Académique Documents
Professionnel Documents
Culture Documents
PRONOUNCEMENT:
AICPA Proposed Statement on Standards for Attestation Engagements, Reporting on Controls at a Service Organization TBA; however, it is proposed to be concurrent with the effective date of proposed International Standard on Assurance Engagements (ISAE) 3402, Assurance Reports on Controls at a Third Party Service Organization
the service auditor currently expresses an opinion as of a specific date. Under the proposed SSAE, the service auditors report would contain an opinion on the fairness of the description of the service organizations system and on the suitability of the design of the controls for a period (not as of a specific date). Management of the service organization would be required to provide the service auditor with a written assertion about the following matters as a condition of engagement performance: (1) the fairness of the presentation of the description of the service organizations system; (2) the suitability of the design of the controls to achieve the related control objectives stated in the service organizations description; and (3) in a type 2 engagement, the operating effectiveness of those controls to achieve the related control objectives stated in the description. A service auditor would be able to report on controls at a service organization other than the controls that are relevant to user entities financial reporting. When obtaining an understanding of the service organizations system, the service auditor would be required to obtain information to identify risks that, due to intentional acts by service organization personnel: (1) the description of the service organizations system is not fairly presented; or (2) the control objectives stated in the description were not achieved. When assessing the operating effectiveness of controls in a type 2 engagement, evidence obtained by service auditors in prior engagements about the satisfactory operation of controls in prior periods does not provide a basis for a reduction in testing in the current period (even if supplemented with evidence obtained during the current period). A service auditors report would identify the customers to whom use of the report is restricted as follows: (1) customers as of the date of the service organizations description covered by the report in a type 1 report; or (2) customers of the service organizations system during some or all of the period covered by the service auditors report in a type 2 report.
The proposed SSAE has been drafted using the ED of International Standard on Assurance Engagements (ISAE) 3402, Assurance Reports on Controls at a Third Party Service Organization, as a base. To the extent practicable, differences between the proposed SSAE and the ISAE 3402 ED have been eliminated. Yet, in other instances, the ASB has made certain changes so that the guidance provided in the proposed SSAE is tailored more appropriately for the U.S. environment.
Management of the service organization provides a written assertion that will accompany the description of the service organizations system provided to user entities.
Inquire about interests and relationships that may create a threat to the specialists objectivity; Obtain a sufficient understanding of the specialists field of expertise to enable the service auditor to determine the nature, scope, and objectives of the specialists work and to evaluate the adequacy of that work; Establish a written understanding with the specialist regarding the following matters: (1) the nature, scope, and objectives of the specialists work; (2) the respective roles of the service auditor and the specialist; and (3) the nature, timing, and extent of communication between the service auditor and the specialist and the form of report, if any, to be provided by the specialist; and Evaluate the adequacy of the work performed by the specialist. The proposed SSAE indicates that if the service auditor uses the work of a specialist, the service auditor should not make any reference to that work in his or her opinion.
Determine an effective method for selecting the items to be tested to meet the objectives of the procedure. Consider, in connection with determining the extent of tests of controls and whether sampling is appropriate, the following: (1) the characteristics of the population of the controls to be tested; (2) the nature of the controls; (3) the frequency of their application (e.g., monthly or daily); and (4) the expected rate of deviation. Investigate the nature and cause of any deviations identified and consider whether the deviations may be the result of intentional acts by service organization personnel. Inquire about changes in the service organizations controls that were implemented during the period covered by the service auditors report.
Documentation
The proposed SSAE indicates that the service auditor should prepare documentation that would enable an experienced service auditor, having no previous connection with the engagement, to understand the following: The nature, timing, and extent of the procedures performed. The results of the procedures and the evidence obtained. Significant matters arising during the engagement, the conclusions reached, and significant professional judgments made in reaching those conclusions. Discussions with service organization personnel and others of significant matters, including when and with whom the discussions took place. If information regarding a significant finding or issue was identified that is inconsistent with the service auditors final conclusion, how the service auditor addressed the inconsistency in forming the final conclusion. If the service auditor finds it necessary to modify the engagement documentation or add new documentation after the assembly of the final engagement file, the service auditor should document the following: The date the changes were made; The individual who made the changes;
2009 CCH. All Rights Reserved. 5
The individual who reviewed the changes and the date of the review, if applicable; The specific reasons for making the changes; and The effect of the changes on the service auditors conclusions.
Exhibit 1: Summary of Elements to be Included in Type1 and Type 2 Reports Type 1 Report 1. A title that clearly indicates that the report is an independent service auditors report. 2. An addressee. 3. Appropriate description of the service organizations system prepared by management, including: (1) identification of those parts not covered by the service auditors report; (2) modifying language addressing complementary user entity controls, if applicable; and (3) identification of services performed by a subservice organization and whether the inclusive method or the carve-out method was used in relation to them. 4. Managements assertion. 5. Identification of the criteria. 6. A statement of the inherent limitations of the potential effectiveness of controls at the service organization and of the risk of projecting to the future any evaluation of the description or any conclusions about the effectiveness of controls in achieving control objectives. 7. A description of the service organizations and the service auditors responsibilities. 8. A statement that the engagement was performed in accordance with SSAEs. 9. A summary of the service auditors procedures to obtain reasonable assurance. Yes Yes Yes Type 2 Report Yes Yes Yes
Exhibit 1 (Continued) Type 1 Report 10. A statement that the service auditor has not performed any procedures regarding the operating effectiveness of controls and, therefore, expresses no opinion thereon. 11. The service auditors opinion on whether, in all material respects, based on the criteria specified in managements assertion: a. The description of the service organizations system fairly presents the service organizations system that was designed and implemented (as of the specified date in type 1 report; throughout the specified period in a type 2 report). b. The controls related to the control objectives stated in the description of the service organizations system were suitably designed to provide reasonable assurance that those control objectives would be achieved if the controls operated effectively (as of the specified date in type 1 report; throughout the specified period in a type 2 report). (Note: Modifying language should be added if the application of complementary user entity controls is necessary to achieve the described control objectives.) c. The controls the service auditor tested operated effectively throughout the specified period. (Note: Modifying language should be added if the application of complementary user entity controls is necessary to achieve the described control objectives.) 12. A paragraph at the end of the report that contains the following elements: a. A statement restricting the use the service auditors report to management of the service organization, customers of the service organizations system as of the end of the period covered by the service auditors report, and their auditors. b. A statement restricting the use of the service auditors report and a description of tests of controls and results thereof to management of the service organization, customers of the service organizations system during some or all of the period covered by the service auditors report, and their auditors. Yes Type 2 Report No
Yes
Yes
Yes
Yes
No
Yes
Yes
No
No
Yes
Exhibit 1 (Continued) Type 1 Report c. A statement that the report is not intended to be and should not be used by anyone other than these specified parties 13. A separate section after the opinion, or an attachment, that describes the service auditors tests of controls and the results thereof. 14. The date of the service auditors report. 15. The name of the service auditor and the city where the service auditor maintains the office that has responsibility for the engagement. Yes Type 2 Report Yes
No
Yes
Yes Yes
Yes Yes
The proposed SSAE also discusses various circumstances under which the service auditors opinion should be modified.
About the Author George Georgiades, CPA, has more than 28 years of experience in public accounting, including seven years with an international public accounting firm. He currently has his own firm and consults exclusively with CPA firms on technical accounting and auditing issues. He is a member of the American Institute of Certified Public Accountants and the California Society of Certified Public Accountants and is the author of GAAS Practice Manual and GAAP Financial Statement Disclosures Manual.
GAAS UPDATE SERVICE is published semimonthly by CCH, 4025 W. Peterson Ave., Chicago, Illinois 60646. Periodicals postage paid at Chicago, Illinois, and at additional mailing offices. POSTMASTER: SEND ADDRESS CHANGES TO GAAS UPDATE SERVICE, 4025 W. PETERSON AVE., CHICAGO, IL 60646. Printed in the U.S.A. 2009 CCH. All Rights Reserved.
MUPS