
Statement on auditing standards no. 70.

Note: Statements on Auditing Standards are issued by the Auditing Standards Board, the senior technical body of the Institute designated to issue pronouncements on auditing matters. Rule 202 of the Institute's Code of Professional Conduct requires compliance with these standards.

REPORTS ON THE PROCESSING OF TRANSACTIONS BY SERVICE ORGANIZATIONS

(SUPERSEDES STATEMENT ON AUDITING STANDARDS NO. 44, AICPA, PROFESSIONAL STANDARDS, VOL. 1, AU SEC. 324)
CONTENTS

Introduction and Applicability/1-4
The User Auditor's Consideration of the Effect of the Service Organization on the Internal Control Structure of the User Organization and the Availability of Audit Evidence/5-17
 The Effect of a Service Organization on a User Organization's Internal Control Structure/6
 Planning the Audit/7-10
 Assessing Control Risk at the User Organization/11-16
 Audit Evidence From Substantive Audit Procedures Performed by Service Auditors/17
Considerations in Using a Service Auditor's Report/18-21
Responsibilities of Service Auditors/22-58
 Reports on Policies and Procedures Placed in Operation/25-40
 Reports on Policies and Procedures Placed in Operation and Tests of Operating Effectiveness/41-56
 Written Representations of the Service Organization's Management/57
 Reporting on Substantive Procedures/58
Effective Date/59


INTRODUCTION AND APPLICABILITY

1. This Statement provides guidance on the factors an independent auditor should consider when auditing the financial statements of an entity that uses a service organization to process certain transactions. This Statement also provides guidance for independent auditors who issue reports on the processing of transactions by a service organization for use by other auditors.

2. For purposes of this Statement, the following definitions apply:

* User organization--The entity that has engaged a service organization and whose financial statements are being audited

* User auditor--The auditor who reports on the financial statements of the user organization

* Service organization--The entity (or segment of an entity) that provides services to the user organization

* Service auditor--The auditor who reports on the processing of transactions by a service organization

* Report on policies and procedures placed in operation--A service auditor's report on a service organization's description of its control structure policies and procedures that may be relevant to a user organization's internal control structure, on whether such policies and procedures were suitably designed to achieve specified control objectives, and on whether they had been placed in operation as of a specific date

* Report on policies and procedures placed in operation and tests of operating effectiveness--A service auditor's report on a service organization's description of its control structure policies and procedures that may be relevant to a user organization's internal control structure, on whether such policies and procedures were suitably designed to achieve specified control objectives, on whether they had been placed in operation as of a specific date, and on whether the policies and procedures that were tested were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the related control objectives were achieved during the period specified

3. The guidance in this Statement is applicable to the audit of the financial statements of an entity that obtains either or both of the following services from another organization:

* Executing transactions and maintaining the related accountability

* Recording transactions and processing related data

Service organizations that provide such services include, for example, bank trust departments that invest and hold assets for employee benefit plans or for others, mortgage bankers that service mortgages for others, and electronic data processing (EDP) service centers that process transactions and related data for others. The guidance in this Statement may also be relevant to situations in which an organization develops, provides, and maintains the software used by client organizations. The provisions of this Statement are not intended to apply to situations in which the services provided are limited to executing client organization transactions that are specifically authorized by the client, such as the processing of checking account transactions by a bank or the execution of securities transactions by a broker. This Statement also is not intended to apply to the audit of transactions arising from financial interests in partnerships, corporations, and joint ventures, such as working interests in oil and gas ventures, when proprietary interests are accounted for and reported to interest holders.

4. This Statement is organized into the following sections:

a. The user auditor's consideration of the effect of the service organization on the internal control structure of the user organization and the availability of evidence to--

* Obtain the necessary understanding of the user organization's internal control structure to plan the audit

* Assess control risk at the user organization

* Perform substantive procedures

b. Considerations in using a service auditor's report

c. Responsibilities of service auditors

THE USER AUDITOR'S CONSIDERATION OF THE EFFECT OF THE SERVICE ORGANIZATION ON THE INTERNAL CONTROL STRUCTURE OF THE USER ORGANIZATION AND THE AVAILABILITY OF AUDIT EVIDENCE

5. The user auditor should consider the discussion in paragraphs 6 through 21 when planning and performing the audit of an entity that uses a service organization to process its transactions.

The Effect of a Service Organization on a User Organization's Internal Control Structure

6. When a user organization uses a service organization, transactions that affect the user organization's financial statements are subjected to policies and procedures that are, at least in part, physically and operationally separate from the user organization. The relationship of the policies and procedures of the service organization to those of the user organization depends primarily on the nature of the services provided by the service organization. For example, when those services are limited to recording user transactions and processing the related data, and the user organization retains responsibility for authorizing transactions and maintaining the related accountability, there is a high degree of interaction between the policies and procedures at the service organization and those at the user organization. In these circumstances, it may be possible for the user organization to implement effective internal control structure policies and procedures for those transactions. When the service organization executes the user organization's transactions and maintains the related accountability, there is a lower degree of interaction and it may not be practicable for the user organization to implement effective internal control structure policies and procedures for those transactions. The degree of interaction, as well as the nature and materiality of the transactions processed by the service organization, are the most important factors in determining the significance of the service organization's policies and procedures to the user organization's internal control structure.

Planning the Audit

7. SAS No. 55, Consideration of the Internal Control Structure in a Financial Statement Audit (AICPA, Professional Standards, vol. 1, AU sec. 319), states that an auditor should obtain a sufficient understanding of each of the three elements of the entity's internal control structure to plan the audit. This understanding should include knowledge about the design of relevant policies, procedures, and records and whether they have been placed in operation by the entity. In planning the audit, such knowledge should be used to--

* Identify types of potential misstatements.

* Consider factors that affect the risk of material misstatement.

* Design substantive tests.

8. If an entity uses a service organization, certain policies, procedures, and records of the service organization may be relevant to the user organization's ability to record, process, summarize, and report financial data consistent with the assertions embodied in the entity's financial statements. In determining the significance of these policies, procedures, and records to planning the audit, the user auditor should consider factors such as--

* The significance of the financial statement assertions that are affected by the policies and procedures of the service organization.

* The inherent risk associated with the assertions affected by the policies and procedures of the service organization.

* The nature of the services provided by the service organization and whether they are highly standardized and used extensively by many user organizations or unique and used only by a few.

* The extent to which the user organization's internal control structure policies and procedures interact with the policies and procedures of the service organization.

* The user organization's internal control structure policies and procedures that are applied to the transactions affected by the service organization's activities.

* The terms of the contract between the user organization and the service organization (for example, their respective responsibilities and the extent of the service organization's discretion to initiate transactions).

* The service organization's capabilities, including its--

--Record of performance.

--Insurance coverage.

--Financial stability.

* The user auditor's prior experience with the service organization.

* The extent of auditable data in the user organization's possession.

* The existence of specific regulatory requirements that may dictate the application of audit procedures beyond those required to comply with generally accepted auditing standards.

9. The user auditor should also consider the available information about the service organization's policies and procedures, including (a) the information in the user organization's possession, such as user manuals, system overviews, and technical manuals, and (b) the existence of reports on the service organization's policies and procedures, such as reports by service auditors, internal auditors (the user organization's or the service organization's), or regulatory authorities.

10. After considering the above factors and evaluating the available information, the user auditor may conclude that he or she has the means to obtain a sufficient understanding of the internal control structure to plan the audit. If the user auditor concludes that information is not available to obtain a sufficient understanding to plan the audit, he or she may consider contacting the service organization, through the user organization, to obtain specific information or request that a service auditor be engaged to perform procedures that will supply the necessary information, or the user auditor may visit the service organization and perform such procedures. If the user auditor is unable to obtain sufficient evidence to achieve his or her audit objectives, the user auditor should qualify his or her opinion or disclaim an opinion on the financial statements because of a scope limitation.

Assessing Control Risk at the User Organization

11. After obtaining an understanding of the internal control structure, the user auditor assesses control risk for the assertions embodied in the account balances and classes of transactions, including those that are affected by the activities of the service organization. In doing so, the user auditor may identify certain internal control structure policies and procedures that, if effective, would permit the user auditor to assess control risk below the maximum for particular assertions. Such policies and procedures may be applied at either the user organization or the service organization. The user auditor may conclude that it would be efficient to obtain evidential matter about the operating effectiveness of these policies and procedures to provide a basis for assessing control risk below the maximum.

12. A service auditor's report on policies and procedures placed in operation at the service organization should be helpful in providing a sufficient understanding to plan the audit of the user organization. Such a report, however, is not intended to provide any evidence of the operating effectiveness of the relevant policies and procedures that would allow the user auditor to reduce the assessed level of control risk below the maximum. Such evidential matter should be derived from one or more of the following:

a. Tests of the user organization's controls over the activities of the service organization (for example, the user auditor may test the user organization's independent performance of selected items processed by an EDP service center or test the user organization's reconciliation of output reports with source documents)

b. A service auditor's report on policies and procedures placed in operation and tests of operating effectiveness, or a report on the application of agreed-upon procedures that describes relevant tests of controls

c. Appropriate tests of controls performed by the user auditor at the service organization

13. The user organization may establish effective controls over the service organization's activities that may be tested and that may enable the user auditor to reduce the assessed level of control risk below the maximum for some or all of the related assertions. If a user organization, for example, uses an EDP service center to process payroll transactions, the user organization may establish internal control structure policies and procedures over input and output data to prevent or detect material misstatements. The user organization might perform the service organization's payroll calculations on a test basis. In this situation, the user auditor may perform tests of the user organization's controls over data processing that would provide a basis for assessing control risk below the maximum for the assertions related to payroll transactions. The user auditor may decide that obtaining evidence of the operating effectiveness of the service organization's policies and procedures, such as those over changes in payroll programs, is not necessary or efficient.

14. The user auditor may find that internal control structure policies and procedures relevant to assessing control risk below the maximum for particular assertions are applied only at the service organization. If the user auditor plans to assess control risk below the maximum for those assertions, he or she should evaluate the operating effectiveness of those policies and procedures by obtaining a service auditor's report that describes the results of the service auditor's tests of those policies and procedures (that is, a report on policies and procedures placed in operation and tests of operating effectiveness, or an agreed-upon procedures report) or by performing tests of controls at the service organization. If the user auditor decides to use a service auditor's report, the user auditor should consider the extent of the evidence provided by the report about the effectiveness of policies and procedures intended to prevent or detect material misstatements in the particular assertions. The user auditor remains responsible for evaluating the evidence presented by the service auditor and for determining its effect on the assessment of control risk at the user organization.

15. The user auditor's assessments of control risk regarding assertions about account balances or classes of transactions are based on the combined evidence provided by the service auditor's report and the user auditor's own procedures. In making these assessments, the user auditor should consider the nature, source, and interrelationships among the evidence, as well as the period covered by the tests of controls. The user auditor uses the assessed levels of control risk, as well as his or her understanding of the internal control structure, in determining the nature, timing, and extent of substantive tests for particular assertions.

16. The guidance in SAS No. 55, paragraphs 46 through 55, regarding the auditor's consideration of the sufficiency of evidential matter to support a specific assessed level of control risk is applicable to user auditors considering evidential matter provided by a service auditor's report on policies and procedures placed in operation and tests of operating effectiveness. Because the report may be intended to satisfy the needs of several different user auditors, a user auditor should determine whether the specific tests of controls and results in the service auditor's report are relevant to assertions that are significant in the user organization's financial statements. For those tests of controls and results that are relevant, a user auditor should consider whether the nature, timing, and extent of such tests of controls and results provide appropriate evidence about the effectiveness of the policy or procedure to support the user auditor's desired assessed level of control risk. In evaluating these factors, user auditors should also keep in mind that, for certain assertions, the shorter the period covered by a specific test and the longer the time elapsed since the performance of the test, the less support for control risk reduction the test may provide.

Audit Evidence From Substantive Audit Procedures Performed by Service Auditors

17. Service auditors may be engaged to perform procedures that are substantive in nature for the benefit of user auditors. Such engagements may involve the performance, by the service auditor, of procedures agreed upon by the user organization and its auditor and by the service organization and its auditor. In addition, there may be requirements imposed by governmental authorities or through contractual arrangements whereby service auditors perform designated procedures that are substantive in nature. The results of the application of the required procedures to balances and transactions processed by the service organization may be used by user auditors as part of the evidence necessary to support their opinions.

CONSIDERATIONS IN USING A SERVICE AUDITOR'S REPORT

18. In considering whether the service auditor's report is satisfactory for his or her purposes, the user auditor should make inquiries concerning the service auditor's professional reputation. Appropriate sources of information concerning the professional reputation of the service auditor are discussed in SAS No. 1, Codification of Auditing Standards and Procedures (AICPA, Professional Standards, vol. 1, AU sec. 543, "Part of Audit Performed by Other Independent Auditors," paragraph 10a).

19. In considering whether the service auditor's report is sufficient to meet his or her objectives, the user auditor should give consideration to the guidance in AU sec. 543.12. If the user auditor believes that the service auditor's report may not be sufficient to meet his or her objectives, the user auditor may supplement his or her understanding of the service auditor's procedures and conclusions by discussing with the service auditor the scope and results of the service auditor's work. Also, if the user auditor believes it is necessary, he or she may contact the service organization, through the user organization, to request that the service auditor perform agreed-upon procedures at the service organization, or the user auditor may perform such procedures.

20. When assessing a service organization's policies and procedures and how they interact with a user organization's internal control structure policies and procedures, the user auditor may become aware of the existence of reportable conditions. In such circumstances, the user auditor should consider the guidance provided in SAS No. 60, Communication of Internal Control Structure Related Matters Noted in an Audit (AICPA, Professional Standards, vol. 1, AU sec. 325).

21. The user auditor should not make reference to the report of the service auditor as a basis, in part, for his or her own opinion on the user organization's financial statements. The service auditor's report is used in the audit, but the service auditor is not responsible for examining any portion of the financial statements as of any specific date or for any specified period. Thus, there cannot be a division of responsibility for the audit of the financial statements.

RESPONSIBILITIES OF SERVICE AUDITORS

22. The service auditor is responsible for the representations in his or her report and for exercising due care in the application of procedures that support those representations. Although a service auditor's engagement differs from an audit of financial statements conducted in accordance with generally accepted auditing standards, it should be performed in accordance with the general standards and with the relevant fieldwork and reporting standards. Although the service auditor should be independent from the service organization, it is not necessary for the service auditor to be independent from each user organization.

23. As a result of procedures performed at the service organization, the service auditor may become aware of illegal acts, irregularities, or corrected errors attributable to the service organization's management or employees that may affect one or more user organizations. The terms errors, irregularities, and illegal acts are defined in SAS No. 53, The Auditor's Responsibility to Detect and Report Errors and Irregularities, and SAS No. 54, Illegal Acts by Clients (AICPA, Professional Standards, vol. 1, AU secs. 316 and 317); the definitions therein are relevant to this section. When the service auditor becomes aware of such matters, he or she should determine from the appropriate level of management of the service organization whether this information has been communicated appropriately to affected user organizations, unless those matters are clearly inconsequential. If the management of the service organization has not communicated the information to affected user organizations and is unwilling to do so, the service auditor should inform the service organization's audit committee or others with equivalent authority or responsibility. If the audit committee does not respond appropriately to the service auditor's communication, the service auditor should consider whether to resign from the engagement. The service auditor may wish to consult with his or her attorney in making this decision.

24. The type of engagement to be performed and the related report to be prepared should be established by the service organization. However, when circumstances permit, discussions between the service organization and the user organizations are advisable to determine the type of report that will be most suitable for the user organizations' needs. This Statement provides guidance on the two types of reports that may be issued:

a. Reports on policies and procedures placed in operation--A service auditor's report on a service organization's description of the policies and procedures that may be relevant to a user organization's internal control structure, on whether such policies and procedures were suitably designed to achieve specified control objectives, and on whether they had been placed in operation as of a specific date. Such reports may be useful in providing a user auditor with an understanding of the policies and procedures necessary to plan the audit and to design effective tests of controls and substantive tests at the user organization, but they are not intended to provide the user auditor with a basis for reducing his or her assessments of control risk below the maximum.

b. Reports on policies and procedures placed in operation and tests of operating effectiveness--A service auditor's report on a service organization's description of the policies and procedures that may be relevant to a user organization's internal control structure, on whether such policies and procedures were suitably designed to achieve specified control objectives, on whether they had been placed in operation as of a specific date, and on whether the policies and procedures that were tested were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the related control objectives were achieved during the period specified. Such reports may be useful in providing the user auditor with an understanding of the policies and procedures necessary to plan the audit and may also provide the user auditor with a basis for reducing his or her assessments of control risk below the maximum.

Reports on Policies and Procedures Placed in Operation

25. The information necessary for a report on policies and procedures placed in operation ordinarily is obtained through discussions with appropriate service organization personnel and through reference to various forms of documentation, such as system flowcharts and narratives.

26. After obtaining a description of the relevant policies and procedures, the service auditor should determine whether the description provides sufficient information for user auditors to obtain an understanding of those aspects of the service organization's policies and procedures that may be relevant to a user organization's internal control structure. The description should contain a discussion of the features of the service organization's policies and procedures that would have an effect on a user organization's internal control structure. Such features are relevant when they directly affect the service provided to the user organization. They may include features generally considered to be part of the control environment, specific activities that may represent a user organization's accounting system or a portion thereof, or specific policies and procedures designed to control such functions. Control environment elements may include hiring practices and the involvement of internal auditors. Accounting system elements would include the ways in which user transactions are initiated and processed. Control structure policies and procedures employed by a service organization, such as policies and procedures over the modification of computer programs, ordinarily are designed to meet specific control objectives. The specific control objectives of the service organization should be set forth in the service organization's description of policies and procedures.

27. Evidence of whether policies and procedures have been placed in operation is ordinarily obtained through previous experience with the service organization and through procedures such as inquiry of appropriate management, supervisory, and staff personnel; inspection of service organization documents and records; and observation of service organization activities and operations. For the type of report described in paragraph 24a, these procedures need not be supplemented by tests of the operating effectiveness of the service organization's policies and procedures.

28. Although a service auditor's report on policies and procedures placed in operation is as of a specified date, the service auditor should inquire about changes in the service organization's policies and procedures that may have occurred before the beginning of fieldwork. If the service auditor believes that the changes would be considered significant by user organizations and their auditors, those changes should be included in the description of the service organization's policies and procedures. If the service auditor concludes that the changes would be considered significant by user organizations and their auditors and the changes are not included in the description of the service organization's policies and procedures, the service auditor should describe the changes in his or her report. Such changes might include--

* Procedural changes made to accommodate provisions of a new FASB Statement of Financial Accounting Standards.

* Major changes in an application to permit on-line processing.

* Procedural changes to eliminate previously identified deficiencies.

Changes that occurred more than twelve months before the date being reported on normally would not be considered significant, because they generally would not affect user auditors' considerations.

29. A service auditor's report expressing an opinion on a description of policies and procedures placed in operation at a service organization should contain--

a. A specific reference to the applications, services, products, or other aspects of the service organization covered.

b. A description of the scope and nature of the service auditor's procedures.

c. Identification of the party specifying the control objectives.

d. An indication that the purpose of the service auditor's engagement was to obtain reasonable assurance about whether (1) the service organization's description presents fairly, in all material respects, the aspects of the service organization's policies and procedures that may be relevant to a user organization's internal control structure, (2) the policies and procedures were suitably designed to achieve specified control objectives, and (3) such policies and procedures had been placed in operation as of a specific date.

e. A disclaimer of opinion on the operating effectiveness of the policies and procedures.

f. The service auditor's opinion on whether the description presents fairly, in all material respects, the relevant aspects of the service organization's policies and procedures that had been placed in operation as of a specific date and whether, in the service auditor's opinion, the policies and procedures were suitably designed to provide reasonable assurance that the specified control objectives would be achieved if those policies

g. A statement of the inherent limitations of the potential effectiveness of policies and procedures at the service organization and of the risk of projecting to future periods any evaluation of the description.

h. Identification of the parties for whom the report is intended.

30. If the service auditor believes that the description is inaccurate or insufficiently complete for user auditors, the service auditor's report should so state and should contain sufficient detail to provide user auditors with an appropriate understanding.

31. It may become evident to the service auditor, when considering the service organization's description of policies and procedures placed in operation, that the system was designed with the assumption that certain internal control structure policies and procedures would be implemented by the user organization. If the service auditor is aware of the need for such complementary user organization internal control structure policies and procedures, these should be delineated in the description of policies and procedures. If the application of internal control structure policies and procedures by user organizations is necessary to achieve the stated control objectives, the service auditor's report should be modified to include the phrase "and user organizations applied the internal control structure policies and procedures contemplated in the design of the Service Organization's policies and procedures" following the words "complied with satisfactorily" in the scope and opinion paragraphs.

32. The service auditor should consider conditions that come to his or her attention that, in the service auditor's judgment, represent significant deficiencies in the design or operation of the service organization's policies and procedures that preclude the service auditor from obtaining reasonable assurance that specified control objectives would be achieved. The service auditor should also consider whether any other information, irrespective of specified control objectives, has come to his or her attention that causes him or her to conclude (a) that design deficiencies exist that could adversely affect the ability to record, process, summarize, or report financial data to user organizations without error and (b) that user organizations would not generally be expected to have policies and procedures in place to mitigate such design deficiencies.

33. The description of policies and procedures and control objectives required for these reports may be prepared by the service organization. If the service auditor prepares the description of policies and procedures and control objectives, the representations in the description remain the responsibility of the service organization.

34. For the service auditor to express an opinion on whether the policies and procedures were suitably designed to achieve the specified control objectives, it is necessary that--

a. The service organization identify and appropriately describe such control objectives and the relevant policies and procedures.

b. The service auditor consider the linkage of the policies and procedures to the stated control objectives.

c. The service auditor obtain sufficient evidence to reach an opinion.

35. The control objectives may be designated by the service organization or by outside parties such as regulatory authorities, a user group, or others. When the control objectives are not established by outside parties, the service auditor should be satisfied that the control objectives, as set forth by the service organization, are reasonable in the circumstances and consistent with the service organization's contractual obligations.

36. The service auditor's report should state whether the policies and procedures were suitably designed to achieve the specified control objectives. The report should not state whether they were suitably designed to achieve objectives beyond the specifically identified control objectives.

37. The service auditor's opinion on whether the policies and procedures were suitably designed to achieve the specified control objectives is not intended to provide evidence of operating effectiveness or to provide the user auditor with a basis for concluding that control risk may be assessed below the maximum.

38. The following is a sample report on policies and procedures placed in operation at a service organization. The report should have, as an attachment, a description of the service organization's policies and procedures that may be relevant to a user organization's internal control structure. This report is illustrative only and should be modified as appropriate to suit the circumstances of individual engagements.

To XYZ Service Organization:

We have examined the accompanying description of the _______ application of XYZ Service Organization. Our examination included procedures to obtain reasonable assurance about whether (1) the accompanying description presents fairly, in all material respects, the aspects of XYZ Service Organization's policies and procedures that may be relevant to a user organization's internal control structure, (2) the control structure policies and procedures included in the description were suitably designed to achieve the control objectives specified in the description, if those policies and procedures were complied with satisfactorily, and (3) such policies and procedures had been placed in operation as of ______________. The control objectives were specified by ___________. Our examination was performed in accordance with standards established by the American Institute of Certified Public Accountants and included those procedures we considered necessary in the circumstances to obtain a reasonable basis for rendering our opinion.

We did not perform procedures to determine the operating effectiveness of policies and procedures for any period. Accordingly, we express no opinion on the operating effectiveness of any aspects of Service Organization's policies and procedures, individually or in the aggregate.

In our opinion, the accompanying description of the aforementioned application presents fairly, in all material respects, the relevant aspects of XYZ Service Organization's policies and procedures that had been placed in operation as of ________. Also, in our opinion, the policies and procedures, as described, are suitably designed to provide reasonable assurance that the specified control objectives would be achieved if the described policies and procedures were complied with satisfactorily.

The description of policies and procedures at XYZ Service Organization is as of __________ and any projection of such information to the future is subject to the risk that, because of change, the description may no longer portray the system in existence. The potential effectiveness of specific policies and procedures at the Service Organization is subject to inherent limitations and, accordingly, errors or irregularities may occur and not be detected. Furthermore, the projection of any conclusions, based on our findings, to future periods is subject to the risk that changes may alter the validity of such conclusions.

This report is intended solely for use by the management of XYZ Service Organization, its customers, and the independent auditors of its customers.

39. If the service auditor concludes that the description is inaccurate or insufficiently complete for user auditors, the service auditor should so state in an explanatory paragraph preceding the opinion paragraph. An example of such an explanatory paragraph follows:

The accompanying description states that XYZ Service Organization uses operator identification numbers and passwords to prevent unauthorized access to the system. Based on inquiries of staff personnel and inspections of activities, we determined that such procedures are employed in Applications A and B but are not required to access the system in Applications C and D.

In addition, the first sentence of the opinion paragraph would be modified to read as follows:

In our opinion, except for the matter referred to in the preceding paragraph, the accompanying description of the aforementioned application presents fairly, in all material respects, the relevant aspects of XYZ Service Organization's policies and procedures that had been placed in operation as of ____________.

40. If, after applying the criteria in paragraph 32, the service auditor concludes that there are significant deficiencies in the design or operation of the service organization's policies and procedures, the service auditor should report those conditions in an explanatory paragraph preceding the opinion paragraph. An example of an explanatory paragraph describing a significant deficiency in the design or operation of the service organization's policies and procedures follows:

As discussed in the accompanying description, from time to time the Service Organization makes changes in application programs to correct deficiencies or to enhance capabilities. The procedures followed in determining whether to make changes, in designing the changes, and in implementing them do not include review and approval by authorized individuals who are independent from those involved in making the changes. There are also no specified requirements to test such changes or provide test results to an authorized reviewer prior to implementing the changes.

In addition, the second sentence of the opinion paragraph would be modified to read as follows:

Also in our opinion, except for the deficiency referred to in the preceding paragraph, the policies and procedures, as described, are suitably designed to provide reasonable assurance that the specified control objectives would be achieved if the described policies and procedures were complied with satisfactorily.

Report on Policies and Procedures Placed in Operation and Tests of Operating Effectiveness

Paragraphs 41 through 56 repeat some of the information contained in paragraphs 25 through 40 to provide readers with a comprehensive, stand-alone presentation of the relevant considerations for each type of report.

41. The information necessary for a report on policies and procedures placed in operation and tests of operating effectiveness ordinarily is obtained through discussions with appropriate service organization personnel, through reference to various forms of documentation, such as system flowcharts and narratives, and through the performance of tests of controls. Evidence of whether policies and procedures have been placed in operation is ordinarily obtained through previous experience with the service organization and through procedures such as inquiry of appropriate management, supervisory, and staff personnel; inspection of service organization documents and records; and observation of service organization activities and operations. The service auditor applies tests of controls to determine whether specified policies and procedures are operating with sufficient effectiveness to achieve specified control objectives. SAS No. 39, Audit Sampling (AICPA, Professional Standards, vol. 1, AU sec. 350), provides guidance on the application and evaluation of audit sampling in performing tests of controls.

42. After obtaining a description of the relevant policies and procedures, the service auditor should determine whether the description provides sufficient information for user auditors to obtain an understanding of the aspects of the service organization's policies and procedures that may be relevant to a user organization's internal control structure. The description should contain a discussion of the features of the service organization's policies and procedures that would have an effect on a user organization's internal control structure. Such features are relevant when they directly affect the service provided to the user organization. They may include features generally considered to be part of the control environment, specific activities that may represent a user organization's accounting system or a portion thereof, or specific policies and procedures designed to control such functions. Control environment elements may include hiring practices and the involvement of internal auditors. Accounting system elements would include the ways in which user transactions are initiated and processed. Control structure policies and procedures employed by a service organization, such as policies and procedures over the modification of computer programs, ordinarily are designed to meet specific control objectives. The specific control objectives of the service organization should be set forth in the service organization's description of policies and procedures.

43. The service auditor should inquire about changes in the service organization's policies and procedures that may have occurred before the beginning of fieldwork. If the service auditor believes the changes would be considered significant by user organizations and their auditors, those changes should be included in the description of the service organization's policies and procedures. If the service auditor concludes that the changes would be considered significant by user organizations and their auditors and the changes are not included in the description of the service organization's policies and procedures, the service auditor should describe the changes in his or her report. Such changes might include--

* Procedural changes made to accommodate provisions of a new FASB Statement of Financial Accounting Standards.

* Major changes in an application to permit on-line processing.

* Procedural changes to eliminate previously identified deficiencies.

Changes that occurred more than twelve months before the date being reported on normally would not be considered significant, because they generally would not affect user auditors' considerations.

44. A service auditor's report expressing an opinion on a description of policies and procedures placed in operation at a service organization and tests of operating effectiveness should contain--

a. A specific reference to the applications, services, products, or other aspects of the service organization covered.

b. A description of the scope and nature of the service auditor's procedures.

c. Identification of the party specifying the control objectives.

d. An indication that the purpose of the service auditor's engagement was to obtain reasonable assurance about whether (1) the service organization's description presents fairly, in all material respects, the aspects of the service organization's policies and procedures that may be relevant to a user organization's internal control structure, (2) the policies and procedures were suitably designed to achieve specified control objectives, and (3) such policies and procedures had been placed in operation as of a specific date.

e. The service auditor's opinion on whether the description presents fairly, in all material respects, the relevant aspects of the service organization's policies and procedures that had been placed in operation as of a specific date and whether, in the service auditor's opinion, the policies and procedures were suitably designed to provide reasonable assurance that the specified control objectives would be achieved if those policies and procedures were complied with satisfactorily.

f. A reference to a description of tests of specified service organization policies and procedures designed to obtain evidence about the operating effectiveness of those policies and procedures in achieving specified control objectives. The description should include the policies and procedures that were tested, the control objectives the policies and procedures were intended to achieve, the tests applied, and the results of the tests. The description should include an indication of the nature, timing, and extent of the tests, as well as sufficient detail to enable user auditors to determine the effect of such tests on user auditors' assessments of control risk. To the extent that the service auditor identified causative factors for exceptions, determined the current status of corrective actions, or obtained other relevant qualitative information about exceptions noted, such information should be provided.

g. A statement of the period covered by the service auditor's report on the operating effectiveness of the specified policies and procedures.

h. The service auditor's opinion on whether the policies and procedures that were tested were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the related control objectives were achieved during the period specified.

i. When all of the control objectives listed in the description of policies and procedures placed in operation are not covered by tests of operating effectiveness, a statement that the service auditor does not express an opinion on control objectives not listed in the description of tests performed at the service organization.

j. A statement that the relative effectiveness and significance of specific service organization policies and procedures and their effect on assessments of control risk at user organizations are dependent on their interaction with the policies, procedures, and other factors present at individual user organizations.

k. A statement that the service auditor has performed no procedures to evaluate the effectiveness of policies and procedures at individual user organizations.

l. A statement of the inherent limitations of the potential effectiveness of policies and procedures at the service organization and of the risk of projecting to the future any evaluation of the description or any conclusions about the effectiveness of policies and procedures in achieving control objectives.

m. Identification of the parties for whom the report is intended.

45. If the service auditor believes that the description is inaccurate or insufficiently complete for user auditors, the service auditor's report should so state and should contain sufficient detail to provide user auditors with an appropriate understanding.

46. It may become evident to the service auditor, when considering the service organization's description of policies and procedures placed in operation, that the system was designed with the assumption that certain internal control structure policies and procedures would be implemented by the user organization. If the service auditor is aware of the need for such complementary user organization internal control structure policies and procedures, these should be delineated in the description of policies and procedures. If the application of internal control structure policies and procedures by user organizations is necessary to achieve the stated control objectives, the service auditor's report should be modified to include the phrase "and user organizations applied the internal control structure policies and procedures contemplated in the design of the Service Organization's policies and procedures" following the words "complied with satisfactorily" in the scope and opinion paragraphs. Similarly, if the operating effectiveness of policies and procedures at the service organization is dependent on the application of policies and procedures at user organizations, this should be delineated in the description of tests performed.

47. The service auditor should consider conditions that come to his or her attention that, in the service auditor's judgment, represent significant deficiencies in the design or operation of the service organization's policies and procedures that preclude the service auditor from obtaining reasonable assurance that specified control objectives would be achieved. The service auditor should also consider whether any other information, irrespective of specified control objectives, has come to his or her attention that causes him or her to conclude (a) that design deficiencies exist that could adversely affect the ability to record, process, summarize, or report financial data to user organizations without error and (b) that user organizations would not generally be expected to have policies and procedures in place to mitigate such design deficiencies.

48. The description of policies and procedures and control objectives required for these reports may be prepared by the service organization. If the service auditor prepares the description of policies and procedures and control objectives, the representations in the description remain the responsibility of the service organization.

49. For the service auditor to express an opinion on whether the policies and procedures were suitably designed to achieve the specified control objectives, it is necessary that--

a. The service organization identify and appropriately describe such control objectives and the relevant policies and procedures.

b. The service auditor consider the linkage of the policies and procedures to the stated control objectives.

c. The service auditor obtain sufficient evidence to reach an opinion.

50. The control objectives may be designated by the service organization or by outside parties such as regulatory authorities, a user group, or others. When the control objectives are not established by outside parties, the service auditor should be satisfied that the control objectives, as set forth by the service organization, are reasonable in the circumstances and consistent with the service organization's contractual obligations.

51. The service auditor's report should state whether the policies and procedures were suitably designed to achieve the specified control objectives. The report should not state whether they were suitably designed to achieve objectives beyond the specifically identified control objectives.

52. The service auditor's opinion on whether the policies and procedures were suitably designed to achieve the specified control objectives is not intended to provide evidence of operating effectiveness or to provide the user auditor with a basis for concluding that control risk may be assessed below the maximum. Evidence that may enable the user auditor to conclude that control risk may be assessed below the maximum may be obtained from the results of specific tests of operating effectiveness.

53. The management of the service organization specifies whether all or selected applications and control objectives will be covered by the tests of operating effectiveness. The service auditor determines which policies and procedures are, in his or her judgment, necessary to achieve the control objectives specified by management. The service auditor then determines the nature, timing, and extent of the tests of controls needed to evaluate operating effectiveness. Testing should be applied to policies and procedures in effect throughout the period covered by the report. To be useful to user auditors, the report should ordinarily cover a minimum reporting period of six months.

54. The following is a sample report on policies and procedures placed in operation at a service organization and tests of operating effectiveness. It should be assumed that the report has two attachments: (a) a description of the service organization's policies and procedures that may be relevant to a user organization's internal control structure and (b) a description of policies and procedures for which tests of operating effectiveness were performed, the control objectives the policies and procedures were intended to achieve, the tests applied, and the results of those tests. This report is illustrative only and should be modified as appropriate to suit the circumstances of individual engagements.

To XYZ Service Organization:

We have examined the accompanying description of the _________ application of XYZ Service Organization. Our examination included procedures to obtain reasonable assurance about whether (1) the accompanying description presents fairly, in all material respects, the aspects of Service Organization's policies and procedures that may be relevant to a user organization's internal control structure, (2) the control structure policies and procedures included in the description were suitably designed to achieve the control objectives specified in the description, if those policies and procedures were complied with satisfactorily, and (3) such policies and procedures had been placed in operation as of _____________. The control objectives were specified by _______________. Our examination was performed in accordance with standards established by the American Institute of Certified Public Accountants and included those procedures we considered necessary in the circumstances to obtain a reasonable basis for rendering our opinion.

In our opinion, the accompanying description of the aforementioned application presents fairly, in all material respects, the relevant aspects of XYZ Service Organization's policies and procedures that had been placed in operation as of ______________. Also, in our opinion, the policies and procedures, as described, are suitably designed to provide reasonable assurance that the specified control objectives would be achieved if the described policies and procedures were complied with satisfactorily.

In addition to the procedures we considered necessary to render our opinion as expressed in the previous paragraph, we applied tests to specific policies and procedures, listed in Schedule X, to obtain evidence about their effectiveness in meeting the control objectives, described in Schedule X, during the period from ___________ to ____________. The specific policies and procedures, with the nature, timing, extent, and results of the tests, are listed in Schedule X. This information has been provided to user organizations of XYZ Service Organization and to their auditors to be taken into consideration, along with information about the internal control structure at user organizations, when making assessments of control risk for user organizations. In our opinion the policies and procedures that were tested, as described in Schedule X, were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives specified in Schedule X were achieved during the period from _____________ to __________________. [However, the scope of our engagement did not include tests to determine whether control objectives not listed in Schedule X were achieved; accordingly, we express no opinion on the achievement of control objectives not included in Schedule X.]

The relative effectiveness and significance of specific policies and procedures at XYZ Service Organization and their effect on assessments of control risk at user organizations are dependent on their interaction with the policies, procedures, and other factors present at individual user organizations. We have performed no procedures to evaluate the effectiveness of policies and procedures at individual user organizations. The description of policies and procedures at Service Organization is as of _____________, and information about tests of the operating effectiveness of specified policies and procedures covers the period from ___________ to ______________. Any projection of such information to the future is subject to the risk that, because of change, the description may no longer portray the system in existence. The potential effectiveness of specified policies and procedures at the Service Organization is subject to inherent limitations and, accordingly, errors or irregularities may occur and not be detected. Furthermore, the projection of conclusions, based on our findings, to future periods is subject to the risk that changes may alter the validity of such conclusions.

This report is intended solely for use by the management of XYZ Service Organization, its customers, and the independent auditors of its customers.

55. If the service auditor concludes that the description is inaccurate or insufficiently complete for user auditors, the service auditor should so state in an explanatory paragraph preceding the opinion paragraph. An example of such an explanatory paragraph follows:

The accompanying description states that XYZ Service Organization uses operator identification numbers and passwords to prevent unauthorized access to the system. Based on inquiries of staff personnel and inspection of activities, we determined that such procedures are employed in Applications A and B but are not required to access the system in Applications C and D.

In addition, the first sentence of the opinion paragraph would be modified to read as follows:

In our opinion, except for the matter referred to in the preceding paragraph, the accompanying description of the aforementioned application presents fairly, in all material respects, the relevant aspects of XYZ Service Organization's policies and procedures that had been placed in operation as of __________.

56. If, after applying the criteria in paragraph 47, the service auditor concludes that there are significant deficiencies in the design or operation of the service organization's policies and procedures, the service auditor should report those conditions in an explanatory paragraph preceding the opinion paragraph. An example of an explanatory paragraph describing a significant deficiency in the design or operation of the service organization's policies and procedures follows:

As discussed in the accompanying description, from time to time the Service Organization makes changes in application programs to correct deficiencies or to enhance capabilities. The procedures followed in determining whether to make changes, in designing the changes, and in implementing them do not include review and approval by authorized individuals who are independent from those involved in making the changes. There are also no specified requirements to test such changes or provide test results to an authorized reviewer prior to implementing the changes.

In addition, the second sentence of the opinion paragraph would be modified to read as follows:

Also in our opinion, except for the deficiency referred to in the preceding paragraph, the policies and procedures, as described, are suitably designed to provide reasonable assurance that the related control objectives would be achieved if the described policies and procedures were complied with satisfactorily.

Written Representations of the Service Organization's Management

57. Regardless of the type of report issued, the service auditor should obtain written representations from the service organization's management that--

* Acknowledge management's responsibility for establishing and maintaining appropriate policies and procedures relating to the processing of transactions for user organizations.

* Acknowledge the appropriateness of the specified control objectives.

* State that the description of policies and procedures presents fairly, in all material respects, the aspects of the service organization's policies and procedures that may be relevant to a user organization's internal control structure.

* State that the policies and procedures, as described, had been placed in operation as of a specified date.

* State that management believes its policies and procedures were suitably designed to achieve the specified control objectives.

* State that management has disclosed to the service auditor any significant changes in policies and procedures that have occurred since the service organization's last examination.

* State that management has disclosed to the service auditor any illegal acts, irregularities, or uncorrected errors attributable to the service organization's management or employees that may affect one or more user organizations.

* State that management has disclosed to the service auditor all design deficiencies in policies and procedures of which it is aware, including those for which management believes the cost of corrective action may exceed the benefits.

If the scope of the work includes tests of operating effectiveness, the service auditor should obtain a written representation from the service organization's management stating that management has disclosed to the service auditor all instances, of which it is aware, when policies and procedures have not operated with sufficient effectiveness to achieve the specified control objectives.

Reporting on Substantive Procedures

58. The service auditor may be requested to apply substantive procedures to user transactions or assets at the service organization. In such circumstances, the service auditor may make specific reference in his or her report to having carried out the designated procedures or may provide a separate report in accordance with SAS No. 35, Special Reports--Applying Agreed-Upon Procedures to Specified Elements, Accounts, or Items of a Financial Statement (AICPA, Professional Standards, vol. 1, AU sec. 622). Either form of reporting should include a description of the nature, timing, extent, and results of the procedures in sufficient detail to be useful to user auditors in deciding whether to use the results as evidence to support their opinions.

EFFECTIVE DATE

59. This Statement is effective for service auditors' reports dated after March 31, 1993. Earlier application of this Statement is encouraged.

This Statement entitled Reports on the Processing of Transactions by Service Organizations was adopted unanimously by the seventeen members of the board.

Auditing Standards Board (1991)

DONALD L. NEEBES, Chairman

WALTER R. BOGAN

WILLIAM A. BROADUS

JACOB J. COHEN

TIMOTHY E. DURBIN

STUART H. HARDEN

MURRAY B. HIRSCH

GARY L. HOLSTRUM

GARY A. HOTCHKISS

RICHARD A. JONES

A.V. LAROCCA

GEORGE A. LEWIS

D. EDWARD MARTIN

EDWARD E. NUSBAUM

DON M. PALLAIS

MORTON B. SOLOMON

JOHN B. SULLIVAN

DAN M. GUY

Vice President, Auditing

JUDITH M. SHERINSKY

Technical Manager,

Auditing Standards
COPYRIGHT 1992 American Institute of CPA's
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 1992, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Publication:Journal of Accountancy
Date:Jul 1, 1992