Service Organizations: Reporting on Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting
This updated and improved guide is designed to help CPAs effectively perform service organization control (SOC) 1 engagements under Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization.
With the growth in business specialization, outsourcing to service organizations has become increasingly popular, increasing the demand for SOC 1℠ engagements.
This guide will help you:
- Gain a deeper understanding of Service Organization Control Guidance and common practice issues, giving you the foundational knowledge to effectively perform engagements.
- Provide best-in-class services related to planning, performing, and reporting on a service auditor’s engagement.
- Successfully complete the transition from SAS No. 70, Service Organizations, to SSAE No. 16, Reporting on Controls at a Service Organization (issued in April 2010).
- Understand the kinds of information auditors of the financial statements of user entities need from a service auditor’s report.
- Implement the SSAE No. 16 requirement regarding obtaining a written assertion from management of a service organization, with illustrative management assertions provided for a type 1 and a type 2 report.
- Provide management representation letters and control objectives for various types of service organizations.
In addition, this guide contains over 20 illustrative service auditor’s reports to help you with situations that may require modification of the report.
This guide has been fully conformed to reflect changes resulting from the clarified auditing standards.
Other Types of Internal Control Engagements .10
2 Understanding How a User Auditor Uses a Type 1 or Type 2 Report .01-.20
Obtaining an Understanding of the Entity and Its Environment, Including the Entity’s Internal Control When the Entity Uses a Service Organization .01-.03
Service Organization Services to Which AU-C Section 402 Does Not Apply .04
Understanding Whether Controls at a Service Organization Affect a User Entity’s Internal Control .05-.11
Types of Service Auditor’s Reports .12
Obtaining Evidence of the Operating Effectiveness of Controls at a Service Organization .13-.18
Information That Assists User Auditors in Evaluating the Effect of a Service Organization on a User Entity’s Internal Control .19-.20
3 Planning a Service Auditor’s Engagement .01-.112
Responsibilities of Management of the Service Organization .01-.112
Defining the Scope of the Engagement .02
Determining the Type of Engagement to Be Performed .03-.06
Determining the Period to Be Covered by the Report .07-.09
Determining Whether Any Subservice Organizations Will Be Included In or Carved Out of the Description .10-.34
Selecting the Criteria for the Description of the System .35
Preparing the Description .36-.56
Specifying the Control Objectives .57-.77
Preparing Management’s Written Assertion .78-.98
Assessing the Suitability of Criteria .99-.100
Planning to Use the Work of the Internal Audit Function .101-.108
Coordinating Procedures With the Internal Audit Function .109-.112
Chapter Paragraph
4 Performing an Engagement Under AT Section 801 .01-.147
Obtaining and Evaluating Evidence About Whether the Description of the Service Organization’s System Is Fairly Presented .01-.14
Other Information in the Description That Is Not Covered by the Service Auditor’s Report .11-.12
Materiality Relating to the Fair Presentation of the Description of the Service Organization’s System .13-.14
Evaluating Whether Control Objectives Relate to Internal Control Over Financial Reporting .15-.41
Implementation of Service Organization Controls .18-.23
Changes to the Scope of the Engagement .24-.27
Complementary User Entity Controls .28-.31
Subservice Organizations .32-.40
Other Matters Relating to Fair Presentation .41
Obtaining and Evaluating Evidence Regarding the Suitability of the Design of Controls .42-.65
Obtaining and Evaluating Evidence Regarding the Operating Effectiveness of Controls in a Type 2 Engagement .66-.67
Determining Which Controls to Test .68-.73
Designing and Performing Tests of Controls .74-.99
Nature of Tests of Controls .79-.89
Timing of Tests of Controls .90-.91
Extent of Tests of Controls .92-.95
Superseded Controls .96-.99
Selecting Items to Be Tested .100-.103
Using the Work of the Internal Audit Function .104-.115
Direct Assistance .114-.115
Evaluating the Results of Tests of Controls .116-.128
Controls That Did Not Operate During the Period Covered by the Service Auditor’s Report .120-.126
Extending or Modifying the Period .129-.147
Management’s Written Representations for the Extended or Modified Period .139
Deficiencies That Occur During the Original, Extended, or Modified Period .140-.143
Examination Quality Control .144-.147
5 Reporting and Completing the Engagement .01-.102
Responsibilities of the Service Auditor .01-.64
Describing Tests of Controls and the Results of Tests .02-.13
Preparing the Service Auditor’s Report .14-.23
Modifications to the Service Auditor’s Report .24-.64
Other Matters Related to the Service Auditor’s Report .65-.74
Intended Users of the Report .65-.67
Determining Whether an Entity Is an Indirect User Entity .68-.73
Report Date .74
Completing the Engagement .75-.93
Obtaining Written Representations .76-.87
Subsequent Events Up to the Date of the Service Auditor’s Report .88-.92
Subsequently Discovered Facts That Become Known to the Service Auditor After the Release of the Service Auditor’s Report .93
Service Auditor’s Recommendations for Improving Controls .94
Management’s Responsibilities During Engagement Completion .95-.102
Modifying Management’s Written Assertion .96-.99
Distribution of the Report by Management .100-.102
A Illustrative Type 2 Reports
B Illustrative Assertions By Management of a Service Organization and Management of a Subservice Organization for a Type 2 Engagement in Which the Inclusive Method Is Used to Present the Subservice Organization
C Illustrative Management Representation Letters
D Reporting on IT General Controls Only; Illustrative Management Assertions and Service Auditor’s Reports
E Illustrative Control Objectives for Various Types of Service Organizations
F Comparison of SOC 1, SOC 2, and SOC 3 Engagements and Related Reports
G Other Referenced Authoritative Standards
H Schedule of Changes Made to the Text From the Previous
Founded in 1887, the American Institute of Certified Public Accountants (AICPA) represents the CPA and accounting profession nationally and globally regarding rule-making and standard-setting, and serves as an advocate before legislative bodies, public interest groups and other professional organizations. The AICPA develops standards for audits of private companies and other services by CPAs; provides educational guidance materials to its members; develops and grades the Uniform CPA Examination; and monitors and enforces compliance with the accounting profession’s technical and ethical standards.
The AICPA’s founding established accountancy as a profession distinguished by rigorous educational requirements, high professional standards, a strict code of professional ethics, a licensing status and a commitment to serving the public interest.