AUD 5.5 - Reporting On Controls At A Service Organization Flashcards
A service organization's services are considered to be part of what?
A user entity’s information system
Service organizations often have an auditor do what?
Perform an attestation examination engagement to report on the controls of the service organization that are relevant to the user entity’s internal control over financial reporting
ABC firm audits Party Solutions. Party Solutions uses Quick Payroll to process its payroll transactions. XYZ Firm audits Quick Payroll.
Who is the user entity, user auditor, service organization, and service auditor?
ABC Firm = user auditor
Party Solutions = user entity
Quick Payroll = service organization
XYZ Firm = service auditor
What are the objectives of a service auditor?
- Obtain reasonable assurance about whether management's description of the service organization's system fairly presents the system that was designed and implemented through the specified period
- Obtain reasonable assurance that the controls related to the control objectives stated in management's description are suitably designed throughout the specified period
- Report in accordance with the service auditor's findings
The service auditors should perform the following procedures:
Assess the suitability of the criteria
Understand the service organization's system
Obtain evidence about the description of the service org's system
Obtain evidence about the design of controls
Obtain evidence about the operating effectiveness of controls (if a type 2)
Obtain written representation from management
Consider subsequent events
What report is used when evaluating the impact that certain relevant controls at the service organization have on the financials of the user entity?
SOC 1
What report is used to give assurance to a broad range of users regarding the controls in place at a service organization relevant to one or more of the Trust Service criteria of security, availability, processing integrity, confidentiality, and privacy?
SOC 2
This type of report that a service auditor may provide is a report on the design and implementation of a service organization's controls
Type 1 report
This type of report that the service auditor may provide is a report on the design, implementation, and operating effectiveness of a service organization's controls
Type 2 report
This type of report contains the following information:
1. Management's description of the service org’s system
2. Written assertion by management containing:
-system fairly presents the design and implementation of the system as of a specified date
-management's description were suitably designed to achieve the control objectives as of a specified date
3. The auditor's opinion on management's assertion
Type 1 report
Which really important paragraphs are included in the service auditor's report on a service organization's design of controls?
The inherent limitations paragraph
The restricted use paragraph
The “other matter” paragraph used to explain we did not perform procedures regarding operating effectiveness of controls
This type of report contains the following information:
1. Management's description of the service org’s system
2. Written assertion by management containing:
-system fairly presents the design and implementation of the system as of a specified date
-controls were suitably designed to achieve the control objectives as of a specified date
-controls operated effectively to achieve the control objectives throughout a specified period
3. The auditor's opinion on management's assertion
4. Description of the service auditor's tests of controls and results
Type 2 report
Which really important paragraphs are included in the service auditor's report on a service organization's design and operating effectiveness of controls?
The inherent limitations paragraph
The restricted use paragraph
The description of the tests of controls
When a user auditor receives this report from the service auditor, it may aid the user auditor in obtaining an understanding of the controls
SOC 1, Type 1 report
When a user auditor receives this report from a service auditor, it provides the user auditor with assurance about the design, implementation, and operating effectiveness of the service org’s internal controls and therefore reduces control risk:
SOC 2, Type 2 report