SSAEs - Service Organzations

Question 1

Type I report

Answer 1

Report on management’s description of a service organization’s system and whether the control policies and procedures are suitably designed and placed in operation

Question 2

Type II Report - a report on controls placed in operation and tests of operating effectiveness.

Answer 2

Report on management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls.

Question 3

User Auditors Objectives

Answer 3

1. Obtain an understanding of the nature and significance of the services provided by a service organization, including internal controls, sufficient to assess the risk of material misstatement
2. design and perform audit procedures that are responsive to those risks

Question 4

Responding to risk assessment

Answer 4

test of controls -

Question 5

Complementary user entity controls:

Answer 5

Controls that management of the service organization assumes, in the design of its service, will be implemented by user entities, and which, if necessary to achieve the control objectives stated in management’s description of the service organization’s system, are identified as such in that description.

Question 6

Modified Opinion: Scope limitation

Answer 6

If the user auditor is unable to obtain sufficient appropriate audit evidence about the services provided by the service organization relevant to the user entity’s financial statements, the user auditor should modify the opinion for a scope limitation.

Question 7

When to reference the service auditor

Answer 7

unmodified opinion: Never

Modified opinion: optional

Question 8

Type 1 Report Structure

Answer 8

1. Scope – identify the nature of the engagement and the specific date involved.
2. Service organization’s responsibilities.
3. Service auditor’s responsibilities—reference the attestation standards established by the AICPA and describe an examination; also, disclaim an opinion on operating effectiveness.
4. Inherent limitations of internal control.
5. Opinion—(1) that the description fairly presents the system that was designed and implemented as of the specific date; and (2) that the controls related to the stated control objectives were suitably designed to provide reasonable assurance that the control objectives would be achieved if the controls operated effectively as of the specific date.
6. Restricted use—distribution should be restricted to the service organization, user entities, and the user entities’ independent auditors.

Question 9

Service Auditor Independence requirements

Answer 9

Must be independent of service organization, but not necessarily independent of all user entities.

Question 10

Type II Reporting Structure

Answer 10

1. Scope—identify the nature of the engagement and the period involved.
2. Service organization’s responsibilities.
3. Service auditor’s responsibilities—reference the attestation standards established by the AICPA and describe an examination.
4. Inherent limitations of internal control.
5. Opinion—(1) that the description fairly presents the system that was designed and implemented throughout the period; (2) that the controls related to the stated control objectives were suitably designed to provide reasonable assurance that the control objectives would be achieved if the controls operated effectively throughout the period; and (3) that the controls tested operated effectively throughout the period.
6. Description of tests of controls—reference the pages of the service auditor’s report identifying the specific controls tested and the nature, timing, and results of those tests.
7. Restricted use—distribution should be restricted to the service organization, user entities, and the user entities’ independent auditors.