Presentation on theme: "SAS #70 (as Amended by SAS #88)"— Presentation transcript:
1SAS #70 (as Amended by SAS #88) Service OrganizationsNSAA IT ConferenceSeptember 28, 2006Nashville, TNPresented by:Michael A. Billo, CISA, CGAPPA Department of Auditor GeneralIntroduce yourself, experience, years with department, etc.Ask participants to introduce themselves; participants’ expectations of courseHandout copy of SAS #88 from AICPA Journal of Accountancy
2Objectives To recognize the use of a service organization Will give guidance how to know if it’s a service organization.
3ObjectivesTo provide guidance in determining when controls at the service organization should be considered during the auditThis is the tricky part, but have developed a methodology to help you gauge.Will depend on the information system of your auditee.
4ObjectivesTo understand the difference between a Type 1 and Type 2 review (report)Clear cut differences between the 2 types of reports.Also will give guidance on the different sections of the report.
5Overview and PurposeSAS No. 70, as amended, is not applicable to every service provided by a service organization. It is applicable only if the service is part of the user organization’s information system.“Information System” definition follows – the generic one and the one from SAS 70 (with financial statement references removed).
6Information System… that which identifies, captures, and exchanges information (data) in a form and time frame that enables people to carry out their responsibilities.… not always directly related to an audit of financial statements; however, the guidance talks heavily about f/s audits.Definition is from SAS #94 para #7, Already getting the tie-in between SAS 70 and 94.SAS #70 is very I/C-based, dependent, reliant.
7For this presentation … Think of relevance of service organizations’ effects NOT ONLY on the financial statementsBUT…………..ALSOOn the Audit Objective(s) !Introduce importance of knowing the audit objective and audit universe.
8Information System Indicators from SAS #88: A service organization’s services are part of an entity’s information system if they affect any of the following:Here’s the wording about an information system from SAS 70 with references to … affecting financial statement reporting objectives removed.
9Information System (SAS #88) How the entity’s transactions are initiatedThe accounting records, supporting information, and specific accounts in the financial statements involved in the processing and reporting of the entity’s transactionsBasically, it’s following a transaction or process from start to finish
10Information System (SAS #88) The accounting processing involved from the initiation of the transactions to their inclusion in the financial statements, including electronic means (such as computers and electronic data interchange) used to transmit, process, maintain, and access informationThe financial reporting process used to prepare the entity’s financial statements, including significant accounting estimates and disclosuresNotice the importance of what’s happening from start to end (input, processing, output)
11So What is SAS 70 ?Ready for a plain and simple explanation/definition?
12“SAS #70”… a separate review engagement designed to provide information about control objectives that may be relevant to other audit engagements depending on the other audit engagements’ objectives.A plain and simple explanation
13Purpose of SAS 70 ReportsPrimary purpose is to provide information to auditors of user organizationsNot for public disclosure – too much detailed information could be a security risk
14Definitions User organization User auditor Service organization Service auditorNeed to keep this terminology clear
15User OrganizationThe entity that has engaged a service organization and who is being audited.The auditee!
16User Auditor The auditor of the user organization. The Department of the Auditor General’s auditors
17Service OrganizationThe entity (or segment of an entity) that provides services to a user organization that are part of the user organization’s information system.
18Service AuditorThe auditor who reports on controls of a service organization that may be relevant to a user organization’s internal control.
19Examples of Service Organizations Trust departments of banks and insurance companiesTransfer agents, custodians, and recordkeepers for investment companiesMortgage servicers or depository institutions that service loans for othersAccording to AICPA – “Service organizations may provide services ranging from performing a specific task under the direction of an entity to replacing entire business units or functions of an entity.”
20Examples of Service Organizations Application Service ProvidersInternet Service ProvidersOther Information Technology Entities
21Advantages of Service Organizations Controls at the service organization can be good – they do this kind of work all the time.Good controls are part of good customer service.Be on guard though – some service organizations are not mindful of controls – or at least controls are not as important as service!
22Internal ControlThe concept of an entity’s internal control is fundamental to SAS No. 70, and is defined in SAS No. 55, Consideration of Internal Control in a Financial Statement Audit, as amended (94). Internal control is a process – effected by an entity’s board of directors, management, and other personnel – designed to provide reasonable assurance regarding the achievement of objectives in the following categories:SAS 94, paragraph 6.
23Internal Control (continued) Reliability of financial reportingEffectiveness and efficiency of operations,Compliance with applicable laws and regulations.Introduce operational and compliance
24Back to SAS #94These service organization controls may represent or affect a user organization’s:control environment,risk assessment,control activities,information and communication, ormonitoringcomponents of internal control.There’s those 5 components again!
25Internal Control (SAS #94) Components Control Environment sets the tone of an organization, influencing the control consciousness of its people.Risk Assessment is the entity’s identification and analysis of relevant risks to achievement of it objectives, forming a basis for determining how the risks should be managed.
26Internal Control (SAS #94) Components Control Activities are the policies and procedures that help ensure management directives are carried out.Information and Communication systems support the identification, capture, and exchange of information in a form and time frame that enable people to carry out their responsibilities.Mention that #4 really is the key to the definition of an information system.
27Internal Control (SAS #94) Components Monitoring is a process that assesses the quality of internal control performance over time.
28Aspects of Control Environment Integrity and ethical valuesCommitment to competenceBoard of Directors or audit committee participationManagement’s philosophy and operating styleOrganizational structureAssignment of authority and responsibilityHuman resource policies and practices
29Aspects of Risk Assessment Changes in the operating environmentNew personnelNew or revamped systemsRapid growthNew technologyNew business models, products, or activitiesCorporate restructuringsExpanded foreign operationsNew accounting pronouncements
30Aspects of Information and Communication … procedures, whether automated or manual, and records established by the service organization to:Initiate, record, process, and report a user organization’s transactions (as well as events and conditions) and maintain accountability for the related assets, liabilities, and equity.Provide an understanding of the individual roles and responsibilities pertaining to internal control over reporting.
31Aspects of Information and Communication (cont’d.) Auditor must understand:Classes of transactionsProcedures (automated & manual)The related accounting recordsHow the information system captures other events and conditionsThe financial reporting processTransactions significant to the f/sBy which transactions are initiated, recorded, processed, and reported from occurrence to f/sElectronic or manual, supporting information, specific accounts in the f/s… that are significant to the f/s… used to prepare the f/s, including significant accounting estimates and disclosures.
32Aspects of Monitoring Internal auditors Quality control External communicationsCustomer complaintsRegulators
33Objectives and Components There is a direct relationship between the objectives (which are what the entity strives to achieve) and the components (which represent what is needed to achieve the objectives).SAS No. 70 addresses the effect that a service organization may have on an entity’s (user organization’s) objectives.
34We will focus on the overall internal controls of the user organization, rather than specifically on the service organization’s internal controls – the overall assessment is the key!Internal controls relevant to the audit objective can be at the user organization and service organization. Rarely is I/C solely at the service organization. After all, whose responsibility is it for I/C? MANAGEMENT’S
35More DefinitionsControls – the policies and procedures an entity establishes to implement one or more aspects of the five components of internal control. Controls may exist at the user organization or at the service organization.… because when a user organization uses a service organization, certain controls at the service organization may be part of the user organization’s information system.
36More Definitions (continued) Service organization’s controls – Controls at a service organization that are part of a user organization’s information system.They do not include service organization controls that are not relevant to a user organization’s information system.
37More Definitions (continued) Control Objectives – Generally, financial statement reporting control objectives, but also may encompass compliance or operational control objectives.Reinforce that the guidance refers heavily to controls as they impact the f/s reporting objectives, but also references other control objectives like compliance and operational ones.
38Assertions are …Either explicit or implicit and can be classified according to the following broad categories:Existence or occurrenceCompletenessRights and obligationsValuation or allocationPresentation and disclosure
39Examples of Assertions in User Organization’s Financial Statements and Related Service Organization Control ObjectivesDescribe services provided for Examples 1-3, and 4-6.
40Example (1) Existence or occurrence Savings deposits and withdrawal transactions are received from authorized sources.Left side is the assertion –- right side is the control objective.
41Example (2) Completeness Savings deposit and withdrawal transactions received from the user organizations initially are recorded completely and accurately.Output data and documents are complete and accurate and distributed to authorized recipients timely.
42Example (3) Valuation or allocation Programmed interest and penalties are calculated in conformity with the description.Output data and documents are complete and accurate and distributed to authorized recipients timely.;
43Example (4) Completeness Investment purchases and sales are recorded completely, accurately and timely.
44Example (5) Valuation or allocation Investment income is recorded accurately and timely.
45Example (6) Rights and obligations Investment purchases and sales are recorded completely, accurately, and timely.
46When Is a Service Organization Important? In planning the audit when transactions, accounts, processes, or operations are subjected to controls that are, at least in part, physically and operationally separate from the user organization.If the service organization’s functionality does not affect your audit objectives or audit universe or you have sufficient audit coverage without considering the service organization – then you can document that the service organization has no impact on your audit and not pursue a further understanding of the service organization’s controls.However, as you will see later, if a SAS 70 report is available, you should request it to be conservative.
47How Do I Set Risk? Auditor may initially set control risk at maximum. Auditor may obtain evidence about the effectiveness of the design and operation of controls (TEST) to determine if a basis exists to set control risk below maximum.
48What is Control Risk?The risk that a material misstatement could occur in a management assertion and will not be prevented or detected on a timely basis by the entity’s internal control.It is also the process of evaluating the effectiveness of an entity’s internal control in preventing or detecting significant failure to meet compliance or operational objectives (assertions).
49What Must I do About Controls? Always gain an understanding of the design of controls and whether they have been placed in operation.Test those controls (if I want to reduce my control risk)Sometimes the interviews of personnel and observations of functioning of controls is sufficient evidential matter.Give concrete examples:- If your key control is that systems manuals are available on-site for use by tech staff – seeing that the manuals are current is enough.- If your key control is that all vouchers are signed by the controller prior to payments, then you need to select a sample of vouchers and test.
50What are Key Controls? Where are Key Controls? Controls that are considered critical by the user auditor to achieving specific control objectives
51You’ll have to use Auditor Judgment ! Whatever You Do….You’ll have to use Auditor Judgment !Look at your Audit UniverseConsider your Audit ObjectivesBalance and Gauge Your Audit Riskand then…
53So How Do I Do This?Use a step down / step through approach (some yes/no’s & if/then’s)You Must Know your audit objective and audit universe to do it!
54Step 1 What does the service organization do? Gain that initial understanding of the functionality and responsibilities of the service organization.
55Step 2Does the service organization’s function/process relate to my audit objective and/or my audit universe?If NO I don’t need to consider controls at the service organizationIf YES, I proceed to Step 3Give example of audit objective of looking at auditee’s investments and the service organization is only processing their payroll.
56Step 3How much activity (transactions, accounts, processes, operations and/or procedures) of the user organization are at the service organization?How much internal control did the user org. (auditee) give up to the service org.?Gauge activity by dollars, volume, and other relevant thresholds.
57Step 4Is the activity at the service organization minimal for the user organization?andIs the audit approach at the user organization sufficient to give adequate audit coverage?What gets us to adequacy? (may need a slide – slide that they fill in)Identifying and testing compensating key controls at the user organization.Identifying and testing manual controls at the user organization that would identify weaknesses at the service organization.100% authorization of transactions at the user organization and 100% review of all output from the service organization.
58Now What?If the answers to both questions in Step 4 are YES, I don’t need a SAS 70 of the service organization – I have enough to plan my audit and assess control risk.If the answers to both questions in Step 4 are NO, I need to do more to understand controls at the service organization.
59HOWEVER !!As government auditors – you may act conservatively and go the extra mile.Obtain the SAS 70, if available, just in case it contains BIG issues in the report.If a SAS 70 is not available, you may want to recommend obtaining one.You may want to make a finding, a letter of comment, verbal recommendation to management. Explain if the activity increases, this could be a problem in future years.Your audit approach is sufficient regardless of the SAS 70 results, but considering issues in the report may motivate the auditee to address them – bottom line – better internal control overall and less likely to be an issue in future years.A proactive approach is beneficial for planning in future years especially if the percentage changes between the amount of internal control at the service organization as compared to the amount of internal control at the user organization.
60Step 5If the answers to the questions in Step 4 are NO, I have to do more.Is there a SAS 70?If YES, obtain it and evaluate it.How do I evaluate it – let’s start with the degree of interaction between the user org’s I/C and the service org’s I/C.
61Degree of InteractionRefers to the extent to which a user organization is able to and elects to implement effective controls over the processing performed by the service organization.
62How Do I Understand Interaction? Start with a review of the contract – what contractually should the service organization be doing for the user organization?Does the contract mention responsibility for controls?Interview and observe.Sufficiency of procedures – what’s enough?
63What Is High Interaction? Services provided by the service organization are limited toRecording user organization transactionsProcessing the related dataUser organization retains responsibility for authorizing transactions and maintaining related accountability
64Example of High Interaction Employee benefit plan (EBP) uses a bank for a directed trustEBP makes investing decisions (bank not allowed to execute transactions without specific approval)EBP reconciles its own records of investments to the bank’s records
65Example of Moderate Interaction Same employee benefit plan (EBP) using a directed trustEBP authorizes transactionsEBP chooses not to generate independent investment records and relies on the bank’s statements
66Example of Low Interaction Same employee benefit plan (EBP) uses a discretionary trustBank is given broad authority to invest the plan’s assetsEBP has no way to generate independent records
67What If There’s No SAS 70?User auditor can ask the auditee (user organization) to request that a service auditor be engaged to perform procedures that will provide the necessary information.User auditor may visit the service organization and perform procedures there.Bullet 2 – with permission of the user organization and the service organization
68Agreed-upon procedures Another AlternativeAgreed-upon proceduresAICPA APR lists an agreed-upon procedure engagement as an alternative to have tests of controls performed.However, you would need to understand the control design in order to specify what tests needed to be performed.This alternative seems to be available when there is a type 1 report (no testing) describing the controls.The service organization hires the service auditor to perform testing.This is a “here’s what we did; here’s what we found situation – should be a report on key controls or else it doesn’t mean anything.Note that this is a deviation from a SAS 70 report format.
69What If You’ve Exhausted All Options? The AICPA says…“If the user auditor is unable to obtain sufficient evidence to achieve his or her audit objectives, the user auditor should qualify his or her opinion or disclaim an opinion on the financial statements because of a scope limitation.”AICPA APR page 6
70If you need to settle a bar bet … AICPA APR says– “SAS 60 does not apply to a service auditor’s engagement because it provides guidance on identifying and communicating reportable conditions … during the audit of …financial statements.”By the way – did you know that the Guinness Book of World Records was first underwritten by the Guinness Brewing company to settle bar bets? - look up “Guinness” on google.com.This is important – don’t have to identify reportable conditions in the SAS 70, BUT if you’re the user auditor, you may have to report them in your audit.Evaluate and disposition as though you found it – it’s part of your audit process as the user auditor.
71Two Types of Service Auditors’ Reports Form and ContentObjective here is to help you understand how to recognize the types of SAS 70s; how to identify the sections of the report.
72Two Types of ReportsType 1 report – a report on controls placed in operationType 2 report – a report on controls placed in operation and tests of operating effectiveness
73What’s the Difference?Type 1 – concludes on the design of the controls only – no testingThis type of report is useful only in “gaining an understanding”Type 2 – includes tests of operating effectivenessThis type of report may allow user auditors to rely on controls to reduce risk
74Report FormatSection 1 – Service Auditor’s Report -- the auditor’s opinion (section 1)Section 2 – Service Organization’s Description of ControlsSection 3 – Information Provided by the Service AuditorSection 4 – Other Information Provided by the Service Organization
75Format of Type 1 and Type 2 Reports Are Flexible However, the organization and presentation of the reports always should differentiate between:The service auditor’s report (the opinion letter)The service organization’s description of controlsInformation provided by the service auditorOther information provided by the service organizationNeed to always clearly differentiate between the sections prepared by the service auditor and those prepared by the service organization.When going through this slide – verbally remind everyone of section 1, 2, 3, 4
76Types and Sections Recap Type 1 and type 2 – refer to the entire documentSections 1, 2, 3, 4 – refer to only parts of the documentService auditors report – refers to section 1
77Section 1 – The Service Auditor’s Report Letter issued by the service auditor expressing an opinion on theFairness of the presentation of the service organization’s description of controlsThe suitability of the design of the controls to achieve specified control objectivesIn a type 2 engagement – whether the specific controls were operating with sufficient effectiveness to achieve the related control objectivesThe term sufficient effectiveness is notable here – I have seen SAS 70 reports where there were errors noted in the testing performed. However, the auditors still expressed the opinion that the controls were operating with sufficient effectiveness to achieve objectives.- the idea in a SAS 70 report is for the service organization and the service auditors to provide sufficient detail in the report to allow the user auditor to understand the basis for the opinion. This level of detail also allows the user auditor to come to their own conclusion, if they disagree with the service auditor’s opinion. The user auditor may decide that the errors noted are of a concern to him or her (even though they were not to the service auditor) and then the user auditor would continue to assess control risk at high and keep substantive testing high.
78Section 1 Can Not Be Distributed Alone The service auditor’s report (section 1 – the letter issued by the service auditor) should not be distributed without the:Accompanying description of the service organization’s controls, andThe description of the service auditor’s tests of operating effectiveness and the results of those tests (when applicable)Note for future research: It might be really interesting to present the thought process that occurred during SAS 70 development. i.e., what were the comments to the exposure draft, what changed during the exposure period, etc.
79Section 2 – Service Organization’s Description of Controls The service organization’s description of controls generally is prepared by the service organization.The service organization is responsible for the completeness, accuracy, and method of presentation of the description.
80Section 2 – Description of Controls Service organization controls are considered relevant to a user organization’s internal control if they represent or affect a user organization’s internal control as it relates to audit objectives.
81Section 2 – Description of Controls The service organization’s description of controls should provide sufficient information to user auditors to understand how the service organization’s processing affects the components, BUT not so detailed as to potentially allow a reader to compromise security or other controls.The degree of detail of the description should be equivalent to the degree of detail a user auditor would require if a service organization were not used.
82Section 2 – Description of Controls The controls should be tailored to the service provided by the service organization, and if appropriate, help the user organization(s) achieve financial reporting, operational and compliance objectives.
83Section 2 - Computer Processing Most service organizations depend primarily on computer processing to perform contractual services.The description of controls should include a synopsis of the computer environment and the related general computer controls and objectives.
84Section 2 - General Computer Controls Program change controlsControls that restrict access to programs and data (physical and logical access controls)Controls that affect the processing of data (including application controls, such as program edits)
85What about business continuity and disaster/contingency planning? Plans are not Controls; therefore, control objectives should not include this topic.However, a service organization can include this topic in Section 4 (other information provided by the service organization).
86Section 3 – Information Provided by the Service Auditor a description of the tests of the operating effectiveness of controls and the results of those tests (only in a type 2 report)Other information provided by the service auditor (optional in both type 1 and type 2 reports)In a type 2 engagement the service auditor must describe the tests of operating effectiveness performed on the control objectives.In a type 1 or type 2 engagement, the service auditor may include recommendations for improvement in controls in this section.
87Section 3 – Information Provided by the Service Auditor Tests of Operating Effectiveness The following elements should be included in the description:The controls that were tested.The control objectives the controls were intended to achieve.An indication of the nature, timing, extent, and results of the tests applied in sufficient detail to enable user auditors to determine the effect of such tests on their assessment of control risk.
88Section 3 – Information Provided by the Service Auditor Other Information to Include Information that more fully describes the objectives of a service auditor’s engagement or information relating to regulatory requirements.Recommendations for improving the service organization’s controls.
89Section 4 – Other Information Provided by the Service Organization A service organization may wish to present other information, e.g., contingency plans, in this section that is NOT a part of the description of controls – and consequently, not covered by the service auditor’s opinion (section 1).
90Who Determines What Type of Review (1 or 2)? Type of engagement should be determined by the service organizationHowever, discussions between the management of the service organization and the management of the user organization(s) are advisableThe SAS states that it is the service organization’s responsibility to determine what type of review – after all, they are paying for the engagement. However, in practice, discussions between all involved parties usually occur before the decision for the type of review is decided. Organizations are not as well-versed as auditors in understanding the difference in the types of reviews and what may be most relevant to the issues at hand.When the Commonwealth of PA outsourced its IT function to Unisys Corp., the auditors met with the Commonwealth to work out the control objectives tested and included in the report.
91So … What Would We Talk About? Discussions between the service organization and user organization(s) could identify:Whether report will be type 1 or type 2The services or applications that will be covered by the reportControl objectives reviewed/testedTalk about Commonwealth outsourcing --
92Procedures in a Type 1 Engagement Review the description of controls prepared by the service organizationInquire of appropriate management and staffInspect documents to confirm management representationsObserve control activities
93Control objectives are usually specified by the service organization; however, they may be designated by an outside party, e.g., a regulatory agency or a user group
94If specified by the service organization – they should be reasonable in the circumstances and consistent with the service organization’s contractual obligations. If specified by an outside party, the outside party is responsible for their completeness and reasonableness.
95Using Type 1 and Type 2 Reports First – inquire about the professional reputation of the service auditor (guidance in SAS 70 AU section ).Determine whether a given type 1 or type 2 report will meet audit objectivesREAD the report the WHOLE REPORT !!!
96The report alone does NOT provide the user auditor with the understanding necessary to plan the audit!
97The auditor should consider the information in the type 1 or 2 report, and determine whether he or she has enough information to:
98Understand the aspects of the service organization’s controls that may affect the processing of the user organization’s transactions.Understand the flow of significant transactions through the service organization.Determine whether the control objectives are relevant to the user organization’s f/s assertions.Determine whether the service organization’s controls are suitably designed to prevent or detect processing errors that could result in material misstatements in the user organization’s f/s.
99The user auditor should also determine whether the service organization’s description is as of a date that is appropriate for the user auditor’s purpose.Careful on this -- controls may have changed!
100Goal of Type 1 Procedures Express an opinion on whether the –Description presents fairly, in all material respects,The service organization’s controlsPlaced in operation as of a specified dateDesign of controls would provide reasonable assurance that the control objectives would be achieved if those controls were complied with satisfactorilyNote: NO TESTING!!Stress that a type 1 report only opines on the design of the controls – not whether they are operating effectively. The user auditor would need to arrange for additional testing if they wanted to rely on controlsAlso point out – AICPA always protects its members – the service organization writes the description of controls. Then the service auditor opines only on what is in the description. Makes it easier to budget and bill for services – keeps scope focused. Prevents misunderstandings.The Description is only going to cover the control objectives specifically listed in the report.A SAS 70 type 1 report is always as of a certain date – the date that the service auditors visited the facilityUser auditors need to consider how old the info is
101Purpose of a Type 1 Report Provide user auditors with information about the controls at the service organizationInformation should assist the user auditor in obtaining a sufficient understanding of the user organizations internal control to plan the audit (in accordance with SAS 94)
102Type 1 - What Do We Do With This Understanding of Internal Controls? Identify the types of misstatements that may occur in the user organization’s financial statementsConsider the factors that affect the risk of material misstatementDesign substantive testsCannot reduce level of substantive testing – cannot reduce risk assessment – because there is no testing
103Type 2 – Something ExtraIn a type 2 engagement, the service auditor performs the procedures required for a type 1 engagement andAlso performs tests of specific controls to evaluate their operating effectiveness
104Goal of Type 2 Procedures Express an opinion on whether the:Controls were suitably designed to provide reasonable assurance that the specified control objectives would be achieved if those controls were complied with satisfactorily.
105Type 2 – Use by the User Auditor Need to Consider: Report on the operating effectiveness of the controlsDescription of the tests of the operating effectiveness of controls that may be relevant to your audit objectivePer AICPA APR page 12: “When considering the operating effectiveness of the relevant controls at the service organization, the user auditor should read and consider both the service auditor’s –”
106Type 2 – Use by User Auditor Need to Determine Whether: The report provides adequate evidence of the nature, timing, extent and results of operating effectiveness for the user auditor to set control risk below maximum.The timing of the tests is appropriate for his/her purposes.The report identifies results of tests (exceptions and other information that could affect his/her considerations.
107Must Also Consider Controls at the User Organization Controls at the user organization should complement the controls at the service organizationUser control considerationsOften the SAS 70 report will detail the controls in place at the service organization and then list controls that must be in place at the user organizations in order to provide an adequate control structure overall.These are called: User Control Considerations.- In the Commonwealth’s GAAP and Single Audit we reviewed the SAS 70 report of Citibank. This detailed out the controls at Citibank but also was quite clear that the proper functioning of these controls was dependent upon controls at the user organizations (in this case in PA’s Department of Public Welfare).- I believe there were 12 user control considerations- In order to rely on the Citibank SAS 70 report, we had to ask that Office of the Budget, Bureau of Audits, test the functioning of the user controls in DPW.
108Complimentary Controls In some cases, a service provided by the service organization may be designed with the assumption that certain controls will be implemented by the user organization.For example, user organizations authorize transactions before they are processed by the service organization.
109Type 2 – Use by User Auditor The results of the testing may be part of the evidence the user auditor relies on to:Assess control risk below the maximum for certain management assertions affected by the service organizationReduce the extent of substantive procedures performed for those assertions.
110Strong Warning!AICPA says: “Under no circumstances should the service auditor’s report (the letter issued by the service auditor) be the only basis for reducing the assessed level of control risk below the maximum.”AIPCA APR page 12You have to read and understand the ENTIRE report. You need to document which service organization controls are- relevant to your audit objectives,- what tests were done,-what results were achievedas part of your support of your reduced risk assessment.
111Never Eliminate Substantive Tests! Although a type 2 report (with testing) and other evidence may allow you to reduce your testing,“…Neither a type 1 nor a type 2 report is designed to provide a basis for assessing control risk sufficiently low to eliminate …substantive tests….”Quote from AICPA APR page 12.
112Miscellaneous Issues/Considerations Exceptions AICPA says: “exceptions noted by the service auditor or a report modification in the service auditor’s report do not automatically mean that the service auditor’s report will not be useful in planning the auditor of a user organization’s financial statements or in assessing control risk.”Give examples:the exceptions are in control objectives not relevant to the user audit.compensating controls exist.
113Miscellaneous Issues/Considerations Reportable Conditions If a user auditor sees reportable conditions in the SAS 70 reportMay be reportable conditions to the user organization – may need to include in report or management letterSee AICPA APR page 30May need to give examples here (also ask class for examples that they can think of):Instances where controls at the service organization may adversely affect the organization’s ability to record, process, summarize and report financial data consistent with management assertions.
114Miscellaneous Issues/Considerations Timing A SAS 70 report is “as of” a specific dateHow useful the SAS 70 report will be depends on how that date fits with your audit period.The date of the report is always as of a specific date – for both type 1 and type 2 reports. That means the service organization’s description of controls and the service auditor’s report on the effectiveness of those controls is as of a certain date.A SAS 70 report date that is outsied of the user organization’s audit period may still be useful: Providing a user auditor with a preliminary understanding of the controls at the service organization if the report is supplemented with information from other sources.If the service organization's description is as of a date that precedes the beginning of the period under audit, the user auditor should consider updating the info in the description of controls to determine whether there have been any changes in the controls.
115Keep in Mind…The shorter the period covered by the specific test and the longer the time elapsed since the performance of the test --- the less support for control risk reductionExample from Page 28 of APR:“…a report on a six-month testing period that covers only one or two months of the user organization’s financial reporting period offers less support for control risk reduction than a report in which the testing covers six months of the user organization’s financial reporting period.”Also from page 28:“If the service auditor’s testing period is completely outside the user organization’s financila reporting period, the user auditor should not relay on such tests as support for control risk reducaiton because they do not provide current audit period evidence of the the effectiveness of the controls, unless…”…unless you want to apply the SAS 55 criteria for taking credit for testing done in prior years.(AU sec and .72)From AU sec :“When considering evidential matter obtained from prior audits, the auditor should obtain evidential matter in the current period about whether changes have occurred in internal control.” When SAS 55 was first adopted, we used to do a current year sample of 5 transactions to take credit for the results of the 25 tested in the prior year.Do your bureau’s take advantage of this provision of SAS 55? How do you implement? How do you document?
116Does the description of controls need to be updated? If the service organization’s description of controls is as of a date that precedes the beginning of the audit period, the user auditor should consider updating the information in the description to determine if there are changes in the service organization’s controls relevant to the processing of the user organization’s transactions.
117Procedures to update may include: Discussions with user organization personnel who are in a position to know about changes at the service organization.A review of current documentation and correspondence issued by the service organization.Discussions with service organization personnel or with the service auditor.
118Miscellaneous Issues/Considerations Management Representation Letter In all engagements, a service auditor should obtain written representations from the service organization’s management.AU section provides guidance as to the types of representations the service auditor should obtain.
119Miscellaneous Issues/Considerations Internal Auditors A service organization may have an internal audit department that performs test of controls as part of its audit plan.The service auditor may determine it effective and efficient to use the work.Service auditor should then consider the guidance in SAS No. 65
120Miscellaneous Issues/Considerations Engagements to Report ONLY on General Computer Controls Service organizations may engage an auditor to report only on its controls related to computer processing.Generally appropriate if the service organization provides only computer hardware and system software.
121Service Organizations That Use Other Service Organizations Subservice OrganizationsChapter 5
122Apply what was learned previously to another level!
123One Big Difference The carve-out method (don’t include) The service organization determines whether its description will include controls of the subservice organization by using:The carve-out method (don’t include)The inclusive method (include)
124Questions and Comments Thank you for your attention!