Determine a sample size sufficient to reduce sampling risk to an
appropriately low level;
(c) Select items for the sample in such a way that each sampling unit in the
population has a chance of selection;
(d) If a designed procedure is not applicable to a selected item, perform the
procedure on a replacement item; and
(e) If unable to apply the designed procedures, or suitable alternative
procedures, to a selected item, treat that item as a deviation.
Nature and Cause of Deviations
28. The service auditor shall investigate the nature and cause of any
deviations identified and shall determine whether:
(a) Identified deviations are within the expected rate of deviation and are
acceptable; therefore, the testing that has been performed provides an
appropriate basis for concluding that the control is operating effectively
throughout the specified period;
(b) Additional testing of the control or of other controls is necessary to reach a
conclusion on whether the controls relative to a particular control objective
are operating effectively throughout the specified period; or (Ref: Para.
A25)
(c) The testing that has been performed provides an appropriate basis for
concluding that the control did not operate effectively throughout the
specified period.
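The sampling steps in paragraph 27 and the evaluation of deviations in paragraph 28, worked through in Python as an added example; it is not part of SAE 3402 or of any ICAI material. The statistical model (a zero-expected-deviation attribute sampling plan under a binomial approximation, with a one-sided upper deviation limit at 95 per cent confidence), the 5 per cent tolerable deviation rate, the function names and the reconciliation population are assumptions chosen for illustration; the standard itself does not prescribe any particular sampling method.

```python
# Added illustration of the attribute-sampling steps in paragraphs 27-28.
# Not part of SAE 3402; the statistical model (binomial, zero expected
# deviations, one-sided upper limit) and the population are assumptions.
import math
import random


def attribute_sample_size(tolerable_rate: float, confidence: float = 0.95) -> int:
    """Sample size for a zero-expected-deviation attribute plan (para 27(b)).

    Smallest n such that, if the true deviation rate were the tolerable rate,
    the probability of seeing no deviation in n units is at most 1 - confidence.
    The population is treated as large (binomial model).
    """
    if not (0 < tolerable_rate < 1 and 0 < confidence < 1):
        raise ValueError("tolerable_rate and confidence must be strictly between 0 and 1")
    return math.ceil(math.log(1 - confidence) / math.log(1 - tolerable_rate))


def select_sample(population, n, seed, is_applicable):
    """Random selection so that every unit has a chance of selection (para 27(c)).

    Units to which the designed procedure cannot apply (e.g. a voided batch)
    are replaced by the next unit in random order (para 27(d)).
    Returns (selected, replaced).
    """
    order = list(population)
    random.Random(seed).shuffle(order)
    selected, replaced = [], []
    for unit in order:
        if len(selected) == n:
            break
        (selected if is_applicable(unit) else replaced).append(unit)
    if len(selected) < n:
        raise ValueError("not enough applicable units for the planned sample size")
    return selected, replaced


def _binomial_cdf(k, n, p):
    return sum(math.comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def upper_deviation_limit(n, deviations, confidence=0.95):
    """One-sided upper bound on the population deviation rate.

    Largest rate p for which observing at most `deviations` in n units still
    has probability >= 1 - confidence; found by bisection on the binomial CDF.
    """
    lo, hi = 0.0, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if _binomial_cdf(deviations, n, mid) > 1 - confidence:
            lo = mid
        else:
            hi = mid
    return hi


def evaluate_sample(outcomes, tolerable_rate, confidence=0.95):
    """Apply paragraphs 27(e) and 28 to the results of a test of controls.

    outcomes maps unit -> "operated", "deviation" or "unable_to_test"; a unit
    that could not be tested by the designed or alternative procedures counts
    as a deviation (para 27(e)).
    """
    n = len(outcomes)
    deviations = sum(1 for o in outcomes.values() if o != "operated")
    limit = upper_deviation_limit(n, deviations, confidence)
    supports = limit <= tolerable_rate
    return {
        "tested": n,
        "deviations": deviations,
        "upper_deviation_limit": limit,
        # para 28(a): the evidence supports operating effectiveness; otherwise
        # extend testing (28(b)) or conclude the control was ineffective (28(c)).
        "para_28": "a" if supports else "b_or_c",
    }


if __name__ == "__main__":
    # Constructed population: 240 monthly reconciliation sign-offs over the
    # period, three of which were voided and cannot be tested.
    population = [f"RECON-{i:03d}" for i in range(1, 241)]
    voided = {"RECON-007", "RECON-101", "RECON-180"}
    n = attribute_sample_size(tolerable_rate=0.05)  # 59 for 5% at 95% confidence
    chosen, replaced = select_sample(population, n, seed=2011,
                                     is_applicable=lambda u: u not in voided)
    outcomes = {u: "operated" for u in chosen}
    outcomes[chosen[3]] = "unable_to_test"  # one sign-off has no supporting evidence
    print(n, len(replaced), evaluate_sample(outcomes, tolerable_rate=0.05))
```

With no deviations in 59 units the computed upper deviation limit is just under 5 per cent, so the sample supports the conclusion in paragraph 28(a); a single untestable unit pushes the limit to roughly 8 per cent, and the auditor is back at paragraph 28(b) or (c). Rather than testing for a count of zero, the block computes the achieved upper limit, so the same evaluation also works when the plan expects some deviations.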
29. In the extremely rare circumstances when the service auditor considers
a deviation discovered in a sample to be an anomaly and no other controls have
been identified that allow the service auditor to conclude that the relevant control
objective is operating effectively throughout the specified period, the service
auditor shall obtain a high degree of certainty that such deviation is not
representative of the population. The service auditor shall obtain this degree of
certainty by performing additional procedures to obtain sufficient appropriate
evidence that the deviation does not affect the remainder of the population.
The Work of an Internal Audit Function[8]
Obtaining an Understanding of the Internal Audit Function
30. If the service organization has an internal audit function, the service
auditor shall obtain an understanding of the nature of the responsibilities of the
internal audit function and of the activities performed in order to determine
whether the internal audit function is likely to be relevant to the engagement.
(Ref: Para. A37)
Determining Whether and to What Extent to Use the Work of the Internal
Auditors
31. The service auditor shall determine:
(a) Whether the work of the internal auditors is likely to be adequate for
purposes of the engagement; and
(b) If so, the planned effect of the work of the internal auditors on the nature,
timing or extent of the service auditor’s procedures.
32. In determining whether the work of the internal auditors is likely to be
adequate for purposes of the engagement, the service auditor shall evaluate:
[8] This SAE does not deal with instances when individual internal auditors provide direct assistance
to the service auditor in carrying out audit procedures.
(a) The objectivity of the internal audit function;
(b) The technical competence of the internal auditors;
(c) Whether the work of the internal auditors is likely to be carried out with due
professional care; and
(d) Whether there is likely to be effective communication between the internal
auditors and the service auditor.
33. In determining the planned effect of the work of the internal auditors on
the nature, timing or extent of the service auditor’s procedures, the service
auditor shall consider: (Ref: Para. A38)
(a) The nature and scope of specific work performed, or to be performed, by
the internal auditors;
(b) The significance of that work to the service auditor’s conclusions; and
(c) The degree of subjectivity involved in the evaluation of the evidence
gathered in support of those conclusions.
Using the Work of the Internal Audit Function
34. In order for the service auditor to use specific work of the internal
auditors, the service auditor shall evaluate and perform procedures on that work
to determine its adequacy for the service auditor’s purposes. (Ref: Para. A39)
35. To determine the adequacy of specific work performed by the internal
auditors for the service auditor’s purposes, the service auditor shall evaluate
whether:
(a) The work was performed by internal auditors having adequate technical
training and proficiency;
(b) The work was properly supervised, reviewed and documented;
(c) Adequate evidence has been obtained to enable the internal auditors to
draw reasonable conclusions;
(d) Conclusions reached are appropriate in the circumstances and any reports
prepared by the internal auditors are consistent with the results of the work
performed; and
(e) Exceptions relevant to the engagement or unusual matters disclosed by the
internal auditors are properly resolved.
Effect on the Service Auditor’s Assurance Report
36. If the work of the internal audit function has been used, the service
auditor shall make no reference to that work in the section of the service auditor’s
assurance report that contains the service auditor’s opinion. (Ref: Para. A40)
37. In the case of a type 2 report, if the work of the internal audit function
has been used in performing tests of controls, that part of the service auditor’s
assurance report that describes the service auditor’s tests of controls and the
results thereof shall include a description of the internal auditor’s work and of the
service auditor’s procedures with respect to that work. (Ref: Para. A41)
Written Representations
38. The service auditor shall request the service organization to provide
written representations: (Ref: Para. A42)
(a) That reaffirm the assertion accompanying the description of the system;
(b) That it has provided the service auditor with all relevant information and
access agreed to;9 and
(c) That it has disclosed to the service auditor any of the following of which it is
aware:
(i) Non-compliance with laws and regulations, fraud, or uncorrected
deviations attributable to the service organization that may affect one
or more user entities;
(ii) Design deficiencies in controls;
(iii) Instances where controls have not operated as described; and
(iv) Any events subsequent to the period covered by the service
organization’s description of its system up to the date of the service
auditor’s assurance report that could have a significant effect on the
service auditor’s assurance report.
39. The written representations shall be in the form of a representation
letter addressed to the service auditor. The date of the written representations
shall be as near as practicable to, but not after, the date of the service auditor’s
assurance report.
40. If, having discussed the matter with the service auditor, the service
organization does not provide one or more of the written representations
requested in accordance with paragraph 38(a) and (b) of this SAE, the service
auditor shall disclaim an opinion. (Ref: Para. A43)
9 Paragraph 13(b)(vi) of this SAE.
Other Information
41. The service auditor shall read the other information, if any, included in a
document containing the service organization’s description of its system and the
service auditor’s assurance report, to identify material inconsistencies, if any,
with that description. While reading the other information for the purpose of
identifying material inconsistencies, the service auditor may become aware of an
apparent misstatement of fact in that other information.
42. If the service auditor becomes aware of a material inconsistency or an
apparent misstatement of fact in the other information, the service auditor shall
discuss the matter with the service organization. If the service auditor concludes
that there is a material inconsistency or a misstatement of fact in the other
information that the service organization refuses to correct, the service auditor
shall take further appropriate action. (Ref: Para. A44-A45)
Subsequent Events
43. The service auditor shall inquire whether the service organization is
aware of any events subsequent to the period covered by the service
organization’s description of its system up to the date of the service auditor’s
assurance report that could have a significant effect on the service auditor’s
assurance report. If the service auditor is aware of such an event, and
information about that event is not disclosed by the service organization, the
service auditor shall disclose it in the service auditor’s assurance report.
44. The service auditor has no obligation to perform any procedures
regarding the description of the service organization’s system, or the suitability of
design or operating effectiveness of controls, after the date of the service
auditor’s assurance report.
Documentation
45. The service auditor shall prepare documentation that is sufficient to
enable an experienced service auditor, having no previous connection with the
engagement, to understand:
(a) The nature, timing, and extent of the procedures performed to comply with
this SAE and applicable legal and regulatory requirements;
(b) The results of the procedures performed, and the evidence obtained; and
(c) Significant matters arising during the engagement, and the conclusions
reached thereon and significant professional judgments made in reaching
those conclusions.
46. In documenting the nature, timing and extent of procedures performed,
the service auditor shall record:
(a) The identifying characteristics of the specific items or matters being tested;
(b) Who performed the work and the date such work was completed; and
(c) Who reviewed the work performed and the date and extent of such review.
47. If the service auditor uses specific work of the internal auditors, the
service auditor shall document the conclusions reached regarding the evaluation
of the adequacy of the work of the internal auditors, and the procedures
performed by the service auditor on that work.
48. The service auditor shall document discussions of significant matters
with the service organization and others including the nature of the significant
matters discussed and when and with whom the discussions took place.
49. If the service auditor has identified information that is inconsistent with
the service auditor’s final conclusion regarding a significant matter, the service
auditor shall document how the service auditor addressed the inconsistency.
50. The service auditor shall assemble the documentation in an
engagement file and complete the administrative process of assembling the final
engagement file on a timely basis after the date of the service auditor’s
assurance report10.
10 Standard on Quality Control (SQC) 1, paragraphs 74-76, provide further guidance.
51. After the assembly of the final engagement file has been completed, the
service auditor shall not delete or discard documentation before the end of its
retention period. (Ref: Para. A46)
52. If the service auditor finds it necessary to modify existing engagement
documentation or add new documentation after the assembly of the final
engagement file has been completed and that documentation does not affect the
service auditor’s report, the service auditor shall, regardless of the nature of the
modifications or additions, document:
(a) The specific reasons for making them; and
(b) When and by whom they were made and reviewed.
Preparing the Service Auditor’s Assurance Report
Content of the Service Auditor’s Assurance Report
53. The service auditor’s assurance report shall include the following basic
elements: (Ref: Para. A47)
(a) A title that clearly indicates the report is an independent service auditor’s
assurance report.
(b) An addressee.
(c) Identification of:
(i) The service organization’s description of its system, and the service
organization’s assertion, which includes the matters described in
paragraph 9(k)(ii) for a type 2 report, or paragraph 9(j)(ii) for a type 1
report.
(ii) Those parts of the service organization’s description of its system, if
any, that are not covered by the service auditor’s opinion.
(iii) If the description refers to the need for complementary user entity
controls, a statement that the service auditor has not evaluated the
suitability of design or operating effectiveness of complementary user
entity controls, and that the control objectives stated in the service
organization’s description of its system can be achieved only if
complementary user entity controls are suitably designed or operating
effectively, along with the controls at the service organization.
(iv) If services are performed by a subservice organization, the nature of
activities performed by the subservice organization as described in
the service organization’s description of its system and whether the
inclusive method or the carve-out method has been used in relation to
them. Where the carve-out method has been used, a statement that
the service organization’s description of its system excludes the
control objectives and related controls at relevant subservice
organizations, and that the service auditor’s procedures do not extend
to controls at the subservice organization. Where the inclusive method
has been used, a statement that the service organization’s description
of its system includes control objectives and related controls at the
subservice organization, and that the service auditor’s procedures
extended to controls at the subservice organization.
(d) Identification of the criteria, and the party specifying the control objectives.
(e) A statement that the report and, in the case of a type 2 report, the
description of tests of controls are intended only for user entities and their
auditors, who have a sufficient understanding to consider it, along with
other information including information about controls operated by user
entities themselves, when assessing the risks of material misstatements of
user entities’ financial statements. (Ref: Para. A48)
(f) A statement that the service organization is responsible for:
(i) Preparing the description of its system, and the accompanying
assertion, including the completeness, accuracy and method of
presentation of that description and that assertion;
(ii) Providing the services covered by the service organization’s
description of its system;
(iii) Stating the control objectives (where not identified by law or
regulation, or another party, for example, a user group or a
professional body); and
(iv) Designing and implementing controls to achieve the control objectives
stated in the service organization’s description of its system.
(g) A statement that the service auditor’s responsibility is to express an opinion
on the service organization’s description, on the design of controls related
to the control objectives stated in that description and, in the case of a type
2 report, on the operating effectiveness of those controls, based on the
service auditor’s procedures.
(h) A statement that the engagement was performed in accordance with SAE
3402, “Assurance Reports on Controls at a Service Organization,” which
requires that the service auditor comply with ethical requirements and plan
and perform procedures to obtain reasonable assurance about whether, in
all material respects, the service organization’s description of its system is
fairly presented and the controls are suitably designed and, in the case of a
type 2 report, are operating effectively.
(i) A summary of the service auditor’s procedures to obtain reasonable
assurance and a statement of the service auditor’s belief that the evidence
obtained is sufficient and appropriate to provide a basis for the service
auditor’s opinion, and, in the case of a type 1 report, a statement that the
service auditor has not performed any procedures regarding the operating
effectiveness of controls and therefore no opinion is expressed thereon.
(j) A statement of the limitations of controls and, in the case of a type 2 report,
of the risk of projecting to future periods any evaluation of the operating
effectiveness of controls.
(k) The service auditor’s opinion, expressed in the positive form, on whether, in
all material respects, based on suitable criteria:
(i) In the case of a type 2 report:
a. The description fairly presents the service organization’s system
that had been designed and implemented throughout the
specified period;
b. The controls related to the control objectives stated in the
service organization’s description of its system were suitably
designed throughout the specified period; and
c. The controls tested, which were those necessary to provide
reasonable assurance that the control objectives stated in the
description were achieved, operated effectively throughout the
specified period.
(ii) In the case of a type 1 report:
a. The description fairly presents the service organization’s system
that had been designed and implemented as at the specified
date; and
b. The controls related to the control objectives stated in the
service organization’s description of its system were suitably
designed as at the specified date.
(l) The date of the service auditor’s assurance report, which shall be no earlier
than the date on which the service auditor has obtained sufficient
appropriate evidence on which to base the opinion.
(m) Practitioner’s signature: the report should be signed by the practitioner
in his personal name. Where a firm is appointed, the report should be
signed in the personal name of the engagement partner and in the name
of the firm. The partner/proprietor signing the assurance report also
needs to mention the membership number assigned by the Institute of
Chartered Accountants of India (the Institute). If a
partnership/proprietorship firm is appointed, the registration number of
the firm, as may be allotted by the Institute, also needs to be mentioned
in the assurance reports signed by them.
(n) Place of signature: the report should name a specific location, which
is ordinarily the city where the report is signed.
54. In the case of a type 2 report, the service auditor’s assurance report
shall include a separate section after the opinion, or an attachment, that
describes the tests of controls that were performed and the results of those tests.
In describing the tests of controls, the service auditor shall clearly state which
controls were tested, identify whether the items tested represent all or a selection
of the items in the population, and indicate the nature of the tests in sufficient
detail to enable user auditors to determine the effect of such tests on their risk
assessments. If deviations have been identified, the service auditor shall include
the extent of testing performed that led to identification of the deviations
(including the sample size where sampling has been used), and the number and
nature of the deviations noted. The service auditor shall report deviations even if,
on the basis of tests performed, the service auditor has concluded that the
related control objective was achieved. (Ref: Para. A18 and A49)
Modified Opinions
55. If the service auditor concludes that: (Ref: Para. A50-A52)
(a) The service organization’s description does not fairly present, in all material
respects, the system as designed and implemented;
(b) The controls related to the control objectives stated in the description were
not suitably designed, in all material respects;
(c) In the case of a type 2 report, the controls tested, which were those
necessary to provide reasonable assurance that the control objectives
stated in the service organization’s description of its system were achieved,
did not operate effectively, in all material respects; or
(d) The service auditor is unable to obtain sufficient appropriate evidence, the
service auditor’s opinion shall be modified, and the service auditor’s
assurance report shall contain a clear description of all the reasons for the
modification.
Other Communication Responsibilities
56. If the service auditor becomes aware of non-compliance with laws and
regulations, fraud, or uncorrected errors attributable to the service organization
that are not clearly trivial and may affect one or more user entities, the service
auditor shall determine whether the matter has been communicated
appropriately to affected user entities. If the matter has not been so
communicated and the service organization is unwilling to do so, the service
auditor shall take appropriate action. (Ref: Para. A53)
***
Application and Other Explanatory Material
Scope of this SAE (Ref: Para. 1 and 3)
A1. Internal control is a process designed to provide reasonable assurance
regarding the achievement of objectives related to the reliability of financial
reporting, effectiveness and efficiency of operations and compliance with
applicable laws and regulations. Controls related to a service organization’s
operations and compliance objectives may be relevant to a user entity’s internal
control as it relates to financial reporting. Such controls may pertain to assertions
about presentation and disclosure relating to account balances, classes of
transactions or disclosures, or may pertain to evidence that the user auditor
evaluates or uses in applying auditing procedures. For example, a payroll
processing service organization’s controls related to the timely remittance of
payroll deductions to government authorities may be relevant to a user entity as
late remittances could incur interest and penalties that would result in a liability
for the user entity. Similarly, a service organization’s controls over the
acceptability of investment transactions from a regulatory perspective may be
considered relevant to a user entity’s presentation and disclosure of transactions
and account balances in its financial statements. The determination of whether
controls at a service organization related to operations and compliance are likely
to be relevant to user entities’ internal control as it relates to financial reporting is
a matter of professional judgment, having regard to the control objectives set by
the service organization and the suitability of the criteria.
A2. The service organization may not be able to assert that the system is
suitably designed when, for example, the service organization is operating a
system that has been designed by a user entity or is stipulated in a contract
between a user entity and the service organization. Because of the inextricable
link between the suitable design of controls and their operating effectiveness, the
absence of an assertion with respect to the suitability of design will likely
preclude the service auditor from concluding that the controls provide reasonable
assurance that the control objectives have been met and thus from opining on
the operating effectiveness of controls. As an alternative, the practitioner may
choose to accept an agreed-upon procedures engagement to perform tests of
controls, or an assurance engagement to conclude on whether, based on tests of
controls, the controls have operated as described.
Definitions (Ref: Para. 9(d) and 9(g))
A3. The definition of “controls at the service organization” includes aspects
of user entities’ information systems maintained by the service organization, and
may also include aspects of one or more of the other components of internal
control at a service organization. For example, it may include aspects of a
service organization’s control environment, monitoring, and control activities
when they relate to the services provided. It does not, however, include controls
at a service organization that are not related to the achievement of the control
objectives stated in the service organization’s description of its system, for
example, controls related to the preparation of the service organization’s own
financial statements.
A4. When the inclusive method is used, the requirements in this SAE also
apply to the services provided by the subservice organization, including obtaining
agreement regarding the matters in paragraph 13(b)(i)-(v) as applied to the
subservice organization rather than the service organization. Performing
procedures at the subservice organization entails coordination and
communication between the service organization, the subservice organization,
and the service auditor. The inclusive method generally is feasible only if the
service organization and the subservice organization are related, or if the
contract between the service organization and the subservice organization
provides for its use.
Ethical Requirements (Ref: Para. 11)
A5. The service auditor is subject to relevant independence requirements,
which ordinarily comprise the Code of Ethics of the Institute. In performing an
engagement in accordance with this SAE, the Code of Ethics of the ICAI does
not require the service auditor to be independent from each user entity.
Management and Those Charged with Governance (Ref: Para. 12)
A6. Management and governance structures vary by jurisdiction and by
entity, reflecting influences such as different cultural and legal backgrounds, and
size and ownership characteristics. Such diversity means that it is not possible
for this SAE to specify for all engagements the person(s) with whom the service
auditor is to interact regarding particular matters. For example, the service
organization may be a segment of a third-party organization and not a separate
legal entity. In such cases, identifying the appropriate management personnel or
those charged with governance from whom to request written representations
may require the exercise of professional judgment.
Acceptance and Continuance
Capabilities and Competence to Perform the Engagement (Ref: Para.
13(a)(i))
A7. Relevant capabilities and competence to perform the engagement
include matters such as the following:
Knowledge of the relevant industry;
An understanding of information technology and systems;
Experience in evaluating risks as they relate to the suitable design of
controls; and
Experience in the design and execution of tests of controls and the
evaluation of the results.
Service Organization’s Assertion (Ref: Para. 13(b)(i))
A8. Refusal, by a service organization, to provide a written assertion,
subsequent to an agreement by the service auditor to accept, or continue, an
engagement, represents a scope limitation that causes the service auditor to
withdraw from the engagement. If law or regulation does not allow the service
auditor to withdraw from the engagement, the service auditor disclaims an
opinion.
Reasonable Basis for Service Organization’s Assertion (Ref: Para. 13(b)(ii))
A9. In the case of a type 2 report, the service organization’s assertion
includes a statement that the controls related to the control objectives stated in
the service organization’s description of its system operated effectively
throughout the specified period. This assertion may be based on the service
organization’s monitoring activities. Monitoring of controls is a process to assess
the effectiveness of controls over time. It involves assessing the effectiveness of
controls on a timely basis, identifying and reporting deficiencies to appropriate
individuals within the service organization, and taking necessary corrective
actions. The service organization accomplishes monitoring of controls through
ongoing activities, separate evaluations, or a combination of both. The greater
the degree and effectiveness of ongoing monitoring activities, the less need for
separate evaluations. Ongoing monitoring activities are often built into the normal
recurring activities of a service organization and include regular management
and supervisory activities. Internal auditors or personnel performing similar
functions may contribute to the monitoring of a service organization’s activities.
Monitoring activities may also include using information communicated by
external parties, such as customer complaints and regulator comments, which
may indicate problems or highlight areas in need of improvement. The fact that
the service auditor will report on the operating effectiveness of controls is not a
substitute for the service organization’s own processes to provide a reasonable
basis for its assertion.
Identification of Risks (Ref: Para. 13(b)(v))
A10. As noted in paragraph 9(c), control objectives relate to risks that
controls seek to mitigate. For example, the risk that a transaction is recorded at
the wrong amount or in the wrong period can be expressed as a control objective
that transactions are recorded at the correct amount and in the correct period.
The service organization is responsible for identifying the risks that threaten
achievement of the control objectives stated in the description of its system. The
service organization may have a formal or informal process for identifying
relevant risks. A formal process may include estimating the significance of
identified risks, assessing the likelihood of their occurrence, and deciding about
actions to address them. However, since control objectives relate to risks that
controls seek to mitigate, thoughtful identification of control objectives when
designing and implementing the service organization’s system may itself
comprise an informal process for identifying relevant risks.
Acceptance of a Change in the Terms of the Engagement (Ref: Para. 14)
A11. A request to change the scope of the engagement may not have a
reasonable justification when, for example, the request is made to exclude
certain control objectives from the scope of the engagement because of the
likelihood that the service auditor’s opinion would be modified; or the service
organization will not provide the service auditor with a written assertion and the
request is made to perform the engagement under Framework for Assurance
Engagements.
A12. A request to change the scope of the engagement may have a
reasonable justification when, for example, the request is made to exclude from
the engagement a subservice organization when the service organization cannot
arrange for access by the service auditor, and the method used for dealing with
the services provided by that subservice organization is changed from the
inclusive method to the carve-out method.
Assessing the Suitability of the Criteria (Ref: Para. 15-18)
A13. Criteria need to be available to the intended users to allow them to
understand the basis for the service organization’s assertion about the fair
presentation of its description of the system, the suitability of the design of
controls and, in the case of a type 2 report, the operating effectiveness of the
controls related to the control objectives.
A14. Framework for Assurance Engagements requires the service auditor,
among other things, to assess the suitability of criteria, and the appropriateness
of the subject matter11. The subject matter is the underlying condition of interest
to intended users of an assurance report. The following table identifies the
subject matter and minimum criteria for each of the opinions in type 2 and type 1
reports.
Opinion about the fair presentation of the description of the service organization’s system (type 1 and type 2 reports)
Subject matter: The service organization’s system that is likely to be relevant to user entities’ internal control as it relates to financial reporting and is covered by the service auditor’s assurance report.
Criteria: The description is fairly presented if it: (a) presents how the service organization’s system was designed and implemented including, as appropriate, the matters identified in paragraph 16(a)(i)-(viii); (b) in the case of a type 2 report, includes relevant details of changes to the service organization’s system during the period covered by the description; and (c) does not omit or distort information relevant to the scope of the service organization’s system being described, while acknowledging that the description is prepared to meet the common needs of a broad range of user entities and may not, therefore, include every aspect of the service organization’s system that each individual user entity may consider important in its own particular environment.
Comment: The specific wording of the criteria for this opinion may need to be tailored to be consistent with criteria established by, for example, law or regulation, user groups, or a professional body. Examples of criteria for this opinion are provided in the illustrative service organization’s assertion in Appendix 1. Paragraphs A21-A24 offer further guidance on determining whether these criteria are met. (The subject matter information12 for this opinion is the service organization’s description of its system and the service organization’s assertion that the description is fairly presented.)

Opinion about suitability of design and operating effectiveness (type 2 reports)
Subject matter: The suitability of the design and operating effectiveness of those controls that are necessary to achieve the control objectives stated in the service organization’s description of its system.
Criteria: The controls are suitably designed and operating effectively if: (a) the service organization has identified the risks that threaten achievement of the control objectives stated in the description of its system; (b) the controls identified in that description would, if operated as described, provide reasonable assurance that those risks do not prevent the stated control objectives from being achieved; and (c) the controls were consistently applied as designed throughout the specified period. This includes whether manual controls were applied by individuals who have the appropriate competence and authority.
Comment: When the criteria for this opinion are met, controls will have provided reasonable assurance that the related control objectives were achieved throughout the specified period. (The subject matter information for this opinion is the service organization’s assertion that controls are suitably designed and that they are operating effectively.)

Opinion about suitability of design (type 1 reports)
Subject matter: The suitability of the design of those controls that are necessary to achieve the control objectives stated in the service organization’s description of its system.
Criteria: The controls are suitably designed if: (a) the service organization has identified the risks that threaten achievement of the control objectives stated in the description of its system; and (b) the controls identified in that description would, if operated as described, provide reasonable assurance that those risks do not prevent the stated control objectives from being achieved.
Comment: Meeting these criteria does not, of itself, provide any assurance that the related control objectives were achieved because no assurance has been obtained about the operation of controls. (The subject matter information for this opinion is the service organization’s assertion that controls are suitably designed.)

Comment applying to both opinions on controls (type 2 and type 1 reports): The control objectives, which are stated in the service organization’s description of its system, are part of the criteria for these opinions. The stated control objectives will differ from engagement to engagement. If, as part of forming the opinion on the description, the service auditor concludes the stated control objectives are not fairly presented, then those control objectives would not be suitable as part of the criteria for forming an opinion on either the design or operating effectiveness of controls.

11 Framework for Assurance Engagements, paragraph 16(b). Members’ attention is also drawn to
ISAE 3000, paragraphs 18-19.
12 The “subject matter information” is the outcome of the evaluation or measurement of the subject
matter.
A15. Paragraph 16(a) identifies a number of elements that are included in the
service organization’s description of its system as appropriate. These elements
may not be appropriate if the system being described is not a system that
processes transactions, for example, if the system relates to general controls
over the hosting of an IT application but not the controls embedded in the
application itself.
Materiality (Ref: Para. 19 and 54)
A16. In an engagement to report on controls at a service organization, the
concept of materiality relates to the system being reported on, not the financial
statements of user entities. The service auditor plans and performs procedures
to determine whether the service organization’s description of its system is fairly
presented in all material respects, whether controls at the service organization
are suitably designed in all material respects and, in the case of a type 2 report,
whether controls at the service organization are operating effectively in all
material respects. The concept of materiality takes into account that the service
auditor’s assurance report provides information about the service organization’s
system to meet the common information needs of a broad range of user entities
and their auditors who have an understanding of the manner in which that
system has been used.
A17. Materiality with respect to the fair presentation of the service
organization’s description of its system, and with respect to the design of
controls, includes primarily the consideration of qualitative factors, for example:
whether the description includes the significant aspects of processing significant
transactions; whether the description omits or distorts relevant information; and
the ability of controls, as designed, to provide reasonable assurance that control
objectives would be achieved. Materiality with respect to the service auditor’s
opinion on the operating effectiveness of controls includes the consideration of
both quantitative and qualitative factors, for example, the tolerable rate and
observed rate of deviation (a quantitative matter), and the nature and cause of
any observed deviation (a qualitative matter).
A18. The concept of materiality is not applied when disclosing, in the
description of the tests of controls, the results of those tests where deviations
have been identified. This is because, in the particular circumstances of a
specific user entity or user auditor, a deviation may have significance beyond
whether or not, in the opinion of the service auditor, it prevents a control from
operating effectively. For example, the control to which the deviation relates may
be particularly significant in preventing a certain type of error that may be
material in the particular circumstances of a user entity’s financial statements.
Obtaining an Understanding of the Service Organization’s System
(Ref: Para. 20)
A19. Obtaining an understanding of the service organization’s system,
including controls, included in the scope of the engagement, assists the service
auditor in:
• Identifying the boundaries of that system, and how it interfaces with other
systems.
• Assessing whether the service organization’s description fairly presents the
system that has been designed and implemented.
• Determining which controls are necessary to achieve the control objectives
stated in the service organization’s description of its system.
• Assessing whether controls were suitably designed.
• Assessing, in the case of a type 2 report, whether controls were operating
effectively.
A20. The service auditor’s procedures to obtain this understanding may
include:
• Inquiring of those within the service organization who, in the service
auditor’s judgment, may have relevant information.
• Observing operations and inspecting documents, reports, printed and
electronic records of transaction processing.
• Inspecting a selection of agreements between the service organization and
user entities to identify their common terms.
• Reperforming control procedures.
Obtaining Evidence Regarding the Description (Ref: Para. 21-22)
A21. Considering the following questions may assist the service auditor in
determining whether those aspects of the description included in the scope of the
engagement are fairly presented in all material respects:
• Does the description address the major aspects of the service provided
(within the scope of the engagement) that could reasonably be expected to
be relevant to the common needs of a broad range of user auditors in
planning their audits of user entities’ financial statements?
• Is the description prepared at a level of detail that could reasonably be
expected to provide a broad range of user auditors with sufficient
information to obtain an understanding of internal control in accordance
with SA 315 [13]? The description need not address every aspect of the
service organization’s processing or the services provided to user entities,
and need not be so detailed as to potentially allow a reader to compromise
security or other controls at the service organization.
• Is the description prepared in a manner that does not omit or distort
information that may affect the common needs of a broad range of user
auditors’ decisions, for example, does the description contain any
significant omissions or inaccuracies in processing of which the service
auditor is aware?
• Where some of the control objectives stated in the service organization’s
description of its system have been excluded from the scope of the
engagement, does the description clearly identify the excluded objectives?
• Have the controls identified in the description been implemented?
• Are complementary user entity controls, if any, described adequately? In
most cases, the description of control objectives is worded such that the
control objectives are capable of being achieved through effective operation
of controls implemented by the service organization alone. In some cases,
however, the control objectives stated in the service organization’s
description of its system cannot be achieved by the service organization
alone because their achievement requires particular controls to be
implemented by user entities. This may be the case where, for example, the
control objectives are specified by a regulatory authority. When the
description does include complementary user entity controls, the
description separately identifies those controls along with the specific
control objectives that cannot be achieved by the service organization
alone.
• If the inclusive method has been used, does the description separately
identify controls at the service organization and controls at the subservice
organization? If the carve-out method is used, does the description identify
the functions that are performed by the subservice organization? When the
carve-out method is used, the description need not describe the detailed
processing or controls at the subservice organization.
[13] SA 315, “Identifying and Assessing the Risks of Material Misstatement Through
Understanding the Entity and Its Environment”.
A22. The service auditor’s procedures to evaluate the fair presentation of the
description may include:
• Considering the nature of user entities and how the services provided by
the service organization are likely to affect them, for example, whether user
entities are from a particular industry and whether they are regulated by
government agencies.
• Reading standard contracts, or standard terms of contracts (if applicable),
with user entities to gain an understanding of the service organization’s
contractual obligations.
• Observing procedures performed by service organization personnel.
• Reviewing the service organization’s policy and procedure manuals and
other systems documentation, for example, flowcharts and narratives.
A23. Paragraph 21(a) requires the service auditor to evaluate whether the
control objectives stated in the service organization’s description of its system
are reasonable in the circumstances. Considering the following questions may
assist the service auditor in this evaluation:
• Have the stated control objectives been designated by the service
organization or by outside parties such as a regulatory authority, a user
group, or a professional body that follows a transparent due process?
• Where the stated control objectives have been specified by the service
organization, do they relate to the types of assertions commonly embodied
in the broad range of user entities’ financial statements to which controls at
the service organization could reasonably be expected to relate? Although
the service auditor ordinarily will not be able to determine how controls at a
service organization specifically relate to the assertions embodied in
individual user entities’ financial statements, the service auditor’s
understanding of the nature of the service organization’s system, including
controls, and services being provided is used to identify the types of
assertions to which those controls are likely to relate.
• Where the stated control objectives have been specified by the service
organization, are they complete? A complete set of control objectives can
provide a broad range of user auditors with a framework to assess the
effect of controls at the service organization on the assertions commonly
embodied in user entities’ financial statements.
A24. The service auditor’s procedures to determine whether the service
organization’s system has been implemented may be similar to, and performed
in conjunction with, procedures to obtain an understanding of that system. They
may also include tracing items through the service organization’s system and, in
the case of a type 2 report, specific inquiries about changes in controls that were
implemented during the period. Changes that are significant to user entities or
their auditors are included in the description of the service organization’s system.
Obtaining Evidence Regarding Design of Controls (Ref: Para. 23 and 28(b))
A25. From the viewpoint of a user entity or a user auditor, a control is suitably
designed if, individually or in combination with other controls, it would, when
complied with satisfactorily, provide reasonable assurance that material
misstatements are prevented, or detected and corrected. A service organization
or a service auditor, however, is not aware of the circumstances at individual
user entities that would determine whether or not a misstatement resulting from a
control deviation is material to those user entities. Therefore, from the viewpoint
of a service auditor, a control is suitably designed if, individually or in
combination with other controls, it would, when complied with satisfactorily,
provide reasonable assurance that control objectives stated in the service
organization’s description of its system are achieved.
A26. A service auditor may consider using flowcharts, questionnaires, or
decision tables to facilitate understanding the design of the controls.
A27. Controls may consist of a number of activities directed at the
achievement of a control objective. Consequently, if the service auditor evaluates
certain activities as being ineffective in achieving a particular control objective,
the existence of other activities may allow the service auditor to conclude that
controls related to the control objective are suitably designed.
Obtaining Evidence Regarding Operating Effectiveness of Controls
Assessing Operating Effectiveness (Ref: Para. 24)
A28. From the viewpoint of a user entity or a user auditor, a control is
operating effectively if, individually or in combination with other controls, it
provides reasonable assurance that material misstatements, whether due to
fraud or error, are prevented, or detected and corrected. A service organization
or a service auditor, however, is not aware of the circumstances at individual
user entities that would determine whether a misstatement resulting from a
control deviation had occurred and, if so, whether it is material. Therefore, from
the viewpoint of a service auditor, a control is operating effectively if, individually
or in combination with other controls, it provides reasonable assurance that
control objectives stated in the service organization’s description of its system
are achieved. Similarly, a service organization or a service auditor is not in a
position to determine whether any observed control deviation would result in a
material misstatement from the viewpoint of an individual user entity.
A29. Obtaining an understanding of controls sufficient to opine on the
suitability of their design is not sufficient evidence regarding their operating
effectiveness, unless there is some automation that provides for the consistent
operation of the controls as they were designed and implemented. For example,
obtaining information about the implementation of a manual control at a point in
time does not provide evidence about operation of the control at other times.
However, because of the inherent consistency of IT processing, performing
procedures to determine the design of an automated control, and whether it has
been implemented, may serve as evidence of that control’s operating
effectiveness, depending on the service auditor’s assessment and testing of
other controls, such as those over program changes.
A30. To be useful to user auditors, a type 2 report ordinarily covers a
minimum period of six months. If the period is less than six months, the service
auditor may consider it appropriate to describe the reasons for the shorter period
in the service auditor’s assurance report. Circumstances that may result in a
report covering a period of less than six months include when (a) the service
auditor is engaged close to the date by which the report on controls is to be
issued; (b) the service organization (or a particular system or application) has
been in operation for less than six months; or (c) significant changes have been
made to the controls and it is not practicable either to wait six months before
issuing a report or to issue a report covering the system both before and after the
changes.
A31. Certain control procedures may not leave evidence of their operation
that can be tested at a later date and, accordingly, the service auditor may find it
necessary to test the operating effectiveness of such control procedures at
various times throughout the reporting period.
A32. The service auditor provides an opinion on the operating effectiveness
of controls throughout each period; therefore, sufficient appropriate evidence
about the operation of controls during the current period is required for the
service auditor to express that opinion. Knowledge of deviations observed in
prior engagements may, however, lead the service auditor to increase the extent
of testing during the current period.
Testing of Indirect Controls (Ref: Para. 25(b))
A33. In some circumstances, it may be necessary to obtain evidence
supporting the effective operation of indirect controls. For example, when the
service auditor decides to test the effectiveness of a review of exception reports
detailing sales in excess of authorized credit limits, the review and related follow
up is the control that is directly of relevance to the service auditor. Controls over
the accuracy of the information in the reports (for example, the general IT
controls) are described as “indirect” controls.
A34. Because of the inherent consistency of IT processing, evidence about
the implementation of an automated application control, when considered in
combination with evidence about the operating effectiveness of the service
organization’s general controls (in particular, change controls), may also provide
substantial evidence about its operating effectiveness.
Means of Selecting Items for Testing (Ref: Para. 25(c) and 27)
A35. The means of selecting items for testing available to the service auditor
are:
(a) Selecting all items (100% examination). This may be appropriate for testing
controls that are applied infrequently, for example, quarterly, or when
evidence regarding application of the control makes 100% examination
efficient;
(b) Selecting specific items. This may be appropriate where 100% examination
would not be efficient and sampling would not be effective, such as testing
controls that are not applied sufficiently frequently to render a large
population for sampling, for example, controls that are applied monthly or
weekly; and
(c) Sampling. This may be appropriate for testing controls that are applied
frequently in a uniform manner and which leave documentary evidence of
their application.
A36. While selective examination of specific items will often be an efficient
means of obtaining evidence, it does not constitute sampling. The results of
procedures applied to items selected in this way cannot be projected to the entire
population; accordingly, selective examination of specific items does not provide
evidence concerning the remainder of the population. Sampling, on the other
hand, is designed to enable conclusions to be drawn about an entire population
on the basis of testing a sample drawn from it.
The Work of an Internal Audit Function
Obtaining an Understanding of the Internal Audit Function (Ref: Para. 30)
A37. An internal audit function may be responsible for providing analyses,
evaluations, assurances, recommendations, and other information to
management and those charged with governance. An internal audit function at a
service organization may perform activities related to the service organization’s
own system of internal control, or activities related to the services and systems,
including controls, that the service organization is providing to user entities.
Determining Whether and to What Extent to Use the Work of the Internal
Auditors (Ref: Para. 33)
A38. In determining the planned effect of the work of the internal auditors on
the nature, timing or extent of the service auditor’s procedures, the following
factors may suggest the need for different or less extensive procedures than
would otherwise be the case:
• The nature and scope of specific work performed, or to be performed, by
the internal auditors is quite limited.
• The work of the internal auditors relates to controls that are less significant
to the service auditor’s conclusions.
• The work performed, or to be performed, by the internal auditors does not
require subjective or complex judgments.
Using the Work of the Internal Audit Function (Ref: Para. 34)
A39. The nature, timing and extent of the service auditor’s procedures on
specific work of the internal auditors will depend on the service auditor’s
assessment of the significance of that work to the service auditor’s conclusions
(for example, the significance of the risks that the controls tested seek to
mitigate), the evaluation of the internal audit function and the evaluation of the
specific work of the internal auditors. Such procedures may include:
• Examination of items already examined by the internal auditors;
• Examination of other similar items; and
• Observation of procedures performed by the internal auditors.
Effect on the Service Auditor’s Assurance Report (Ref: Para. 36-37)
A40. Irrespective of the degree of autonomy and objectivity of the internal
audit function, such function is not independent of the service organization as is
required of the service auditor when performing the engagement. The service
auditor has sole responsibility for the opinion expressed in the service auditor’s
assurance report, and that responsibility is not reduced by the service auditor’s
use of the work of the internal auditors.
A41. The service auditor’s description of work performed by the internal audit
function may be presented in a number of ways, for example:
• By including introductory material to the description of tests of controls
indicating that certain work of the internal audit function was used in
performing tests of controls.
• Attribution of individual tests to internal audit.
Written Representations (Ref: Para. 38 and 40)
A42. The written representations required by paragraph 38 are separate
from, and in addition to, the service organization’s assertion, as defined at
paragraph 9(o).
A43. If the service organization does not provide the written representations
requested in accordance with paragraph 38(c) of this SAE, it may be appropriate
for the service auditor’s opinion to be modified in accordance with paragraph
55(d) of this SAE.
Other Information (Ref: Para. 42)
A44. The Code of Ethics of the ICAI requires that a service auditor not be
associated with information where the service auditor believes that the
information:
(a) Contains a materially false or misleading statement;
(b) Contains statements or information furnished negligently; or
(c) Omits or obscures information required to be included where such omission
or obscurity would be misleading [14].
If other information included in a document containing the service organization’s
description of its system and the service auditor’s assurance report contains
future-oriented information such as recovery or contingency plans, or plans for
modifications to the system that will address deviations identified in the service
auditor’s assurance report, or claims of a promotional nature that cannot be
reasonably substantiated, the service auditor may request that information be
removed or restated.
A45. If the service organization refuses to remove or restate the other
information, further actions that may be appropriate include, for example:
• Requesting the service organization to consult with its legal counsel as to
the appropriate course of action.
• Describing the material inconsistency or material misstatement of fact in the
assurance report.
• Withholding the assurance report until the matter is resolved.
• Withdrawing from the engagement.
Documentation (Ref: Para. 51)
A46. SQC 1 requires firms to establish policies and procedures for the timely
completion of the assembly of engagement files [15]. An appropriate time limit
within which to complete the assembly of the final engagement file is ordinarily
not more than 60 days after the date of the service auditor’s report [16].
Preparing the Service Auditor’s Assurance Report
Content of the Service Auditor’s Assurance Report (Ref: Para. 53)
A47. Illustrative examples of service auditors’ assurance reports and related
service organizations’ assertions are contained in Appendices 1 and 2.
[14] The Code of Ethics of the ICAI, paragraph 110.2.
[15] SQC 1, paragraph 74.
[16] SQC 1, paragraph 75.
Intended Users and Purposes of the Service Auditor’s Assurance Report (Ref: Para. 53(e))
A48. The criteria used for engagements to report on controls at a service
organization are relevant only for the purposes of providing information about the
service organization’s system, including controls, to those who have an
understanding of how the system has been used for financial reporting by user
entities. Accordingly, this is stated in the service auditor’s assurance report. In
addition, the service auditor may consider it appropriate to include wording that
specifically restricts distribution of the assurance report other than to intended
users, its use by others, or its use for other purposes.
Description of the Tests of Controls (Ref: Para. 54)
A49. In describing the nature of the tests of controls for a type 2 report, it
assists readers of the service auditor’s assurance report if the service auditor
includes:
• The results of all tests where deviations have been identified, even if other
controls have been identified that allow the service auditor to conclude that
the relevant control objective has been achieved or the control tested has
subsequently been removed from the service organization’s description of
its system.
• Information about causative factors for identified deviations, to the extent
the service auditor has identified such factors.
Modified Opinions (Ref: Para. 55)
A50. Illustrative examples of elements of modified service auditor’s
assurance reports are contained in Appendix 3.
A51. Even if the service auditor has expressed an adverse opinion or
disclaimed an opinion, it may be appropriate to describe in the basis for
modification paragraph the reasons for any other matters of which the service
auditor is aware that would have required a modification to the opinion, and the
effects thereof.
A52. When expressing a disclaimer of opinion because of a scope limitation,
it is not ordinarily appropriate to identify the procedures that were performed nor
include statements describing the characteristics of a service auditor’s
engagement; to do so might overshadow the disclaimer of opinion.
Other Communication Responsibilities (Ref: Para. 56)
A53. Appropriate actions to respond to the circumstances identified in
paragraph 56 may include:
• Obtaining legal advice about the consequences of different courses of
action.
• Communicating with those charged with governance of the service
organization.
• Communicating with third parties (for example, a regulator) when required
to do so.
• Modifying the service auditor’s opinion, or adding an Other Matter
paragraph.
• Withdrawing from the engagement.
Appendix 1
(Ref. Para. A47)
Example Service Organization’s Assertions
The following examples of service organization’s assertions are for guidance only
and are not intended to be exhaustive or applicable to all situations.
Example 1: Type 2 Service Organization’s Assertion
Assertion by the Service Organization
The accompanying description has been prepared for customers who have used
[the type or name of] system and their auditors who have a sufficient
understanding to consider the description, along with other information including
information about controls operated by customers themselves, when assessing
the risks of material misstatements of customers’ financial statements. [Entity’s
name] confirms that:
(a) The accompanying description at pages [bb-cc] fairly presents [the type or
name of] system for processing customers’ transactions throughout the
period [date] to [date]. The criteria used in making this assertion were that
the accompanying description:
(i) Presents how the system was designed and implemented, including:
• The types of services provided, including, as appropriate,
classes of transactions processed.
• The procedures, within both information technology and manual
systems, by which those transactions were initiated, recorded,
processed, corrected as necessary, and transferred to the
reports prepared for customers.
• The related accounting records, supporting information and
specific accounts that were used to initiate, record, process and
report transactions; this includes the correction of incorrect
information and how information was transferred to the reports
prepared for customers.
• How the system dealt with significant events and conditions,
other than transactions.
• The process used to prepare reports for customers.
• Relevant control objectives and controls designed to achieve
those objectives.
• Controls that we assumed, in the design of the system, would be
implemented by user entities, and which, if necessary to achieve
control objectives stated in the accompanying description, are
identified in the description along with the specific control
objectives that cannot be achieved by ourselves alone.
• Other aspects of our control environment, risk assessment
process, information system (including the related business
processes) and communication, control activities and monitoring
controls that were relevant to processing and reporting
customers’ transactions.
(ii) Includes relevant details of changes to the service organization’s
system during the period [date] to [date].
(iii) Does not omit or distort information relevant to the scope of the
system being described, while acknowledging that the description is
prepared to meet the common needs of a broad range of customers
and their auditors and may not, therefore, include every aspect of the
system that each individual customer may consider important in its
own particular environment.
(b) The controls related to the control objectives stated in the accompanying
description were suitably designed and operated effectively throughout the
period [date] to [date]. The criteria used in making this assertion were that:
(i) The risks that threatened achievement of the control objectives stated
in the description were identified;
(ii) The identified controls would, if operated as described, provide
reasonable assurance that those risks did not prevent the stated
control objectives from being achieved; and
(iii) The controls were consistently applied as designed, including that
manual controls were applied by individuals who have the appropriate
competence and authority, throughout the period [date] to [date].
Example 2: Type 1 Service Organization’s Assertion
The accompanying description has been prepared for customers who have used
[the type or name of] system and their auditors who have a sufficient
understanding to consider the description, along with other information including
information about controls operated by customers themselves, when obtaining
an understanding of customers’ information systems relevant to financial
reporting. [Entity’s name] confirms that:
(a) The accompanying description at pages [bb-cc] fairly presents [the type or
name of] system for processing customers’ transactions as at [date]. The
criteria used in making this assertion were that the accompanying
description:
(i) Presents how the system was designed and implemented, including:
• The types of services provided, including, as appropriate,
classes of transactions processed.
• The procedures, within both information technology and manual
systems, by which those transactions were initiated, recorded,
processed, corrected as necessary, and transferred to the
reports prepared for customers.
• The related accounting records, supporting information and
specific accounts that were used to initiate, record, process and
report transactions; this includes the correction of incorrect
information and how information is transferred to the reports
prepared for customers.
• How the system dealt with significant events and conditions,
other than transactions.
• The process used to prepare reports for customers.
• Relevant control objectives and controls designed to achieve
those objectives.
• Controls that we assumed, in the design of the system, would be
implemented by user entities, and which, if necessary to achieve
control objectives stated in the accompanying description, are
identified in the description along with the specific control
objectives that cannot be achieved by ourselves alone.
• Other aspects of our control environment, risk assessment
process, information system (including the related business
processes) and communication, control activities and monitoring
controls that were relevant to processing and reporting
customers’ transactions.
(ii) Does not omit or distort information relevant to the scope of the
system being described, while acknowledging that the description is
prepared to meet the common needs of a broad range of customers
and their auditors and may not, therefore, include every aspect of the
system that each individual customer may consider important in its
own particular environment.
(b) The controls related to the control objectives stated in the accompanying
description were suitably designed as at [date]. The criteria used in making
this assertion were that:
(i) The risks that threatened achievement of the control objectives stated
in the description were identified; and
(ii) The identified controls would, if operated as described, provide
reasonable assurance that those risks did not prevent the stated
control objectives from being achieved.
Appendix 2
(Ref. Para. A47)
Example Service Auditor’s Assurance Reports
The following examples of reports are for guidance only and are not intended to
be exhaustive or applicable to all situations.
Example 1: Type 2 Service Auditor’s Assurance Report
Independent Service Auditor’s Assurance Report on the Description of Controls,
their Design and Operating Effectiveness
To: XYZ Service Organization
Scope
We have been engaged to report on XYZ Service Organization’s description at
pages [bb-cc] of its [type or name of] system for processing customers’
transactions throughout the period [date] to [date] (the description), and on the
design and operation of controls related to the control objectives stated in the
description [17].
XYZ Service Organization’s Responsibilities
XYZ Service Organization is responsible for: preparing the description and
accompanying assertion at page [aa], including the completeness, accuracy and
method of presentation of the description and assertion; providing the services
covered by the description; stating the control objectives; and designing,
implementing and effectively operating controls to achieve the stated control
objectives.
Service Auditor’s Responsibilities
Our responsibility is to express an opinion on XYZ Service Organization’s
description and on the design and operation of controls related to the control
objectives stated in that description, based on our procedures. We conducted our
engagement in accordance with Standard on Assurance Engagements 3402,
“Assurance Reports on Controls at a Service Organization,” issued by the
Institute of Chartered Accountants of India. That standard requires that we
comply with ethical requirements and plan and perform our procedures to obtain
reasonable assurance about whether, in all material respects, the description is
fairly presented and the controls are suitably designed and operating effectively.
17 If some elements of the description are not included in the scope of the engagement, this is
made clear in the assurance report.
An assurance engagement to report on the description, design and operating
effectiveness of controls at a service organization involves performing
procedures to obtain evidence about the disclosures in the service organization’s
description of its system, and the design and operating effectiveness of controls.
The procedures selected depend on the service auditor’s judgment, including the
assessment of the risks that the description is not fairly presented, and that
controls are not suitably designed or operating effectively. Our procedures
included testing the operating effectiveness of those controls that we consider
necessary to provide reasonable assurance that the control objectives stated in
the description were achieved. An assurance engagement of this type also
includes evaluating the overall presentation of the description, the suitability of
the objectives stated therein, and the suitability of the criteria specified by the
service organization and described at page [aa].
We believe that the evidence we have obtained is sufficient and appropriate to
provide a basis for our opinion.
Limitations of Controls at a Service Organization
XYZ Service Organization’s description is prepared to meet the common needs
of a broad range of customers and their auditors and may not, therefore, include
every aspect of the system that each individual customer may consider important
in its own particular environment. Also, because of their nature, controls at a
service organization may not prevent or detect all errors or omissions in
processing or reporting transactions. Also, the projection of any evaluation of
effectiveness to future periods is subject to the risk that controls at a service
organization may become inadequate or fail.
Opinion
Our opinion has been formed on the basis of the matters outlined in this report.
The criteria we used in forming our opinion are those described at page [aa]. In
our opinion, in all material respects:
(a) The description fairly presents the [type or name of] system as
designed and implemented throughout the period from [date] to [date];
(b) The controls related to the control objectives stated in the description were
suitably designed throughout the period from [date] to [date]; and
(c) The controls tested, which were those necessary to provide reasonable
assurance that the control objectives stated in the description were
achieved, operated effectively throughout the period from [date] to [date].
Description of Tests of Controls
The specific controls tested and the nature, timing and results of those tests are
listed on pages [yy-zz].
Intended Users and Purpose
This report and the description of tests of controls on pages [yy-zz] are intended
only for customers who have used XYZ Service Organization’s [type or name of]
system, and their auditors, who have a sufficient understanding to consider it,
along with other information including information about controls operated by
customers themselves, when assessing the risks of material misstatements of
customers’ financial statements.
For XYZ and Co.
Chartered Accountants
Firm’s Registration Number
Signature
(Name of the Member Signing the Audit Report)
(Designation18)
Membership Number
Place of Signature
Date
18 Partner or Proprietor, as the case may be.
Example 2: Type 1 Service Auditor’s Assurance Report
Independent Service Auditor’s Assurance Report on the Description
of Controls and their Design
To: XYZ Service Organization
Scope
We have been engaged to report on XYZ Service Organization’s description at
pages [bb-cc] of its [type or name of] system for processing customers’
transactions as at [date] (the description), and on the design of controls related to
the control objectives stated in the description19.
We did not perform any procedures regarding the operating effectiveness of
controls included in the description and, accordingly, do not express an opinion
thereon.
XYZ Service Organization’s Responsibilities
XYZ Service Organization is responsible for: preparing the description and
accompanying assertion at page [aa], including the completeness, accuracy and
method of presentation of the description and the assertion; providing the
services covered by the description; stating the control objectives; and designing,
implementing and effectively operating controls to achieve the stated control
objectives.
Service Auditor’s Responsibilities
Our responsibility is to express an opinion on XYZ Service Organization’s
description and on the design of controls related to the control objectives stated
in that description, based on our procedures. We conducted our engagement in
accordance with Standard on Assurance Engagements 3402, “Assurance
Reports on Controls at a Service Organization,” issued by the Institute of
Chartered Accountants of India. That standard requires that we comply with
ethical requirements and plan and perform our procedures to obtain reasonable
assurance about whether, in all material respects, the description is fairly
presented and the controls are suitably designed.
An assurance engagement to report on the description and design of controls at
a service organization involves performing procedures to obtain evidence about
the disclosures in the service organization’s description of its system, and the
design of controls. The procedures selected depend on the service auditor’s
judgment, including the assessment of the risks that the description is not fairly
presented, and that controls are not suitably designed. An assurance engagement of this
type also includes evaluating the overall presentation of the description, the
suitability of the control objectives stated therein, and the suitability of the criteria
specified by the service organization and described at page [aa].
19 If some elements of the description are not included in the scope of the engagement, this is
made clear in the assurance report.
As noted above, we did not perform any procedures regarding the operating
effectiveness of controls included in the description and, accordingly, do not
express an opinion thereon.
We believe that the evidence we have obtained is sufficient and appropriate to
provide a basis for our opinion.
Limitations of Controls at a Service Organization
XYZ Service Organization’s description is prepared to meet the common needs
of a broad range of customers and their auditors and may not, therefore, include
every aspect of the system that each individual customer may consider important
in its own particular environment. Also, because of their nature, controls at a
service organization may not prevent or detect all errors or omissions in
processing or reporting transactions.
Opinion
Our opinion has been formed on the basis of the matters outlined in this report.
The criteria we used in forming our opinion are those described at page [aa]. In
our opinion, in all material respects:
(a) The description fairly presents the [type or name of] system as
designed and implemented as at [date]; and
(b) The controls related to the control objectives stated in the description were
suitably designed as at [date].
Intended Users and Purpose
This report is intended only for customers who have used XYZ Service
Organization’s [type or name of] system, and their auditors, who have a sufficient
understanding to consider it, along with other information including information
about controls operated by customers themselves, when obtaining an
understanding of customers’ information systems relevant to financial reporting.
For XYZ and Co.
Chartered Accountants
Firm’s Registration Number
Signature
(Name of the Member Signing the Audit Report)
(Designation20)
Membership Number
Place of Signature
Date
20 Partner or Proprietor, as the case may be.
Appendix 3
(Ref. Para. A50)
Example Modified Service Auditor’s Assurance Reports
The following examples of modified reports are for guidance only and are not
intended to be exhaustive or applicable to all situations. They are based on the
examples of reports in Appendix 2.
Example 1: Qualified opinion – the service organization’s description of the
system is not fairly presented in all material respects
…
Service Auditor’s Responsibilities
…
We believe that the evidence we have obtained is sufficient and appropriate to
provide a basis for our qualified opinion.
Basis for Qualified Opinion
The accompanying description states at page [mn] that XYZ Service
Organization uses operator identification numbers and passwords to prevent
unauthorized access to the system. Based on our procedures, which included
inquiries of staff personnel and observation of activities, we have determined that
operator identification numbers and passwords are employed in Applications A
and B but not in Applications C and D.
Qualified Opinion
Our opinion has been formed on the basis of the matters outlined in this report.
The criteria we used in forming our opinion were those described in XYZ Service
Organization’s assertion at page [aa]. In our opinion, except for the matter
described in the Basis for Qualified Opinion paragraph:
(a) …
Example 2: Qualified opinion – the controls are not suitably designed to
provide reasonable assurance that the control objectives stated in the
service organization’s description of its system will be achieved if the
controls operate effectively
…
Service Auditor’s Responsibilities
…
We believe that the evidence we have obtained is sufficient and appropriate to
provide a basis for our qualified opinion.
Basis for Qualified Opinion
As discussed at page [mn] of the accompanying description, from time to time
XYZ Service Organization makes changes in application programs to correct
deficiencies or to enhance capabilities. The procedures followed in determining
whether to make changes, in designing the changes and in implementing them,
do not include review and approval by authorized individuals who are
independent from those involved in making the changes. There are also no
specified requirements to test such changes or provide test results to an
authorized reviewer prior to implementing the changes.
Qualified Opinion
Our opinion has been formed on the basis of the matters outlined in this report.
The criteria we used in forming our opinion were those described in XYZ Service
Organization’s assertion at page [aa]. In our opinion, except for the matter
described in the Basis for Qualified Opinion paragraph:
(a) …
Example 3: Qualified opinion – the controls did not operate effectively
throughout the specified period (type 2 report only)
…
Service Auditor’s Responsibilities
…
We believe that the evidence we have obtained is sufficient and appropriate to
provide a basis for our qualified opinion.
Basis for Qualified Opinion
XYZ Service Organization states in its description that it has automated controls
in place to reconcile loan payments received with the output generated.
However, as noted at page [mn] of the description, this control was not operating
effectively during the period from dd/mm/yyyy to dd/mm/yyyy due to a
programming error. This resulted in the non-achievement of the control objective
“Controls provide reasonable assurance that loan payments received are
properly recorded” during the period from dd/mm/yyyy to dd/mm/yyyy. XYZ
implemented a change to the program performing the calculation as of [date],
and our tests indicate that it was operating effectively during the period from
dd/mm/yyyy to dd/mm/yyyy.
Qualified Opinion
Our opinion has been formed on the basis of the matters outlined in this report.
The criteria we used in forming our opinion were those described in XYZ Service
Organization’s assertion at page [aa]. In our opinion, except for the matter
described in the Basis for Qualified Opinion paragraph:
…
Example 4: Qualified opinion – the service auditor is unable to obtain
sufficient appropriate evidence
…
Service Auditor’s Responsibilities
…
We believe that the evidence we have obtained is sufficient and appropriate to
provide a basis for our qualified opinion.
Basis for Qualified Opinion
XYZ Service Organization states in its description that it has automated controls
in place to reconcile loan payments received with the output generated.
However, electronic records of the performance of this reconciliation for the
period from dd/mm/yyyy to dd/mm/yyyy were deleted as a result of a computer
processing error, and we were therefore unable to test the operation of this
control for that period. Consequently, we were unable to determine whether the
control objective “Controls provide reasonable assurance that loan payments
received are properly recorded” operated effectively during the period from
dd/mm/yyyy to dd/mm/yyyy.
Qualified Opinion
Our opinion has been formed on the basis of the matters outlined in this report.
The criteria we used in forming our opinion were those described in XYZ Service
Organization’s assertion at page [aa]. In our opinion, except for the matter
described in the Basis for Qualified Opinion paragraph:
(a) …