System overviews
The contract between the user organization and the service organization
Reports by service organizations, internal auditors, or regulatory authorities on the service organization’s controls
Reports by the service auditor
The user auditor’s prior experience with the service organization (if the services and the service organization’s controls are highly standardized)
(AU-C 402.A1 and .A2)
The auditor’s understanding of internal control should be sufficient to “plan the audit.” Additional information from the service center or a service auditor’s report may not be needed if the auditor obtains at the user entity a sufficient understanding of the controls placed in operation by the service organizations to:
Identify types of potential misstatements
Consider factors that affect the risk of material misstatement
(AU-C 402.10 and .11)
If the user auditor cannot obtain a sufficient understanding from the user entity, the auditor should consider the following procedures:
Request specific information from the service organization.
Visit the service organization and perform procedures to obtain the necessary information.
Use another auditor to perform the necessary procedures.
Obtain and read a type 1 or type 2 service organization report.
(AU-C 402.12)
Before deciding to use a type 1 or type 2 report, the user auditor should be satisfied about:
The service auditor’s professional competence and independence
The adequacy of the standards used to issue the report
(AU-C 402.13)
When using a Type 1 or 2 report as audit evidence, the auditor should:
Determine whether the report is as of a date (type 1) or is for a period (type 2) that is appropriate for the audit’s progress,
Assess the efficiency and appropriateness of the report,
Evaluate whether complementary user entity controls identified by the service organization are relevant to addressing the user of national misstatements, and
If those controls are relevant, obtain an understanding of whether the user entity has designed and implemented those controls.
(AU-C 402.14)
Types of Service Auditor’s Reports
AU-C 402.08 defines two types of service auditor’s reports:
1 Report on controls placed in operationNOTE: This type of report can help in obtaining an understanding of internal control to plan the audit, but it is not usually in and of itself an adequate basis for reducing the assessed level of control risk below the maximum.
2 Report on controls placed in operation and tests of operating effectiveness
Both types of service auditor’s reports provide an opinion on whether:
The accompanying description presents fairly, in all material respects, the aspects of the service organization’s controls that may be relevant to a user organization’s internal control;
The controls have been placed in operation as of a date; and
The controls are suitably designed to provide reasonable assurance that the specified control objectives would be achieved.
The second type of service auditor’s report adds a list of tests of controls performed by the service auditor and an opinion on whether the controls tested were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the related control objectives were achieved during the period specified.
Before using a service auditor’s report, the user auditor should make inquiries about the service auditor’s professional reputation. Also, the user auditor should consider:
Discussing the audit procedures and their results with the service auditor
Reviewing the service auditor’s audit program
Reviewing the service auditor’s audit documentation
Reports on Controls Placed in Operation (Type 1)
This report has two elements:
1 The service auditor’s report on whether the service organization’s description of its controls presents fairly the controls placed in operation as of a specific date, and
2 The service auditor’s opinion that the controls have been suitably designed to provide reasonable assurance that the stated control objectives would be achieved if the controls were complied with satisfactorily.
This type of report generally helps in obtaining an understanding of the entity’s internal control sufficient to plan the audit. It does not allow the user auditor to reduce the assessed level of control risk below the maximum.
Report on Controls Placed in Operation and Tests of Operating Effectiveness (Type 2)
This report includes both elements of a type 1 report and adds a third; it refers to a list of tests performed by the service auditor of specific controls. The test period covered is described and is a minimum of six months. The user auditor is responsible for deciding what evidential matter is needed to reduce the assessed level of control risk. In some cases, the tests of operating effectiveness performed by the service auditor may provide such evidence. (Other potential sources of this evidence are tests of the user entity’s controls over the activities of the service organization, or tests of controls performed by the user auditor at the service organization.)
The user auditor selects the audit approach:
Is it more efficient to obtain evidential matter about the operating effectiveness to permit assessing control risk below the maximum? or
Is the more efficient approach to assess control risk at the maximum and plan other audit procedures suitable for that level of risk of material misstatement?
Considerations in Using a Service Auditor’s Report
A service auditor’s report with a “clean opinion” does not mean the
