Wiley Practitioner's Guide to GAAS 2020. Joanne M. Flood

A. Obtain the necessary Section 324 report(s), either from the client or directly from the service organization. Read and Assess the Implication of the Type 1 or Type 2 Report B. Read the service auditor’s report and assess its implications for the audit of the entity’s financial statements, including:Whether the service auditor prepares a type I or type II reportThe nature of the opinions rendered and whether these included any modifications to the standard reporting languageThe timing of the engagement, that is,The date “as of” which the description of controls appliesThe period of time covered by the tests of operating effectiveness of controls, if control risk is to be assessed below the maximum B. Read the description of the service organization’s controls and evaluate the effect of the following on the audit of the entity’s financial statements:Whether the description includes all significant transactions, processes, computer applications, or business units that affect the audit of the entity’s financial statementsWhether the description includes all five components of internal controlWhether the description is sufficiently detailed to understand how the service organization’s processing affects the entity’s financial statements, including estimates and disclosuresChanges to service organization controlsInstances of noncompliance with service organization controlsWhether the description of controls is adequate to provide an understanding of those elements of the entity’s accounting information system maintained by the service organization B. List all complementary user organization controls identified in the type 1 or type 2 report that the service auditor assumed were maintained by the entity. Cross-reference this list to the audit work performed to:Understand the design of these complementary user controls and whether they have been placed in operation, andIf applicable, tests of operating effectiveness of these controls. Tests of Operating Effectiveness (if applicable) B. Review the service auditor’s description of the tests of controls and assess their adequacy for your purposes. Consider:The link between the financial statement assertion and the control objectiveThe link between the control objective and the controls testedThe nature, timing, and extent of the tests performed B. Evaluate the results of the tests of controls and determine whether they support assessing control risk below the maximum.