report has two elements:
1 The service auditor’s report on whether the service organization’s description of its controls presents fairly the controls placed in operation as of a specific date, and
2 The service auditor’s opinion that the controls have been suitably designed to provide reasonable assurance that the stated control objectives would be achieved if the controls were complied with satisfactorily.
This type of report generally helps in obtaining an understanding of the entity’s internal control sufficient to plan the audit. It does not allow the user auditor to reduce the assessed level of control risk below the maximum.
Report on Controls Placed in Operation and Tests of Operating Effectiveness (Type 2)
This report includes both elements of a type 1 report and adds a third; it refers to a list of tests performed by the service auditor of specific controls. The test period covered is described and is a minimum of six months. The user auditor is responsible for deciding what evidential matter is needed to reduce the assessed level of control risk. In some cases, the tests of operating effectiveness performed by the service auditor may provide such evidence. (Other potential sources of this evidence are tests of the user entity’s controls over the activities of the service organization, or tests of controls performed by the user auditor at the service organization.)
The user auditor selects the audit approach:
Is it more efficient to obtain evidential matter about the operating effectiveness to permit assessing control risk below the maximum? or
Is the more efficient approach to assess control risk at the maximum and plan other audit procedures suitable for that level of risk of material misstatement?
Considerations in Using a Service Auditor’s Report
A service auditor’s report with a “clean opinion” does not mean the service organization controls are effective for the user organization. It means that the control objectives listed and their related controls are described accurately. For example:
The report may not address all of the control objectives that the user auditor would find helpful. Key control objectives relating to transactions processed by service organizations are often defined in the description as responsibilities of the user organization, not of the service organization.
The description may state that the system was designed with the assumption that certain internal controls would be implemented by the user organization. In this case, the service auditor’s report includes “and user organizations applied the internal controls contemplated in the design of the service organization’s controls” in the scope and opinion paragraphs.
One criterion used by service auditors to determine whether a significant deficiency exists is whether user organizations would “generally be expected to have controls in place to mitigate such design deficiencies.” The user auditor needs to consider whether his or her client has these expected controls in place.
Obtaining a service auditor’s report and carefully reading the description are the starting point for obtaining an understanding of internal control and how it is integrated between the service organization and the user entity.
The user auditor should make inquiries concerning the service auditor’s professional reputation. The user auditor should consider the scope and results of the service auditor’s work to decide whether the report provides the needed information and evidential matter that the user auditor needs to achieve the audit objectives. In some cases, the user auditor may clarify his or her understanding of the service auditor’s procedures and conclusions by discussing the scope and results of the work with the service auditor and reviewing the service auditor’s audit program and workpapers.
If the user auditor cannot obtain sufficient evidence to achieve the audit objectives, the user auditor should issue a qualified opinion or disclaim an opinion because of a scope limitation. (AU-C 402.20)
To explain a modification of the user auditor’s opinion, a user auditor may make reference to the work of a service auditor. In that case, the user auditor’s report must indicate that such reference does not diminish the user auditor’s responsibility for that opinion. (AU-C 402.22) However, if the report is not modified, the user auditor’s audit report on the financial statements should not refer to the report of the service auditor. (AU-C 402.21) The service auditor is not responsible for examining any portion of the financial statements.
When the user auditor wishes to reduce the assessed level of control risk and is using a service auditor’s report that reports the results of tests of controls over a specified time period, the user auditor should consider the appropriateness of the time period covered in evaluating the tests performed and results to assess the level of control risk for the user entity.
AU-C 402 ILLUSTRATION—AUDIT PROGRAM FOR AN AUDITOR’S REVIEW OF A SERVICE AUDITOR’S REPORT
Page of | ||||
Audit Program forConsideration of Type 1 and Type 2 Reports | ||||
Company: | Balance Sheet Date: | |||
Audit Objective | Audit Procedure for Consideration | N/A Performed By | Workpaper Index | |
Audit Objectives Determine whether a type 1 or type 2 report is required to:Obtain an understanding of the design of internal controls and whether they have been placed in operation (all audits)Assess control risk below the maximum for certain financial statement assertions (if applicable)Read and understand the type 1 or type 2 report to determine how service organization’s controls affect the:Types of potential misstatements to the entity’s financial statementsFactors that affect the risk of material misstatementDesign of substantive audit testsAssessment of control risk for individual assertions | ||||
Planning | ||||
A. | Identify transactions that are processed by a service organization. | |||
A. | Link the transactions identified in step 1 to the entity’s financial statements and relevant assertions. | |||
A. | Determine whether a type 1 or type 2 report is needed for each of the transactions identified in step 1.If a type 1 or type 2 report is not needed or is unavailable, then either:Perform alternative procedures to obtain the information necessary to plan the audit, orModify the auditor’s report for a scope limitation. |
|