AT 801: Reporting on Controls at a Service Organization

EFFECTIVE DATE AND APPLICABILITY

Original Pronouncement: Statement on Standards for Attestation Engagements (SSAE) 16, Reporting on Controls at a Service Organization.
Effective Date: This statement currently is effective.
Applicability: Examination engagements to report on controls at organizations that provide services to user entities when those controls are likely to be relevant to user entities’ internal control over financial reporting.

DEFINITION OF TERMS

Carve-out method. A method for reviewing the services provided by a subservice organization, where management’s definition identifies the nature of the services performed and excludes its control objectives and controls from the scope of the service auditor’s engagement.

Complementary user entity controls. Controls that the management of a subservice entity assumes will be implemented by entities using the services of the subservice entity.

Control objectives. The purpose of specific controls.

Controls at a service organization. The policies and procedures used by a service organization that are likely to be relevant to the internal control over the financial reporting of user entities.

Controls at a subservice organization. The policies and procedures used by a subservice organization that are likely to be relevant to the internal control over the financial reporting of user entities.

Criteria. The standard against which the service auditor evaluates subject matter.

Inclusive method. A method of reviewing the services provided by a subservice organization, where management’s definition of the organization’s system includes a description of the services provided by the subservice organization and its control objectives and related controls.

Internal audit function. A service organization’s internal auditors and others who perform activities similar to those performed by internal auditors.

Report on management’s description of a service organization’s system and the suitability of the design of controls. A report that includes management’s description of a service organization’s system, a written assertion about whether management’s description fairly presents the system, and whether controls were suitably designed to achieve control objectives, as well as a service auditor’s report expressing an opinion on the preceding items.

Report on management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls. A report that includes management’s description of a service organization’s system, a written assertion about whether management’s description fairly presents the system, and whether controls were suitably designed to achieve control objectives, as well as a service auditor’s report expressing an opinion on the preceding items and a description of the tests of controls and related results.

Service auditor. A practitioner who reports on the controls of a service organization.

Service organization. Either an organization or a segment of an organization that provides services to user entities; the services are likely to be relevant to the internal control over financial reporting of user entities.

Service organization’s system. The policies and procedures used by the management of a service organization to provide user entities with the services addressed by a service auditor’s report.

Subservice organization. A service organization that is used by another service organization to perform some services that it provides to user entities; these services are likely to be relevant to the internal controls over financial reporting of user entities.

Test of controls. A procedure to evaluate the operating effectiveness of controls in achieving the control objectives described in management’s description of the system of a service organization.

User auditor. An auditor who audits and reports on the financial statements of an entity.

User entity. An entity that makes use of a service organization.

OBJECTIVES OF AT SECTION 801

According to AT 801.06, the objectives of the service auditor are to obtain reasonable assurance about whether, in all material respects, based on suitable criteria:

  • Management’s description of the service organization’s system fairly presents the system that was designed and implemented throughout the specified period.
  • The controls related to the control objectives stated in management’s description of the service organization’s system were suitably designed throughout the specified period.
  • When included in the scope of the engagement, the controls operated effectively to provide reasonable assurance that the control objectives stated in management’s description of the service organization’s system were achieved throughout the specified period.

The service auditor also has the objective of reporting in accordance with his or her findings.

FUNDAMENTAL REQUIREMENTS

Management and Those Charged with Governance

The service auditor should determine the appropriate person within the management of the service organization or governance structure with whom to interact.

Acceptance and Continuance

The service auditor should accept or continue an engagement to report on the controls of a service organization if:

1. The auditor has the competency and capability to perform the engagement.
2. The auditor’s initial knowledge of the engagement indicates that the criteria used will be suitable, he or she will have access to appropriate evidence, and the scope of the engagement will not be so limited that it will be unlikely to be useful.
3. Management agrees to the terms of the engagement by its acceptance of responsibility for a description of the service organization’s system and related assertion, having a reasonable basis for its assertion, selecting and stating the criteria to be used, specifying the control objectives, identifying risks that threaten achievement of the control objectives, providing the auditor with access to all information and people requested by the auditor, making written representations, and providing a written assertion that will be included in management’s description of the service organization’s system.

If management refuses to provide a written assertion, the service auditor should withdraw from the engagement. If there is a legal or regulatory restriction on withdrawing, then the service auditor should disclaim an opinion.

If management requests a scope change before the engagement is complete, the service auditor should be satisfied regarding the reason for the change before agreeing to it.

Assessing the Suitability of the Criteria

The service auditor should ascertain whether management has used suitable criteria:

1. To prepare the description of the organization’s system
2. To evaluate whether controls were designed to achieve control objectives
3. For a type 2 report, to evaluate whether controls operated effectively throughout the specified period to achieve control objectives

The service auditor should determine the following when assessing the suitability of criteria to evaluate whether management’s description of a system is fairly presented:

1. Whether the description of the system presents how it was designed and implemented, including the following items (if applicable):
a. The types of services provided
b. The procedures by which services are provided
c. The related accounting records
d. How the system captures and addresses significant events and conditions
e. The process by which reports and other information are prepared for user entities
f. The control objectives and controls designed to achieve the objectives of the system
g. Other aspects of the controls, risk assessment, and other systems that are relevant to the services provided
2. For a type 2 report, whether the system description includes relevant details of changes to the system during the period addressed by the description
3. Whether the description of the system does not omit or distort relevant information

When assessing the suitability of criteria, the service auditor should determine if the criteria address whether any risks threatening the control objectives have been identified, and if the identified controls would provide reasonable assurance that these risks would not keep the control objectives from being achieved. When making this assessment, the service auditor should verify whether the criteria include whether the controls were consistently applied throughout the period, including whether these controls were applied by those with appropriate competence and authority.

The service auditor should evaluate materiality for management’s description of the organization’s system, the suitability of the controls, and (for a type 2 report) the operating effectiveness of the controls needed to achieve the objectives stated in the description.

Obtaining an Understanding of the Service Organization’s System

The service auditor should acquire an understanding of the organization’s system, including those controls included in the engagement scope.

Obtaining Evidence Regarding Management’s Description of the Service Organization’s System

The service auditor should read management’s description of the organization’s system and evaluate whether those elements of the description that are within the engagement scope are presented fairly. This assessment should address whether

1. The control objectives stated in the description are reasonable
2. The controls stated in the description were implemented
3. Any complementary user entity controls are adequately described
4. Any services performed by a subservice organization are adequately described, as well as whether the inclusive or carve-out methods were used

The service auditor should use inquiries and other procedures to determine whether the system has been implemented.

Obtaining Evidence Regarding the Design of Controls

The service auditor should determine which controls are needed to achieve the control objectives for the system, and assess whether these controls were suitably designed by identifying those risks threatening control objectives and evaluating the linkage of the controls with those risks.

Obtaining Evidence Regarding the Operating Effectiveness of Controls

For a type 2 engagement, the service auditor tests those controls that he or she has determined are needed to achieve the control objectives of the system, and assesses their operating effectiveness throughout the period. The service auditor should inquire about control changes implemented during the period covered by the service auditor’s report. If the changes are significant, he or she should ascertain whether they are included in management’s description of the system. If not, the service auditor should describe the changes in his or her report. If any superseded controls were relevant for meeting control objectives, the service auditor should test the controls prior to the change. If it is not possible to do so, the service auditor should determine the impact on his or her report.

When designing and performing tests of controls, the service auditor should do the following:

1. Perform other procedures to procure evidence about how a control was applied, the consistency of application, and by whom or by what means it was applied
2. Determine whether the controls depend on other controls, and whether he or she should obtain evidence about the effectiveness of those other controls
3. Determine a method for selecting items to be tested to meet procedure objectives

To determine the extent of tests of controls and whether sampling can be used, the service auditor should consider the characteristics of the population of controls to be tested.

The service auditor should investigate any deviations identified, and ascertain the following:

1. Whether deviations are within the expected rate of deviation
2. Whether additional testing is needed to conclude whether the controls related to the objectives operated effectively in the specified period
3. Whether the testing provides a basis for concluding that a control did not operate effectively in the specified period

If the service auditor learns that any identified deviations were the result of intentional acts, he or she should assess the risk that management’s description of the system is not fairly presented, that the controls are not suitably designed, and (in a type 2 engagement) that the controls are not operating effectively.

Using the Work of the Internal Audit Function

If there is an internal audit function within the service organization, the service auditor should understand its responsibilities in order to determine whether it can be relevant to the engagement. This includes an evaluation of:

1. The technical competence and objectivity of the internal auditors
2. Whether they perform their work with due professional care
3. Whether there will be effective communication between the service auditor and the internal auditors

If the work of the internal auditor is likely to be adequate for the purposes of the engagement, the service auditor should evaluate the impact of internal audit work in terms of the work performed by the internal auditors, the significance of that work to the service auditor’s conclusions, and the amount of subjectivity used by the internal auditors in their work.

To ascertain the adequacy of specific work done by the internal auditors for use by the service auditor, the service auditor should evaluate whether:

1. The work was done by auditors with adequate training and proficiency.
2. The work was properly supervised and documented.
3. There is sufficient evidence from which to draw conclusions.
4. Conclusions reached and reports written are appropriate in the circumstances.
5. Exceptions were properly resolved.

When the service auditor uses the work of the internal audit function, he or she should not reference that work in the opinion, since the service auditor has sole responsibility for the opinion. For a type 2 report, the service auditor should describe his or her use of the internal auditors in the report section that describes tests of controls and the results thereof.

Written Representations

The service auditor should obtain from management the following written representations:

1. Reaffirmation of the assertion in management’s description of the service organization’s system.
2. That management has provided the service auditor with all relevant information and access.
3. That management has disclosed any situations where there:
a. Are instances of legal or regulatory noncompliance or uncorrected errors
b. Is knowledge of actual or suspected management or employee acts that may adversely affect the fairness of the description of the organization’s system or the achievement of its control objectives
c. Are any control design deficiencies
d. Are instances where controls have not operated as described
e. Are subsequent events that could have a significant effect on management’s assertion

If there is a subservice organization providing services to a service organization, and management uses the inclusive method, then the service auditor should obtain written representations from the management of the subservice organization.

Written representations should be organized as a representation letter that is addressed to the service auditor, and the letter should be dated as of the same date as the service auditor’s report.

If management does not provide written representations, the service auditor should discuss the matter with management, evaluate the effect of the refusal on his or her assessment of the integrity of management, and take such actions as disclaiming an opinion or withdrawing from the engagement.

Other Information

The service auditor should use other information to identify inconsistencies with or misstatements in management’s description of the service organization’s system. If there are inconsistencies or misstatements, the service auditor should discuss the matter with management. This may call for further appropriate action.

Subsequent Events

The service auditor should inquire of management whether there have been any events during the period between management’s description of the organization’s system and the date of the auditor’s report that could have a significant effect on management’s assertion. The service auditor should disclose such items in his or her report.

The service auditor is not responsible for events subsequent to the date of his or her report.

Documentation

The service auditor should prepare documentation that is sufficient to enable an experienced service auditor with no previous connection to the engagement to understand:

1. The nature, timing, and extent of any procedures used
2. The results of procedures performed and evidence obtained
3. Significant findings or issues, conclusions reached, and the judgments made in reaching those conclusions

The service auditor should record the following when documenting procedures performed:

1. The characteristics of items or matters being tested
2. Who performed the work and when he or she did so
3. Who reviewed the work and when he or she did so

If the service auditor used the internal audit staff, he or she should document the conclusions reached regarding the adequacy of the internal audit function and the procedures completed to do so.

The service auditor should document the discussion of significant findings or issues with management, as well as the names of the persons involved and the date of each discussion.

The service auditor should document how he or she addressed any inconsistency in the information examined and the final conclusion.

The service auditor should assemble all engagement documentation into an engagement file and complete the related administration no later than 60 days after the release date of the service auditor’s report. The service auditor should not delete or discard documentation after assembling the final engagement file. If the service auditor must modify or add to the existing documentation after the file has been completed, he or she should document the reasons for the change, and when and by whom they were made and reviewed.

Preparing the Service Auditor’s Report

The service auditor’s type 2 report should contain the following information:

1. A title that includes the word independent
2. An addressee
3. Identification of the following items:
a. Management’s description of the service organization’s system and the function performed by that system
b. Any parts of management’s description of the system that are not addressed by the service auditor’s report
c. Any information included in a document containing the service auditor’s report that is not addressed by the report
d. The criteria
e. Any services performed by a subservice organization, and whether the carve-out or inclusive methods were used: If the carve-out method was employed, a statement that management’s description of the organization’s system does not include the control objectives and related controls located at subservice organizations, and that the service auditor’s procedures do not address the subservice organization. If the inclusive method was employed, a statement that management’s description of the organization’s system includes the subservice organization’s control objectives and related controls, and that the service auditor’s procedures addressed the subservice organization.
4. If management’s description of the organization’s system notes the need for complementary user entity controls, a statement that the service auditor has not evaluated the suitability of the design or effectiveness of complementary user entity controls, and that the stated control objectives can only be achieved if complementary user entity controls are suitably designed and operate effectively (as well as the controls of the service organization)
5. A reference to the assertion by management, as well as a statement that management is responsible for:
a. Preparing the description of the service organization’s system and the assertion
b. Providing the services covered by the description of the service organization’s system
c. Specifying the control objectives and stating them in the description of the system
d. Identifying the risks that threaten the accomplishment of the control objectives
e. Selecting the criteria
f. Designing, implementing, and documenting controls that are designed and operate effectively enough to achieve the objectives stated in the description of the organization’s system
6. A statement that the service auditor’s responsibility is to express an opinion on the fairness of the presentation of management’s description of the system of the service organization, and on the suitability of the design and operating effectiveness stated in the description, based on the examination by the service auditor
7. A statement that the examination was conducted in accordance with the attestation standards established by the AICPA, and that those standards require the service auditor to plan and perform this examination in order to obtain reasonable assurance as to whether management’s description of the organization’s system is fairly presented and controls suitably designed and operated during the specified period in order to achieve related control objectives
8. A statement that an examination of management’s description of the organization’s system and the suitability of the design and effectiveness of the controls in achieving control objectives involves the performance of procedures to obtain evidence about the fairness of the presentation of the description and suitability of the design and effectiveness of the controls to achieve the related control objectives stated in the description
9. A statement that the examination included assessing the risks that management’s description is not fairly presented and that the controls were not suitably designed or operated effectively to achieve the related control objectives
10. A statement that the examination included testing the effectiveness of the controls that the service auditor considered necessary to provide reasonable assurance that the related control objectives were achieved
11. A statement that an examination engagement of this type also includes the evaluation of the overall presentation of management’s description of the service organization’s system, as well as the suitability of the control objectives stated in the description
12. A statement that the service auditor believes that the examination provides a reasonable basis for his or her opinion
13. A statement about the inherent limitations of controls
14. The service auditor’s opinion on whether, in all material respects, based on the criteria described in management’s assertion:
a. Management’s description of the system fairly presents the system that was designed and implemented throughout the period.
b. The controls related to the control objectives stated in management’s description were suitably designed to provide reasonable assurance that the control objectives would be achieved if they operated effectively throughout the specified period.
c. The controls the service auditor tested operated effectively throughout the specified period.
d. If the application of complementary user entity controls is necessary to achieve the control objectives stated in management’s description, a reference to this condition.
15. A reference to a description of the service auditor’s tests of controls and the results, including:
a. The identification of tested controls and the nature of the tests in enough detail to enable user auditors to determine the effects of such tests on their risk assessments
b. The identification of any deviations in the operation of controls included in the description, the extent of the testing that identified the deviations, and the number and nature of deviations noted
16. A statement restricting the use of the service auditor’s report to the management of the service organization, user entities of the service organization during the period covered by the report, and the independent auditors of those user entities
17. The date of the report
18. The name of the service auditor and the city and state where the auditor maintains the office that is responsible for the engagement

The service auditor’s type 1 report should contain the following information:

1. A title that includes the word independent
2. An addressee
3. Identification of the following items:
a. Management’s description of the service organization’s system and the function performed by that system
b. Any parts of management’s description of the system that are not addressed by the service auditor’s report
c. Any information included in a document containing the service auditor’s report that is not addressed by the report
d. The criteria
e. Any services performed by a subservice organization, and whether the carve-out or inclusive methods were used: If the carve-out method was employed, a statement that management’s description of the organization’s system does not include the control objectives and related controls located at subservice organizations, and that the service auditor’s procedures do not address the subservice organization. If the inclusive method was employed, a statement that management’s description of the organization’s system includes the subservice organization’s control objectives and related controls, and that the service auditor’s procedures addressed the subservice organization.
4. If management’s description of the organization’s system notes the need for complementary user entity controls, a statement that the service auditor has not evaluated the suitability of the design or effectiveness of complementary user entity controls, and that the stated control objectives can only be achieved if complementary user entity controls are suitably designed and operate effectively (as well as the controls of the service organization)
5. A reference to the assertion by management, as well as a statement that management is responsible for:
a. Preparing the description of the service organization’s system and the assertion
b. Providing the services covered by the description of the service organization’s system
c. Specifying the control objectives and stating them in the description of the system
d. Identifying the risks that threaten the accomplishment of the control objectives
e. Selecting the criteria
f. Designing, implementing, and documenting controls that are designed and operate effectively enough to achieve the objectives stated in the description of the organization’s system
6. A statement that the service auditor’s responsibility is to express an opinion on the fairness of the presentation of management’s description of the system of the service organization, and on the suitability of the design and operating effectiveness stated in the description, based on the examination by the service auditor
7. A statement that the examination was conducted in accordance with the attestation standards established by the AICPA, and that those standards require the service auditor to plan and perform this examination in order to obtain reasonable assurance as to whether management’s description of the organization’s system is fairly presented and controls suitably designed and operated during the specified period in order to achieve related control objectives
8. A statement that the service auditor has not performed any procedures regarding the operating effectiveness of controls and, therefore, expresses no opinion about them
9. A statement that an examination of management’s description of the organization’s system and the suitability of the design and effectiveness of the controls in achieving control objectives involves the performance of procedures to obtain evidence about the fairness of the presentation of the description and suitability of the design and effectiveness of the controls to achieve the related control objectives stated in the description
10. A statement that the examination included assessing the risks that management’s description is not fairly presented and that the controls were not suitably designed or operated effectively to achieve the related control objectives
11. A statement that an examination engagement of this type also includes the evaluation of the overall presentation of management’s description of the service organization’s system, as well as the suitability of the control objectives stated in the description
12. A statement that the service auditor believes that the examination provides a reasonable basis for his or her opinion
13. A statement about the inherent limitations of controls
14. The service auditor’s opinion on whether, in all material respects, based on the criteria described in management’s assertion:
a. Management’s description of the system fairly presents the system that was designed and implemented as of the specified date.
b. The controls related to the control objectives stated in management’s description were suitably designed to provide reasonable assurance that the control objectives would be achieved if they operated effectively as of the specified date.
c. If the application of complementary user entity controls is necessary to achieve the control objectives stated in management’s description, a reference to this condition.
15. A statement restricting the use of the service auditor’s report to the management of the service organization, user entities of the service organization as of the end of the period covered by the report, and the independent auditors of those user entities.
16. The date of the report.
17. The name of the service auditor and the city and state where the auditor maintains the office that is responsible for the engagement.

The service auditor should date the report no earlier than the date on which he or she obtained sufficient appropriate evidence to support the opinion.

The service auditor should modify his or her opinion, as well as modify the service auditor’s report to clearly describe all of the reasons for a modification under the following circumstances:

1. Management’s description of the system is not fairly presented.
2. The controls are not suitably designed to provide reasonable assurance that the control objectives would be achieved.
3. For a type 2 report, the controls do not operate effectively throughout the specified period to achieve the stated control objectives.
4. The service auditor is unable to obtain sufficient evidence.

If the service auditor plans to disclaim an opinion due to lack of evidence, and has concluded that some aspects of the description are not fairly presented, or some controls were not suitably designed to provide reasonable assurance regarding control objectives, or (for a type 2 report) some controls did not operate effectively throughout the specified period, then he or she should identify these findings in his or her report.

If the service auditor plans to disclaim an opinion, then he or she should not identify the procedures performed, nor describe characteristics of the engagement in the report.

Other Communication Responsibilities

If the service auditor is aware of incidents of legal or regulatory noncompliance, fraud, or uncorrected errors attributable to management or other personnel that are not trivial and which may affect user entities, then he or she should determine the effect of these incidents on the description of the organization’s system, control objectives, and the service auditor’s report. Further, the service auditor should take appropriate action if this information has not been communicated to affected user entities.

ILLUSTRATIONS

The following reports are adapted from SSAE 16.

1. An illustration of the wording of a Type 2 service auditor’s report.
2. An illustration of the wording of a Type 1 service auditor’s report.

Illustration 1. Type 2 Service Auditor’s Report
Independent Service Auditor’s Report on a Description of a Service Organization’s System and the Suitability of the Design and Operating Effectiveness of Controls
To: XYZ Service Organization
Scope
We have examined XYZ Service Organization’s description of its [type or name of] system for processing user entities’ transactions [or identification of the function performed by the system] throughout the period [date] to [date] (description) and the suitability of the design and operating effectiveness of controls to achieve the related control objectives stated in the description.
Service Organization’s Responsibilities
On page XX of the description, XYZ Service Organization has provided an assertion about the fairness of the presentation of the description and suitability of the design and operating effectiveness of the controls to achieve the related control objectives stated in the description. XYZ Service Organization is responsible for preparing the description and the assertion, including the completeness, accuracy, and method of presentation of the description and the assertion, providing the services covered by the description, specifying the control objectives and stating them in the description, identifying the risks that threaten the achievement of the control objectives, selecting the criteria, and designing, implementing, and documenting controls to achieve the related control objectives stated in the description.
Service Auditor’s Responsibilities
Our responsibility is to express an opinion on the fairness of the presentation of the description and on the suitability of the design and operating effectiveness of the controls to achieve the related control objectives stated in the description, based on our examination. We conducted our examination in accordance with attestation standards established by the American Institute of Certified Public Accountants. Those standards require that we plan and perform our examination to obtain reasonable assurance about whether, in all material respects, the description is fairly presented and the controls were suitably designed and operating effectively to achieve the related control objectives stated in the description throughout the period [date] to [date].
An examination of a description of a service organization’s system and the suitability of the design and operating effectiveness of the service organization’s controls to achieve the related control objectives stated in the description involves performing procedures to obtain evidence about the fairness of the presentation of the description and the suitability of the design and operating effectiveness of those controls to achieve the related control objectives stated in the description. Our procedures included assessing the risks that the description is not fairly presented and that the controls were not suitably designed or operating effectively to achieve the related control objectives stated in the description. Our procedures also included testing the operating effectiveness of those controls that we consider necessary to provide reasonable assurance that the related control objectives stated in the description were achieved. An examination engagement of this type also includes evaluating the overall presentation of the description and the suitability of the control objectives stated therein, and the suitability of the criteria specified by the service organization and described at page [aa]. We believe that the evidence we obtained is sufficient and appropriate to provide a reasonable basis for our opinion.
Inherent Limitations
Because of their nature, controls at a service organization may not prevent, or detect and correct, all errors or omissions in processing or reporting transactions [or identification of the function performed by the system]. Also, the projection to the future of any evaluation of the fairness of the presentation of the description, or conclusions about the suitability of the design or operating effectiveness of the controls to achieve the related control objectives is subject to the risk that controls at a service organization may become inadequate or fail.
Opinion
In our opinion, in all material respects, based on the criteria described in XYZ Service Organization’s assertion on page [aa],
1. The description fairly presents the [type or name of] system that was designed and implemented throughout the period [date] to [date].
2. The controls related to the control objectives stated in the description were suitably designed to provide reasonable assurance that the control objectives would be achieved if the controls operated effectively throughout the period [date] to [date].
3. The controls tested, which were those necessary to provide reasonable assurance that the control objectives stated in the description were achieved, operated effectively throughout the period [date] to [date].
Descriptions of Tests of Controls
The specific controls tested and the nature, timing, and results of those tests are listed on pages [yy–zz].
Restricted Use
This report, including the description of tests of controls and results thereof on pages [yy–zz], is intended solely for the information and use of XYZ Service Organization, user entities of XYZ Service Organization’s [type or name of] system during some or all of the period [date] to [date], and the independent auditors of such user entities, who have a sufficient understanding to consider it, along with other information including information about controls implemented by user entities themselves, when assessing the risks of material misstatements of user entities’ financial statements. This report is not intended to be and should not be used by anyone other than these specified parties.
Smith and Jones
Honolulu, Hawaii
March 1, 20X3
Following is a modification of the scope paragraph in a type 2 service auditor’s report if the description refers to the need for complementary user entity controls. (New language is shown in boldface italics):
We have examined XYZ Service Organization’s description of its [type or name of] system for processing user entities’ transactions [or identification of the function performed by the system] throughout the period [date] to [date] (description) and the suitability of the design and operating effectiveness of controls to achieve the related control objectives stated in the description. The description indicates that certain control objectives specified in the description can be achieved only if complementary user entity controls contemplated in the design of XYZ Service Organization’s controls are suitably designed and operating effectively, along with related controls at the service organization. We have not evaluated the suitability of the design or operating effectiveness of such complementary user entity controls.
Following is a modification of the applicable subparagraphs of the opinion paragraph of a type 2 service auditor’s report if the application of complementary user entity controls is necessary to achieve the related control objectives stated in the description of the service organization’s system (New language is shown in boldface italics):
2. The controls related to the control objectives stated in the description were suitably designed to provide reasonable assurance that those control objectives would be achieved if the controls operated effectively throughout the period [date] to [date] and user entities applied the complementary user entity controls contemplated in the design of XYZ Service Organization’s controls throughout the period [date] to [date].
3. The controls tested, which together with the complementary user entity controls referred to in the scope paragraph of this report, if operating effectively, were those necessary to provide reasonable assurance that the control objectives stated in the description were achieved, operated effectively throughout the period [date] to [date].
Following is a modification of the paragraph that describes the responsibilities of management of the service organization for use in a type 2 service auditor’s report when the control objectives have been specified by an outside party. (New language is shown in boldface italics):
On page XX of the description, XYZ Service Organization has provided an assertion about the fairness of the presentation of the description and suitability of the design and operating effectiveness of the controls to achieve the related control objectives stated in the description. XYZ Service Organization is responsible for preparing the description and for its assertion, including the completeness, accuracy, and method of presentation of the description and assertion, as well as for providing the services covered by the description, selecting the criteria, and designing, implementing, and documenting controls to achieve the related control objectives stated in the description. The control objectives have been specified by [name of party specifying the control objectives] and are stated on page [aa] of the description.


Illustration 2. Type 1 Service Auditor’s Report
Independent Service Auditor’s Report on a Description of a Service Organization’s System and the Suitability of the Design of Controls
To: XYZ Service Organization
Scope
We have examined XYZ Service Organization’s description of its [type or name of] system for processing user entities’ transactions [or identification of the function performed by the system] as of [date] (description), and the suitability of the design of controls to achieve the related control objectives stated in the description.
Service Organization’s Responsibilities
On page XX of the description, XYZ Service Organization has provided an assertion about the fairness of the presentation of the description and suitability of the design of the controls to achieve the related control objectives stated in the description. XYZ Service Organization is responsible for preparing the description and for its assertion, including the completeness, accuracy, and method of presentation of the description and the assertion, providing the services covered by the description, specifying the control objectives and stating them in the description, identifying the risks that threaten the achievement of the control objectives, selecting the criteria, and designing, implementing, and documenting controls to achieve the related control objectives stated in the description.
Service Auditor’s Responsibilities
Our responsibility is to express an opinion on the fairness of the presentation of the description and on the suitability of the design of the controls to achieve the related control objectives stated in the description, based on our examination. We conducted our examination in accordance with attestation standards established by the American Institute of Certified Public Accountants. Those standards require that we plan and perform our examination to obtain reasonable assurance about whether, in all material respects, the description is fairly presented and the controls were suitably designed to achieve the related control objectives stated in the description as of [date].
An examination of a description of a service organization’s system and the suitability of the design of the service organization’s controls to achieve the related control objectives stated in the description involves performing procedures to obtain evidence about the fairness of the presentation of the description of the system and the suitability of the design of the controls to achieve the related control objectives stated in the description. Our procedures included assessing the risks that the description is not fairly presented and that the controls were not suitably designed to achieve the related control objectives stated in the description. An examination engagement of this type also includes evaluating the overall presentation of the description and the suitability of the control objectives stated therein, and the suitability of the criteria specified by the service organization and described at page [aa].
We did not perform any procedures regarding the operating effectiveness of the controls stated in the description and, accordingly, do not express an opinion thereon.
We believe that the evidence we obtained is sufficient and appropriate to provide a reasonable basis for our opinion.
Inherent Limitations
Because of their nature, controls at a service organization may not prevent, or detect and correct, all errors or omissions in processing or reporting transactions [or identification of the function performed by the system]. The projection to the future of any evaluation of the fairness of the presentation of the description, or conclusions about the suitability of the design of the controls to achieve the related control objectives is subject to the risk that controls at a service organization may become inadequate or fail.
Opinion
In our opinion, in all material respects, based on the criteria described in XYZ Service Organization’s assertion:
1. The description fairly presents the [type or name of] system that was designed and implemented as of [date], and
2. The controls related to the control objectives stated in the description were suitably designed to provide reasonable assurance that the control objectives would be achieved if the controls operated effectively as of [date].
Restricted Use
This report is intended solely for the information and use of XYZ Service Organization, user entities of XYZ Service Organization’s [type or name of] system as of [date], and the independent auditors of such user entities, who have a sufficient understanding to consider it, along with other information including information about controls implemented by user entities themselves, when obtaining an understanding of user entities’ information and communication systems relevant to financial reporting. This report is not intended to be and should not be used by anyone other than these specified parties.
Smith and Jones
Honolulu, Hawaii
March 1, 20X3
Following is a modification of the scope paragraph in a type 1 report if the description of the service organization’s system refers to the need for complementary user entity controls. (New language is shown in boldface italics.)
We have examined XYZ Service Organization’s description of its [type or name of] system (description) made available to user entities of the system for processing their transactions [or identification of the function performed by the system] as of [date], and the suitability of the design of controls to achieve the related control objectives stated in the description. The description indicates that certain complementary user entity controls must be suitably designed and implemented at user entities for related controls at the service organization to be considered suitably designed to achieve the related control objectives. We have not evaluated the suitability of the design or operating effectiveness of such complementary user entity controls.
Following is a modification of the applicable subparagraph in the opinion paragraph of a type 1 report if the application of complementary user entity controls is necessary to achieve the related control objectives stated in management’s description of the service organization’s system (new language is shown in boldface italics):
2. The controls related to the control objectives stated in the description were suitably designed to provide reasonable assurance that those control objectives would be achieved if the controls operated effectively as of [date] and user entities applied the complementary user entity controls contemplated in the design of XYZ Service Organization’s controls as of [date].
Following is a modification of the paragraph that describes management of XYZ Service Organization’s responsibilities to be used in a type 1 report when the control objectives have been specified by an outside party (new language is shown in boldface italics):
On page XX of the description, XYZ Service Organization has provided an assertion about the fairness of the presentation of the description and suitability of the design of the controls to achieve the related control objectives stated in the description. XYZ Service Organization is responsible for preparing the description and assertion, including the completeness, accuracy, and method of presentation of the description and assertion, providing the services covered by the description, selecting the criteria, and designing, implementing, and documenting controls to achieve the related control objectives stated in the description. The control objectives have been specified by [name of party specifying the control objectives] and are stated on page [aa] of the description.


Illustration 3. Modified Service Auditor’s Reports
The following examples of modified service auditor’s reports are for guidance only and are not intended to be exhaustive or applicable to all situations. They are based on the illustrative reports above.
Example 1: Qualified Opinion for a Type 2 Report—The Description of the Service Organization’s System Is Not Fairly Presented in All Material Respects
The following is an illustrative paragraph describing the basis for the qualified opinion. The paragraph would be inserted before the modified opinion paragraph. All other report paragraphs are unchanged.
Basis for Qualified Opinion
The accompanying description states on page [mn] that XYZ Service Organization uses operator identification numbers and passwords to prevent unauthorized access to the system. Based on inquiries of staff personnel and observation of activities, we have determined that operator identification numbers and passwords are employed in applications A and B but are not required to access the system in applications C and D.
Opinion
In our opinion, except for the matter described in the preceding paragraph, and based on the criteria described in XYZ Service Organization’s assertion on page [aa], in all material respects . . .
Example 2: Qualified Opinion—The Controls Are Not Suitably Designed to Provide Reasonable Assurance That the Control Objectives Stated in the Description of the Service Organization’s System Would Be Achieved if the Controls Operated Effectively
The following is an illustrative paragraph describing the basis for the qualified opinion. The paragraph would be inserted before the modified opinion paragraph. All other report paragraphs are unchanged.
Basis for Qualified Opinion
As discussed on page [mn] of the accompanying description, from time to time, XYZ Service Organization makes changes in application programs to correct deficiencies or to enhance capabilities. The procedures followed in determining whether to make changes, in designing the changes, and in implementing them do not include review and approval by authorized individuals who are independent from those involved in making the changes. There also are no specified requirements to test such changes or provide test results to an authorized reviewer prior to implementing the changes. As a result the controls are not suitably designed to achieve the control objective, “Controls provide reasonable assurance that changes to existing applications are authorized, tested, approved, properly implemented, and documented.”
Opinion
In our opinion, except for the matter described in the preceding paragraph, and based on the criteria described in XYZ Service Organization’s assertion on page [aa], in all material respects . . .
Example 3: Qualified Opinion for a Type 2 Report—The Controls Did Not Operate Effectively Throughout the Specified Period to Achieve the Control Objectives Stated in the Description of the Service Organization’s System
The following is an illustrative paragraph describing the basis for the qualified opinion. The paragraph would be inserted before the modified opinion paragraph. All other report paragraphs are unchanged.
Basis for Qualified Opinion
XYZ Service Organization states in its description that it has automated controls in place to reconcile loan payments received with the various output reports. However, as noted on page [mn] of the description of tests of controls and results thereof, this control was not operating effectively throughout the period [date] to [date] due to a programming error. This resulted in the nonachievement of the control objective, “Controls provide reasonable assurance that loan payments received are properly recorded” throughout the period January 1, 20X1, to April 30, 20X1. XYZ Service Organization implemented a change to the program performing the calculation as of May 1, 20X1, and our tests indicate that it was operating effectively throughout the period May 1, 20X1, to December 31, 20X1.
Opinion
In our opinion, except for the matter described in the preceding paragraph, and based on the criteria described in XYZ Service Organization’s assertion on page [aa], in all material respects . . .
Example 4: Qualified Opinion—The Service Auditor Is Unable to Obtain Sufficient Appropriate Evidence
The following is an illustrative paragraph describing the basis for the qualified opinion. The paragraph would be inserted before the modified opinion paragraph. All other report paragraphs are unchanged.
Basis for Qualified Opinion
XYZ Service Organization states in its description that it has automated controls in place to reconcile loan payments received with the output generated. However, electronic records of the performance of this reconciliation for the period from [date] to [date] were deleted as a result of a computer processing error and, therefore, we were unable to test the operation of this control for that period. Consequently, we were unable to determine whether the control objective, “Controls provide reasonable assurance that loan payments received are properly recorded” was achieved throughout the period [date] to [date].
Opinion
In our opinion, except for the matter described in the preceding paragraph, and based on the criteria described in XYZ Service Organization’s assertion on page [aa], in all material respects . . .


Illustration 4. Report Paragraphs for Service Organizations That Use a Subservice Organization
Following are modifications of the illustrative type 2 report in Illustration 1 above for use in engagements in which the service organization uses a subservice organization. (New language is shown in boldface italics; deleted language is shown by strikethrough.)
Example 1: Carve-Out Method
Scope
We have examined XYZ Service Organization’s description of its system for processing user entities’ transactions [or identification of the function performed by the system] throughout the period [date] to [date] (description) and the suitability of the design and operating effectiveness of controls to achieve the related control objectives stated in the description.
XYZ Service Organization uses a computer processing service organization for all of its computerized application processing. The description on pages [bb–cc] includes only the controls and related control objectives of XYZ Service Organization and excludes the control objectives and related controls of the computer processing service organization. Our examination did not extend to controls of the computer processing service organization.
All other report paragraphs are unchanged.
Example 2: Inclusive Method
Scope
We have examined XYZ Service Organization’s and ABC Subservice Organization’s description of its [their] [type or name of] system for processing user entities’ transactions [or identification of the function performed by the system] throughout the period [date] to [date] (description) and the suitability of the design and operating effectiveness of XYZ Service Organization’s and ABC Subservice Organization’s controls to achieve the related control objectives stated in the description. ABC Subservice Organization is an independent service organization that provides computer processing services to XYZ Service Organization. XYZ Service Organization’s description includes a description of ABC Subservice Organization’s [type or name of] system used by XYZ Service Organization to process transactions for its user entities, as well as relevant control objectives and controls of ABC Subservice Organization.
XYZ Service Organization’s Responsibilities
On page XX of the description, XYZ Service Organization [and ABC Subservice Organization] has [have] provided an assertion [their assertions] about the fairness of the presentation of the description and suitability of the design and operating effectiveness of the controls to achieve the related control objectives stated in the description. XYZ Service Organization and ABC Subservice Organization are responsible for preparing the description and assertions, including the completeness, accuracy, and method of presentation of the description and assertions, providing the services covered by the description, specifying the control objectives and stating them in the description, identifying the risks that threaten the achievement of the control objectives, selecting the criteria, and designing, implementing, and documenting controls to achieve the related control objectives stated in the description.
Inherent Limitations
Because of their nature, controls at a service organization or subservice organization may not prevent, or detect and correct, all errors or omissions in processing or reporting transactions. Also, the projection to the future of any evaluation of the fairness of the presentation of the description or any conclusions about the suitability of the design or operating effectiveness of the controls to achieve the related control objectives is subject to the risk that controls at a service organization or subservice organization may become ineffective or fail.
Opinion
In our opinion, in all material respects, based on the criteria specified in XYZ Service Organization’s and ABC Subservice Organization’s assertions on page [aa]:
1. The description fairly presents XYZ Service Organization’s [type or name of] system and ABC Subservice Organization’s [type or name of] system used by XYZ Service Organization to process transactions for its user entities [or identification of the function performed by the service organization’s system] that were designed and implemented throughout the period [date] to [date].
2. The controls related to the control objectives of XYZ Service Organization and ABC Subservice Organization stated in the description were suitably designed to provide reasonable assurance that the control objectives would be achieved if the controls operated effectively throughout the period [date] to [date].
3. The controls of XYZ Service Organization and ABC Subservice Organization that we tested, which were those necessary to provide reasonable assurance that the control objectives stated in the description were achieved, operated effectively throughout the period [date] to [date].
All other report paragraphs are unchanged.


Illustration 5. Assertions by Management of a Service Organization
The assertion by management of the service organization may be included in management’s description of the service organization’s system or may be attached to the description. The following illustrative assertions are intended for assertions that are included in the description.
The following illustrative management assertions are for guidance only and are not intended to be exhaustive or applicable to all situations.
Example 1: Assertion by Management of a Service Organization for a Type 2 Report
XYZ Service Organization’s Assertion
We have prepared the description of XYZ Service Organization’s [type or name of] system (description) for user entities of the system during some or all of the period [date] to [date], and their user auditors who have a sufficient understanding to consider it, along with other information, including information about controls implemented by user entities of the system themselves, when assessing the risks of material misstatements of user entities’ financial statements. We confirm, to the best of our knowledge and belief, that:
1. The description fairly presents the [type or name of] system made available to user entities of the system during some or all of the period [date] to [date] for processing their transactions [or identification of the function performed by the system]. The criteria we used in making this assertion were that the description:
a. Presents how the system made available to user entities of the system was designed and implemented to process relevant transactions, including:
(1) The classes of transactions processed
(2) The procedures, within both automated and manual systems, by which those transactions are initiated, authorized, recorded, processed, corrected as necessary, and transferred to the reports presented to user entities of the system.
(3) The related accounting records, supporting information, and specific accounts that are used to initiate, authorize, record, process, and report transactions; this includes the correction of incorrect information and how information is transferred to the reports presented to user entities of the system
(4) How the system captures and addresses significant events and conditions, other than transactions
(5) The process used to prepare reports or other information provided to user entities of the system
(6) Specified control objectives and controls designed to achieve those objectives
(7) Other aspects of our control environment, risk assessment process, information and communication systems (including the related business processes), control activities, and monitoring controls that are relevant to processing and reporting transactions of user entities of the system
b. Does not omit or distort information relevant to the scope of the [type or name of] system, while acknowledging that the description is prepared to meet the common needs of a broad range of user entities of the system and the independent auditors of those user entities, and may not, therefore, include every aspect of the [type or name of] system that each individual user entity of the system and its auditor may consider important in its own particular environment.
2. The description includes relevant details of changes to the service organization’s system during the period covered by the description when the description covers a period of time.
3. The controls related to the control objectives stated in the description were suitably designed and operated effectively throughout the period [date] to [date] to achieve those control objectives. The criteria we used in making this assertion were that
a. The risks that threaten the achievement of the control objectives stated in the description have been identified by the service organization;
b. The controls identified in the description would, if operating as described, provide reasonable assurance that those risks would not prevent the control objectives stated in the description from being achieved; and
c. The controls were consistently applied as designed, including whether manual controls were applied by individuals who have the appropriate competence and authority.
Example 2: Assertion by Management of a Service Organization for a Type 1 Report
XYZ Service Organization’s Assertion
We have prepared the description of XYZ Service Organization’s [type or name of] system (description) for user entities of the system as of [date], and their user auditors who have a sufficient understanding to consider it, along with other information including information about controls implemented by user entities themselves, when obtaining an understanding of user entities’ information and communication systems relevant to financial reporting. We confirm, to the best of our knowledge and belief, that:
1. The description fairly presents the [type or name of] system made available to user entities of the system as of [date] for processing their transactions [or identification of the function performed by the system]. The criteria we used in making this assertion were that the description:
a. Presents how the system made available to user entities of the system was designed and implemented to process relevant transactions, including:
(1) The classes of transactions processed.
(2) The procedures, within both automated and manual systems, by which those transactions are initiated, authorized, recorded, processed, corrected as necessary, and transferred to the reports presented to user entities of the system.
(3) The related accounting records, supporting information, and specific accounts that are used to initiate, authorize, record, process, and report transactions; this includes the correction of incorrect information and how information is transferred to the reports provided to user entities of the system.
(4) How the system captures and addresses significant events and conditions, other than transactions.
(5) The process used to prepare reports or other information provided to user entities of the system.
(6) Specified control objectives and controls designed to achieve those objectives.
(7) Other aspects of our control environment, risk assessment process, information and communication systems (including the related business processes), control activities, and monitoring controls that are relevant to processing and reporting transactions of user entities of the system.
b. Does not omit or distort information relevant to the scope of the [type or name of] system, while acknowledging that the description is prepared to meet the common needs of a broad range of user entities of the system and the independent auditors of those user entities, and may not, therefore, include every aspect of the [type or name of] system that each individual user entity of the system and its auditor may consider important in its own particular environment.
2. The controls related to the control objectives stated in the description were suitably designed as of [date] to achieve those control objectives. The criteria we used in making this assertion were that:
a. The risks that threaten the achievement of the control objectives stated in the description have been identified by the service organization.
b. The controls identified in the description would, if operating as described, provide reasonable assurance that those risks would not prevent the control objectives stated in the description from being achieved.