
Access to controls reports

This article provides a brief explanation of who should be able to view reports on internal controls of service organisations and the assurance reports thereon (controls reports) and how difficulties in arranging access can be overcome.

Entities that outsource part of their operations to service organisations indicate that they sometimes encounter difficulties in accessing these service organisations’ controls reports, which are presumably issued for the benefit of users, including the entity outsourcing its operations.

Assurance reporting, as envisaged in the Faculty’s AAF 01/06, Assurance reports on internal controls of service organisations made available to third parties, and similar frameworks such as ISAE 3402 (an equivalent international standard) and SSAE 16 (a US equivalent), presumes the existence of third-party users interested in the internal controls of the service organisation that carries out outsourced operations for them. Indeed, this is often the primary purpose of a service organisation commissioning an assurance report.

The framework for such assurance reports assumes a three-party relationship comprising:

  • the issuing party (the service organisation);
  • the users of the service provided by the service organisation who seek to rely on the report (customers or user organisations); and
  • the independent reporting accountants (sometimes called ‘service auditors’).

The intended recipients of such controls reports are the existing customers of the service organisation with whom the service organisation has an existing direct contractual relationship. The normal situation envisaged by these assurance reporting frameworks is therefore for a service organisation to provide a copy of its controls report to existing customers, either proactively or upon request.

Where required, such reports may also be accessed by customers’ auditors, e.g. for the purpose of ISA 402, Audit considerations relating to an entity using a service organisation. In such a scenario, the intended users or recipients of the controls report should ideally be set out in the engagement letter between the service organisation and the reporting accountants.

Customers of service organisations should also confirm, as required, when contracting with a service organisation whether they are entitled to a controls report in relation to the outsourced operations.


In summary, controls reports are primarily prepared and made available to the direct (or contractual) customers of the services covered by the report.

Other entities in the supply chain of outsourced services may have a genuine interest in, and be able to access a copy of, these controls reports, even if they are not legally direct customers.

However, this may require some negotiation, as service organisations would need to be persuaded of the merits of doing so and to agree with the reporting accountants the basis on which the report is provided, so as to fairly reflect the responsibilities and liability, if any, owed to the recipient of the controls report.


ICAEW's assurance resource

This page is part of ICAEW’s online assurance resource, which replaces the Assurance Sourcebook.
