Joanne M. Flood

Wiley Practitioner's Guide to GAAS 2020



AU-C 402.08. For definitions related to this standard, see Appendix A, “Definitions of Terms”: Complementary user entity controls, Report on management’s description of a service organization’s system and the suitability of the design of controls (referred to in this section as a type 1 report), Report on management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls (referred to in this section as a type 2 report), Service auditor, Service organization, Service organization’s system, Subservice organization, User auditor, User entity.

      OBJECTIVES OF AU-C SECTION 402

      The objectives of the user auditor, when the user entity uses the services of a service organization, are to

      1 obtain an understanding of the nature and significance of the services provided by the service organization and their effect on the user entity’s internal control relevant to the audit, sufficient to identify and assess the risks of material misstatement.

      2 design and perform audit procedures responsive to those risks.

      (AU-C Section 402.07)

      REQUIREMENTS

      When an entity uses a service organization, part of the processing that the auditor usually finds in the client’s internal control is physically and operationally separate from that entity (the user entity). In some circumstances, the user entity may be able to implement effective internal controls. This occurs when the user entity authorizes all transactions and maintains accountability that would detect unauthorized transactions or activity.

      In other circumstances, the service organization’s procedures relevant to the user entity need to be included when the user auditor is obtaining an understanding of internal control in accordance with AU-C 315. One source of additional information to obtain this understanding is a service auditor’s report. (AU-C 402.12)

      The key factors for a user auditor to consider in deciding whether additional information, such as a service auditor’s report, is needed are:

       The nature and significance of the services provided by the service organization

       The nature of the relationship between the user entity and the service organization, including contractual terms

       The degree of interaction between the activity at the service organization and that of the user organization

       The nature of the transactions processed

       The materiality of the transactions processed

      (AU-C 402.09)

      Information about a service organization’s controls may be obtained from various sources, including:

       User and technical manuals

       System overviews

       The contract between the user organization and the service organization

       Reports by service organizations, internal auditors, or regulatory authorities on the service organization’s controls

       Reports by the service auditor

       The user auditor’s prior experience with the service organization (if the services and the service organization’s controls are highly standardized)

      (AU-C 402.A1 and .A2)

      The auditor’s understanding of internal control should be sufficient to “plan the audit.” Additional information from the service center or a service auditor’s report may not be needed if the auditor obtains at the user entity a sufficient understanding of the controls placed in operation by the service organizations to:

       Identify types of potential misstatements

       Consider factors that affect the risk of material misstatement

      (AU-C 402.10 and .11)

      If the user auditor cannot obtain a sufficient understanding from the user entity, the auditor should consider the following procedures:

       Request specific information from the service organization.

       Visit the service organization and perform procedures to obtain the necessary information.

       Use another auditor to perform the necessary procedures.

       Obtain and read a type 1 or type 2 service organization report.

      (AU-C 402.12)

      Before deciding to use a type 1 or type 2 report, the user auditor should be satisfied about:

       The service auditor’s professional competence and independence

       The adequacy of the standards used to issue the report

      (AU-C 402.13)

      When using a Type 1 or 2 report as audit evidence, the auditor should:

       Determine whether the report is as of a date (type 1) or is for a period (type 2) that is appropriate for the audit’s progress,

       Assess the efficiency and appropriateness of the report,

       Evaluate whether complementary user entity controls identified by the service organization are relevant to addressing the risks of material misstatement, and

       If those controls are relevant, obtain an understanding of whether the user entity has designed and implemented those controls.

      (AU-C 402.14)

      AU-C 402.08 defines two types of service auditor’s reports:

      1 Report on controls placed in operation

      NOTE: This type of report can help in obtaining an understanding of internal control to plan the audit, but it is not usually in and of itself an adequate basis for reducing the assessed level of control risk below the maximum.

      2 Report on controls placed in operation and tests of operating effectiveness

      Both types of service auditor’s reports provide an opinion on whether:

       The accompanying description presents fairly, in all material respects, the aspects of the service organization’s controls that may be relevant to a user organization’s internal control;

       The controls have been placed in operation as of a date; and

       The controls are suitably designed to provide reasonable assurance that the specified control objectives would be achieved.

      The second type of service auditor’s report adds a list of tests of controls performed by the service auditor and an opinion on whether the controls tested were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the related control objectives were achieved during the period specified.

      Before using a service auditor’s report, the user auditor should make inquiries about the service auditor’s professional reputation. Also, the user auditor should consider:

       Discussing the audit procedures and their results with the service auditor

       Reviewing the service auditor’s audit program

       Reviewing the service auditor’s audit documentation

      Reports on Controls Placed in Operation (Type