Wiley Practitioner's Guide to GAAS 2020. Joanne M. Flood
The report may not address all of the control objectives that the user auditor would find helpful. Key control objectives relating to transactions processed by service organizations are often defined in the description as responsibilities of the user organization, not of the service organization.
The description may state that the system was designed with the assumption that certain internal controls would be implemented by the user organization. In this case, the service auditor’s report includes “and user organizations applied the internal controls contemplated in the design of the service organization’s controls” in the scope and opinion paragraphs.
One criterion used by service auditors to determine whether a significant deficiency exists is whether user organizations would “generally be expected to have controls in place to mitigate such design deficiencies.” The user auditor needs to consider whether his or her client has these expected controls in place.
Obtaining a service auditor’s report and carefully reading the description are the starting point for obtaining an understanding of internal control and how it is integrated between the service organization and the user entity.
The user auditor should make inquiries concerning the service auditor’s professional reputation. The user auditor should consider the scope and results of the service auditor’s work to decide whether the report provides the needed information and evidential matter that the user auditor needs to achieve the audit objectives. In some cases, the user auditor may clarify his or her understanding of the service auditor’s procedures and conclusions by discussing the scope and results of the work with the service auditor and reviewing the service auditor’s audit program and workpapers.
If the user auditor cannot obtain sufficient evidence to achieve the audit objectives, the user auditor should issue a qualified opinion or disclaim an opinion because of a scope limitation. (AU-C 402.20)
To explain a modification of the user auditor’s opinion, a user auditor may make reference to the work of a service auditor. In that case, the user auditor’s report must indicate that such reference does not diminish the user auditor’s responsibility for that opinion. (AU-C 402.22) However, if the report is not modified, the user auditor’s audit report on the financial statements should not refer to the report of the service auditor. (AU-C 402.21) The service auditor is not responsible for examining any portion of the financial statements.
When the user auditor wishes to reduce the assessed level of control risk and is using a service auditor’s report that reports the results of tests of controls over a specified time period, the user auditor should consider the appropriateness of the time period covered in evaluating the tests performed and results to assess the level of control risk for the user entity.
AU-C 402 ILLUSTRATION—AUDIT PROGRAM FOR AN AUDITOR’S REVIEW OF A SERVICE AUDITOR’S REPORT
Page ___ of ___
Audit Program for Consideration of Type 1 and Type 2 Reports
Company: ___ | Balance Sheet Date: ___
Audit Objective | Audit Procedure for Consideration | N/A | Performed By | Workpaper Index
Audit Objectives
- Determine whether a type 1 or type 2 report is required to:
  - Obtain an understanding of the design of internal controls and whether they have been placed in operation (all audits)
  - Assess control risk below the maximum for certain financial statement assertions (if applicable)
- Read and understand the type 1 or type 2 report to determine how service organization’s controls affect the:
  - Types of potential misstatements to the entity’s financial statements
  - Factors that affect the risk of material misstatement
  - Design of substantive audit tests
  - Assessment of control risk for individual assertions
Planning
A. Identify transactions that are processed by a service organization.
A. Link the transactions identified in step 1 to the entity’s financial statements and relevant assertions.
A. Determine whether a type 1 or type 2 report is needed for each of the transactions identified in step 1. If a type 1 or type 2 report is not needed or is unavailable, then either:
  - Perform alternative procedures to obtain the information necessary to plan the audit, or
  - Modify the auditor’s report for a scope limitation.
A. Obtain the necessary Section 324 report(s), either from the client or directly from the service organization.
Read and Assess the Implication of the Type 1 or Type 2 Report
B. Read the service auditor’s report and assess its implications for the audit of the entity’s financial statements, including:
  - Whether the service auditor prepares a type I or type II report
  - The nature of the opinions rendered and whether these included any modifications to the standard reporting language
  - The timing of the engagement, that is,
    - The date “as of” which the description of controls applies
    - The period of time covered by the tests of operating effectiveness of controls, if control risk is to be assessed below the maximum
B. Read the description of the service organization’s controls and evaluate the effect of the following on the audit of the entity’s financial statements:
  - Whether the description includes all significant transactions, processes, computer applications, or business units that affect the audit of the entity’s financial statements
  - Whether the description includes all five components of internal control
  - Whether the description is sufficiently detailed to understand how the service organization’s processing affects the entity’s financial statements, including estimates and disclosures
  - Changes to service organization controls
  - Instances of noncompliance with service organization controls
  - Whether the description of controls is adequate to provide an understanding of those elements of the entity’s accounting