
Statement on auditing standards no. 70.


Note: Statements on Auditing Standards are issued by the Auditing Standards Board, the senior technical body of the Institute designated to issue pronouncements on auditing matters. Rule 202 of the Institute's Code of Professional Conduct requires compliance with these standards.

REPORTS ON THE PROCESSING OF TRANSACTIONS BY SERVICE ORGANIZATIONS

(SUPERSEDES STATEMENT ON AUDITING STANDARDS NO. 44, AICPA, PROFESSIONAL STANDARDS, VOL. 1, AU SEC. 324)

CONTENTS

Introduction and Applicability/1-4
The User Auditor's Consideration of the Effect of the Service Organization on the Internal Control Structure of the User Organization and the Availability of Audit Evidence/5-17
  The Effect of a Service Organization on a User Organization's Internal Control Structure/6
  Planning the Audit/7-10
  Assessing Control Risk at the User Organization/11-16
  Audit Evidence From Substantive Audit Procedures Performed by Service Auditors/17
Considerations in Using a Service Auditor's Report/18-21
Responsibilities of Service Auditors/22-58
  Reports on Policies and Procedures Placed in Operation/25-40
  Reports on Policies and Procedures Placed in Operation and Tests of Operating Effectiveness/41-56
  Written Representations of the Service Organization's Management/57
  Reporting on Substantive Procedures/58
Effective Date/59


INTRODUCTION AND APPLICABILITY

1. This Statement provides guidance on the factors an independent auditor should consider when auditing the financial statements of an entity that uses a service organization to process certain transactions. This Statement also provides guidance for independent auditors who issue reports on the processing of transactions by a service organization for use by other auditors.

2. For purposes of this Statement, the following definitions apply:

* User organization--The entity that has engaged a service organization and whose financial statements are being audited

* User auditor--The auditor who reports on the financial statements of the user organization

* Service organization--The entity (or segment of an entity) that provides services to the user organization

* Service auditor--The auditor who reports on the processing of transactions by a service organization

* Report on policies and procedures placed in operation--A service auditor's report on a service organization's description of its control structure policies and procedures that may be relevant to a user organization's internal control structure, on whether such policies and procedures were suitably designed to achieve specified control objectives, and on whether they had been placed in operation as of a specific date

* Report on policies and procedures placed in operation and tests of operating effectiveness--A service auditor's report on a service organization's description of its control structure policies and procedures that may be relevant to a user organization's internal control structure, on whether such policies and procedures were suitably designed to achieve specified control objectives, on whether they had been placed in operation as of a specific date, and on whether the policies and procedures that were tested were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the related control objectives were achieved during the period specified

3. The guidance in this Statement is applicable to the audit of the financial statements of an entity that obtains either or both of the following services from another organization:

* Executing transactions and maintaining the related accountability

* Recording transactions and processing related data

Service organizations that provide such services include, for example, bank trust departments that invest and hold assets for employee benefit plans or for others, mortgage bankers that service mortgages for others, and electronic data processing (EDP) service centers that process transactions and related data for others. The guidance in this Statement may also be relevant to situations in which an organization develops, provides, and maintains the software used by client organizations. The provisions of this Statement are not intended to apply to situations in which the services provided are limited to executing client organization transactions that are specifically authorized by the client, such as the processing of checking account transactions by a bank or the execution of securities transactions by a broker. This Statement also is not intended to apply to the audit of transactions arising from financial interests in partnerships, corporations, and joint ventures, such as working interests in oil and gas ventures, when proprietary interests are accounted for and reported to interest holders.

4. This Statement is organized into the following sections:

a. The user auditor's consideration of the effect of the service organization on the internal control structure of the user organization and the availability of evidence to--

* Obtain the necessary understanding of the user organization's internal control structure to plan the audit

* Assess control risk at the user organization

* Perform substantive procedures

b. Considerations in using a service auditor's report

c. Responsibilities of service auditors

THE USER AUDITOR'S CONSIDERATION OF THE EFFECT OF THE SERVICE ORGANIZATION ON THE INTERNAL CONTROL STRUCTURE OF THE USER ORGANIZATION AND THE AVAILABILITY OF AUDIT EVIDENCE

5. The user auditor should consider the discussion in paragraphs 6 through 21 when planning and performing the audit of an entity that uses a service organization to process its transactions.

The Effect of a Service Organization on a User Organization's Internal Control Structure

6. When a user organization uses a service organization, transactions that affect the user organization's financial statements are subjected to policies and procedures that are, at least in part, physically and operationally separate from the user organization. The relationship of the policies and procedures of the service organization to those of the user organization depends primarily on the nature of the services provided by the service organization. For example, when those services are limited to recording user transactions and processing the related data, and the user organization retains responsibility for authorizing transactions and maintaining the related accountability, there is a high degree of interaction between the policies and procedures at the service organization and those at the user organization. In these circumstances, it may be possible for the user organization to implement effective internal control structure policies and procedures for those transactions. When the service organization executes the user organization's transactions and maintains the related accountability, there is a lower degree of interaction and it may not be practicable for the user organization to implement effective internal control structure policies and procedures for those transactions. The degree of interaction, as well as the nature and materiality of the transactions processed by the service organization, are the most important factors in determining the significance of the service organization's policies and procedures to the user organization's internal control structure.

Planning the Audit

7. SAS No. 55, Consideration of the Internal Control Structure in a Financial Statement Audit (AICPA, Professional Standards, vol. 1, AU sec. 319), states that an auditor should obtain a sufficient understanding of each of the three elements of the entity's internal control structure to plan the audit. This understanding should include knowledge about the design of relevant policies, procedures, and records and whether they have been placed in operation by the entity. In planning the audit, such knowledge should be used to--

* Identify types of potential misstatements.

* Consider factors that affect the risk of material misstatement.

* Design substantive tests.

8. If an entity uses a service organization, certain policies, procedures, and records of the service organization may be relevant to the user organization's ability to record, process, summarize, and report financial data consistent with the assertions embodied in the entity's financial statements. In determining the significance of these policies, procedures, and records to planning the audit, the user auditor should consider factors such as--

* The significance of the financial statement assertions that are affected by the policies and procedures of the service organization.

* The inherent risk associated with the assertions affected by the policies and procedures of the service organization.

* The nature of the services provided by the service organization and whether they are highly standardized and used extensively by many user organizations or unique and used only by a few.

* The extent to which the user organization's internal control structure policies and procedures interact with the policies and procedures of the service organization.

* The user organization's internal control structure policies and procedures that are applied to the transactions affected by the service organization's activities.

* The terms of the contract between the user organization and the service organization (for example, their respective responsibilities and the extent of the service organization's discretion to initiate transactions).

* The service organization's capabilities, including its--

--Record of performance.

--Insurance coverage.

--Financial stability.

* The user auditor's prior experience with the service organization.

* The extent of auditable data in the user organization's possession.

* The existence of specific regulatory requirements that may dictate the application of audit procedures beyond those required to comply with generally accepted auditing standards.

9. The user auditor should also consider the available information about the service organization's policies and procedures, including (a) the information in the user organization's possession, such as user manuals, system overviews, and technical manuals, and (b) the existence of reports on the service organization's policies and procedures, such as reports by service auditors, internal auditors (the user organization's or the service organization's), or regulatory authorities.

10. After considering the above factors and evaluating the available information, the user auditor may conclude that he or she has the means to obtain a sufficient understanding of the internal control structure to plan the audit. If the user auditor concludes that information is not available to obtain a sufficient understanding to plan the audit, he or she may consider contacting the service organization, through the user organization, to obtain specific information or request that a service auditor be engaged to perform procedures that will supply the necessary information, or the user auditor may visit the service organization and perform such procedures. If the user auditor is unable to obtain sufficient evidence to achieve his or her audit objectives, the user auditor should qualify his or her opinion or disclaim an opinion on the financial statements because of a scope limitation.

Assessing Control Risk at the User Organization

11. After obtaining an understanding of the internal control structure, the user auditor assesses control risk for the assertions embodied in the account balances and classes of transactions, including those that are affected by the activities of the service organization. In doing so, the user auditor may identify certain internal control structure policies and procedures that, if effective, would permit the user auditor to assess control risk below the maximum for particular assertions. Such policies and procedures may be applied at either the user organization or the service organization. The user auditor may conclude that it would be efficient to obtain evidential matter about the operating effectiveness of these policies and procedures to provide a basis for assessing control risk below the maximum.

12. A service auditor's report on policies and procedures placed in operation at the service organization should be helpful in providing a sufficient understanding to plan the audit of the user organization. Such a report, however, is not intended to provide any evidence of the operating effectiveness of the relevant policies and procedures that would allow the user auditor to reduce the assessed level of control risk below the maximum. Such evidential matter should be derived from one or more of the following:

a. Tests of the user organization's controls over the activities of the service organization (for example, the user auditor may test the user organization's independent performance of selected items processed by an EDP service center or test the user organization's reconciliation of output reports with source documents)

b. A service auditor's report on policies and procedures placed in operation and tests of operating effectiveness, or a report on the application of agreed-upon procedures that describes relevant tests of controls

c. Appropriate tests of controls performed by the user auditor at the service organization

13. The user organization may establish effective controls over the service organization's activities that may be tested and that may enable the user auditor to reduce the assessed level of control risk below the maximum for some or all of the related assertions. If a user organization, for example, uses an EDP service center to process payroll transactions, the user organization may establish internal control structure policies and procedures over input and output data to prevent or detect material misstatements. The user organization might perform the service organization's payroll calculations on a test basis. In this situation, the user auditor may perform tests of the user organization's controls over data processing that would provide a basis for assessing control risk below the maximum for the assertions related to payroll transactions. The user auditor may decide that obtaining evidence of the operating effectiveness of the service organization's policies and procedures, such as those over changes in payroll programs, is not necessary or efficient.

14. The user auditor may find that internal control structure policies and procedures relevant to assessing control risk below the maximum for particular assertions are applied only at the service organization. If the user auditor plans to assess control risk below the maximum for those assertions, he or she should evaluate the operating effectiveness of those policies and procedures by obtaining a service auditor's report that describes the results of the service auditor's tests of those policies and procedures (that is, a report on policies and procedures placed in operation and tests of operating effectiveness, or an agreed-upon procedures report) or by performing tests of controls at the service organization. If the user auditor decides to use a service auditor's report, the user auditor should consider the extent of the evidence provided by the report about the effectiveness of policies and procedures intended to prevent or detect material misstatements in the particular assertions. The user auditor remains responsible for evaluating the evidence presented by the service auditor and for determining its effect on the assessment of control risk at the user organization.

15. The user auditor's assessments of control risk regarding assertions about account balances or classes of transactions are based on the combined evidence provided by the service auditor's report and the user auditor's own procedures. In making these assessments, the user auditor should consider the nature, source, and interrelationships among the evidence, as well as the period covered by the tests of controls. The user auditor uses the assessed levels of control risk, as well as his or her understanding of the internal control structure, in determining the nature, timing, and extent of substantive tests for particular assertions.

16. The guidance in SAS No. 55, paragraphs 46 through 55, regarding the auditor's consideration of the sufficiency of evidential matter to support a specific assessed level of control risk is applicable to user auditors considering evidential matter provided by a service auditor's report on policies and procedures placed in operation and tests of operating effectiveness. Because the report may be intended to satisfy the needs of several different user auditors, a user auditor should determine whether the specific tests of controls and results in the service auditor's report are relevant to assertions that are significant in the user organization's financial statements. For those tests of controls and results that are relevant, a user auditor should consider whether the nature, timing, and extent of such tests of controls and results provide appropriate evidence about the effectiveness of the policy or procedure to support the user auditor's desired assessed level of control risk. In evaluating these factors, user auditors should also keep in mind that, for certain assertions, the shorter the period covered by a specific test and the longer the time elapsed since the performance of the test, the less support for control risk reduction the test may provide.

Audit Evidence From Substantive Audit Procedures Performed by Service Auditors

17. Service auditors may be engaged to perform procedures that are substantive in nature for the benefit of user auditors. Such engagements may involve the performance, by the service auditor, of procedures agreed upon by the user organization and its auditor and by the service organization and its auditor. In addition, there may be requirements imposed by governmental authorities or through contractual arrangements whereby service auditors perform designated procedures that are substantive in nature. The results of the application of the required procedures to balances and transactions processed by the service organization may be used by user auditors as part of the evidence necessary to support their opinions.

CONSIDERATIONS IN USING A SERVICE AUDITOR'S REPORT

18. In considering whether the service auditor's report is satisfactory for his or her purposes, the user auditor should make inquiries concerning the service auditor's professional reputation. Appropriate sources of information concerning the professional reputation of the service auditor are discussed in SAS No. 1, Codification of Auditing Standards and Procedures (AICPA, Professional Standards, vol. 1, AU sec. 543, "Part of Audit Performed by Other Independent Auditors," paragraph 10a).

19. In considering whether the service auditor's report is sufficient to meet his or her objectives, the user auditor should give consideration to the guidance in AU sec. 543.12. If the user auditor believes that the service auditor's report may not be sufficient to meet his or her objectives, the user auditor may supplement his or her understanding of the service auditor's procedures and conclusions by discussing with the service auditor the scope and results of the service auditor's work. Also, if the user auditor believes it is necessary, he or she may contact the service organization, through the user organization, to request that the service auditor perform agreed-upon procedures at the service organization, or the user auditor may perform such procedures.

20. When assessing a service organization's policies and procedures and how they interact with a user organization's internal control structure policies and procedures, the user auditor may become aware of the existence of reportable conditions. In such circumstances, the user auditor should consider the guidance provided in SAS No. 60, Communication of Internal Control Structure Related Matters Noted in an Audit (AICPA, Professional Standards, vol. 1, AU sec. 325).

21. The user auditor should not make reference to the report of the service auditor as a basis, in part, for his or her own opinion on the user organization's financial statements. The service auditor's report is used in the audit, but the service auditor is not responsible for examining any portion of the financial statements as of any specific date or for any specified period. Thus, there cannot be a division of responsibility for the audit of the financial statements.

RESPONSIBILITIES OF SERVICE AUDITORS

22. The service auditor is responsible for the representations in his or her report and for exercising due care in the application of procedures that support those representations. Although a service auditor's engagement differs from an audit of financial statements conducted in accordance with generally accepted auditing standards, it should be performed in accordance with the general standards and with the relevant fieldwork and reporting standards. Although the service auditor should be independent from the service organization, it is not necessary for the service auditor to be independent from each user organization.

23. As a result of procedures performed at the service organization, the service auditor may become aware of illegal acts, irregularities, or corrected errors attributable to the service organization's management or employees that may affect one or more user organizations. The terms errors, irregularities, and illegal acts are defined in SAS No. 53, The Auditor's Responsibility to Detect and Report Errors and Irregularities, and SAS No. 54, Illegal Acts by Clients (AICPA, Professional Standards, vol. 1, AU secs. 316 and 317); the definitions therein are relevant to this section. When the service auditor becomes aware of such matters, he or she should determine from the appropriate level of management of the service organization whether this information has been communicated appropriately to affected user organizations, unless those matters are clearly inconsequential. If the management of the service organization has not communicated the information to affected user organizations and is unwilling to do so, the service auditor should inform the service organization's audit committee or others with equivalent authority or responsibility. If the audit committee does not respond appropriately to the service auditor's communication, the service auditor should consider whether to resign from the engagement. The service auditor may wish to consult with his or her attorney in making this decision.

24. The type of engagement to be performed and the related report to be prepared should be established by the service organization. However, when circumstances permit, discussions between the service organization and the user organizations are advisable to determine the type of report that will be most suitable for the user organizations' needs. This Statement provides guidance on the two types of reports that may be issued:

a. Reports on policies and procedures placed in operation--A service auditor's report on a service organization's description of the policies and procedures that may be relevant to a user organization's internal control structure, on whether such policies and procedures were suitably designed to achieve specified control objectives, and on whether they had been placed in operation as of a specific date. Such reports may be useful in providing a user auditor with an understanding of the policies and procedures necessary to plan the audit and to design effective tests of controls and substantive tests at the user organization, but they are not intended to provide the user auditor with a basis for reducing his or her assessments of control risk below the maximum.

b. Reports on policies and procedures placed in operation and tests of operating effectiveness--A service auditor's report on a service organization's description of the policies and procedures that may be relevant to a user organization's internal control structure, on whether such policies and procedures were suitably designed to achieve specified control objectives, on whether they had been placed in operation as of a specific date, and on whether the policies and procedures that were tested were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the related control objectives were achieved during the period specified. Such reports may be useful in providing the user auditor with an understanding of the policies and procedures necessary to plan the audit and may also provide the user auditor with a basis for reducing his or her assessments of control risk below the maximum.

Reports on Policies and Procedures Placed in Operation

25. The information necessary for a report on policies and procedures placed in operation ordinarily is obtained through discussions with appropriate service organization personnel and through reference to various forms of documentation, such as system flowcharts and narratives.

26. After obtaining a description of the relevant policies and procedures, the service auditor should determine whether the description provides sufficient information for user auditors to obtain an understanding of those aspects of the service organization's policies and procedures that may be relevant to a user organization's internal control structure. The description should contain a discussion of the features of the service organization's policies and procedures that would have an effect on a user organization's internal control structure. Such features are relevant when they directly affect the service provided to the user organization. They may include features generally considered to be part of the control environment, specific activities that may represent a user organization's accounting system or a portion thereof, or specific policies and procedures designed to control such functions. Control environment elements may include hiring practices and the involvement of internal auditors. Accounting system elements would include the ways in which user transactions are initiated and processed. Control structure policies and procedures employed by a service organization, such as policies and procedures over the modification of computer programs, ordinarily are designed to meet specific control objectives. The specific control objectives of the service organization should be set forth in the service organization's description of policies and procedures.

27. Evidence of whether policies and procedures have been placed in operation is ordinarily obtained through previous experience with the service organization and through procedures such as inquiry of appropriate management, supervisory, and staff personnel; inspection of service organization documents and records; and observation of service organization activities and operations.

For the type of report described in paragraph 24a, these procedures need not be supplemented by tests of the operating effectiveness of the service organization's policies and procedures.

28. Although a service auditor's report on policies and procedures placed in operation is as of a specified date, the service auditor should inquire about changes in the service organization's policies and procedures that may have occurred before the beginning of fieldwork. If the service auditor believes that the changes would be considered significant by user organizations and their auditors, those changes should be included in the description of the service organization's policies and procedures. If the service auditor concludes that the changes would be considered significant by user organizations and their auditors and the changes are not included in the description of the service organization's policies and procedures, the service auditor should describe the changes in his or her report. Such changes might include--

* Procedural changes made to accommodate provisions of a new FASB Statement of Financial Accounting Standards.

* Major changes in an application to permit on-line processing.

* Procedural changes to eliminate previously identified deficiencies.

Changes that occurred more than twelve months before the date being reported on normally would not be considered significant, because they generally would not affect user auditors' considerations.

29. A service auditor's report expressing an opinion on a description of policies and procedures placed in operation at a service organization should contain--

a. A specific reference to the applications, services, products, or other aspects of the service organization covered.

b. A description of the scope and nature of the service auditor's procedures.

c. Identification of the party specifying the control objectives.

d. An indication that the purpose of the service auditor's engagement was to obtain reasonable assurance about whether (1) the service organization's description presents fairly, in all material respects, the aspects of the service organization's policies and procedures that may be relevant to a user organization's internal control structure, (2) the policies and procedures were suitably designed to achieve specified control objectives, and (3) such policies and procedures had been placed in operation as of a specific date.

e. A disclaimer of opinion on the operating effectiveness of the policies and procedures.

f. The service auditor's opinion on whether the description presents fairly, in all material respects, the relevant aspects of the service organization's policies and procedures that had been placed in operation as of a specific date and whether, in the service auditor's opinion, the policies and procedures were suitably designed to provide reasonable assurance that the specified control objectives would be achieved if those policies

g. A statement of the inherent limitations of the potential effectiveness of policies and procedures at the service organization and of the risk of projecting to future periods any evaluation of the description.

h. Identification of the parties for whom the report is intended.

30. If the service auditor believes that the description is inaccurate or insufficiently complete for user auditors, the service auditor's report should so state and should contain sufficient detail to provide user auditors with an appropriate understanding.

31. It may become evident to the service auditor, when considering the service organization's description of policies and procedures placed in operation, that the system was designed with the assumption that certain internal control structure policies and procedures would be implemented by the user organization. If the service auditor is aware of the need for such complementary user organization internal control structure policies and procedures, these should be delineated in the description of policies and procedures. If the application of internal control structure policies and procedures by user organizations is necessary to achieve the stated control objectives, the service auditor's report should be modified to include the phrase "and user organizations applied the internal control structure policies and procedures contemplated in the design of the Service Organization's policies and procedures" following the words "complied with satisfactorily" in the scope and opinion paragraphs.

32. The service auditor should consider conditions that come to his or her attention that, in the service auditor's judgment, represent significant deficiencies in the design or operation of the service organization's policies and procedures that preclude the service auditor from obtaining reasonable assurance that specified control objectives would be achieved. The service auditor should also consider whether any other information, irrespective of specified control objectives, has come to his or her attention that causes him or her to conclude (a) that design deficiencies exist that could adversely affect the ability to record, process, summarize, or report financial data to user organizations without error and (b) that user organizations would not generally be expected to have policies and procedures in place to mitigate such design deficiencies.

33. The description of policies and procedures and control objectives required for these reports may be prepared by the service organization. If the service auditor prepares the description of policies and procedures and control objectives, the representations in the description remain the responsibility of the service organization.

34. For the service auditor to express an opinion on whether the policies and procedures were suitably designed to achieve the specified control objectives, it is necessary that--

a. The service organization identify and appropriately describe such control objectives and the relevant policies and procedures.

b. The service auditor consider the linkage of the policies and procedures to the stated control objectives.

c. The service auditor obtain sufficient evidence to reach an opinion.

35. The control objectives may be designated by the service organization or by outside parties such as regulatory authorities, a user group, or others. When the control objectives are not established by outside parties, the service auditor should be satisfied that the control objectives, as set forth by the service organization, are reasonable in the circumstances and consistent with the service organization's contractual obligations.

36. The service auditor's report should state whether the policies and procedures were suitably designed to achieve the specified control objectives. The report should not state whether they were suitably designed to achieve objectives beyond the specifically identified control objectives.

37. The service auditor's opinion on whether the policies and procedures were suitably designed to achieve the specified control objectives is not intended to provide evidence of operating effectiveness or to provide the user auditor with a basis for concluding that control risk may be assessed below the maximum.

38. The following is a sample report on policies and procedures placed in operation at a service organization. The report should have, as an attachment, a description of the service organization's policies and procedures that may be relevant to a user organization's internal control structure. This report is illustrative only and should be modified as appropriate to suit the circumstances of individual engagements.

To XYZ Service Organization:

We have examined the accompanying description of the _______ application of XYZ Service Organization. Our examination included procedures to obtain reasonable assurance about whether (1) the accompanying description presents fairly, in all material respects, the aspects of XYZ Service Organization's policies and procedures that may be relevant to a user organization's internal control structure, (2) the control structure policies and procedures included in the description were suitably designed to achieve the control objectives specified in the description, if those policies and procedures were complied with satisfactorily, and (3) such policies and procedures had been placed in operation as of ______________. The control objectives were specified by ___________. Our examination was performed in accordance with standards established by the American Institute of Certified Public Accountants and included those procedures we considered necessary in the circumstances to obtain a reasonable basis for rendering our opinion.

We did not perform procedures to determine the operating effectiveness of policies and procedures for any period. Accordingly, we express no opinion on the operating effectiveness of any aspects of Service Organization's policies and procedures, individually or in the aggregate.

In our opinion, the accompanying description of the aforementioned application presents fairly, in all material respects, the relevant aspects of XYZ Service Organization's policies and procedures that had been placed in operation as of ________. Also, in our opinion, the policies and procedures, as described, are suitably designed to provide reasonable assurance that the specified control objectives would be achieved if the described policies and procedures were complied with satisfactorily.

The description of policies and procedures at XYZ Service Organization is as of __________ and any projection of such information to the future is subject to the risk that, because of change, the description may no longer portray the system in existence. The potential effectiveness of specific policies and procedures at the Service Organization is subject to inherent limitations and, accordingly, errors or irregularities may occur and not be detected. Furthermore, the projection of any conclusions, based on our findings, to future periods is subject to the risk that changes may alter the validity of such conclusions.

This report is intended solely for use by the management of XYZ Service Organization, its customers, and the independent auditors of its customers.

39. If the service auditor concludes that the description is inaccurate or insufficiently complete for user auditors, the service auditor should so state in an explanatory paragraph preceding the opinion paragraph. An example of such an explanatory paragraph follows:

The accompanying description states that XYZ Service Organization uses operator identification numbers and passwords to prevent unauthorized access to the system. Based on inquiries of staff personnel and inspections of activities, we determined that such procedures are employed in Applications A and B but are not required to access the system in Applications C and D.

In addition, the first sentence of the opinion paragraph would be modified to read as follows:

In our opinion, except for the matter referred to in the preceding paragraph, the accompanying description of the aforementioned application presents fairly, in all material respects, the relevant aspects of XYZ Service Organization's policies and procedures that had been placed in operation as of ____________.

40. If, after applying the criteria in paragraph 32, the service auditor concludes that there are significant deficiencies in the design or operation of the service organization's policies and procedures, the service auditor should report those conditions in an explanatory paragraph preceding the opinion paragraph. An example of an explanatory paragraph service organization's policies and procedures follows:

As discussed in the accompanying description, from time to time the Service Organization makes changes in application programs to correct deficiencies or to enhance capabilities. The procedures followed in determining whether to make changes, in designing the changes, and in implementing them do not include review and approval by authorized individuals who are independent from those involved in making the changes. There are also no specified requirements to test such changes or provide test results to an authorized reviewer prior to implementing the changes.

In addition, the second sentence of the opinion paragraph would be modified to read as follows:

Also in our opinion, except for the deficiency referred to in the preceding paragraph, the policies and procedures, as described, are suitably designed to provide reasonable assurance that the specified control objectives would be achieved if the described policies and procedures were complied with satisfactorily.

Report on Policies and Procedures Placed in Operation and Tests of Operating Effectiveness

Paragraphs 41 through 56 repeat some of the information contained in paragraphs 25 through 40 to provide readers with a comprehensive, stand-alone presentation of the relevant considerations for each type of report.

41. The information necessary for a report on policies and procedures placed in operation and tests of operating effectiveness ordinarily is obtained through discussions with appropriate service organization personnel, through reference to various forms of documentation, such as system flowcharts and narratives, and through the performance of tests of controls. Evidence of whether policies and procedures have been placed in operation is ordinarily obtained through previous experience with the service organization and through procedures such as inquiry of appropriate management, supervisory, and staff personnel; inspection of service organization documents and records; and observation of service organization activities and operations. The service auditor applies tests of controls to determine whether specified policies and procedures are operating with sufficient effectiveness to achieve specified control objectives. SAS No. 39, Audit Sampling (AICPA, Professional Standards, vol. 1, AU sec. 350), provides guidance on the application and evaluation of audit sampling in performing tests of controls.

42. After obtaining a description of the relevant policies and procedures, the service auditor should determine whether the description provides sufficient information for user auditors to obtain an understanding of the aspects of the service organization's policies and procedures that may be relevant to a user organization's internal control structure. The description should contain a discussion of the features of the service organization's policies and procedures that would have an effect on a user organization's internal control structure. Such features are relevant when they directly affect the service provided to the user organization. They may include features generally considered to be part of the control environment, specific activities that may represent a user organization's accounting system or a portion thereof, or specific policies and procedures designed to control such functions. Control environment elements may include hiring practices and the involvement of internal auditors. Accounting system elements would include the ways in which user transactions are initiated and processed. Control structure policies and procedures employed by a service organization, such as policies and procedures over the modification of computer programs, ordinarily are designed to meet specific control objectives. The specific control objectives of the service organization should be set forth in the service organization's description of policies and procedures.

43. The service auditor should inquire about changes in the service organization's policies and procedures that may have occurred before the beginning of fieldwork. If the service auditor believes the changes would be considered significant by user organizations and their auditors, those changes should be included in the description of the service organization's policies and procedures. If the service auditor concludes that the changes would be considered significant by user organizations and their auditors and the changes are not included in the description of the service organization's policies and procedures, the service auditor should describe the changes in his or her report. Such changes might include--

* Procedural changes made to accommodate provisions of a new FASB Statement of Financial Accounting Standards.

* Major changes in an application to permit on-line processing.

* Procedural changes to eliminate previously identified deficiencies.

Changes that occurred more than twelve months before the date being reported on normally would not be considered significant, because they generally would not affect user auditors' considerations.

44. A service auditor's report expressing an opinion on a description of policies and procedures placed in operation at a service organization and tests of operating effectiveness should contain--

a. A specific reference to the applications, services, products, or other aspects of the service organization covered.

b. A description of the scope and nature of the service auditor's procedures.

c. Identification of the party specifying the control objectives.

d. An indication that the purpose of the service auditor's engagement was to obtain reasonable assurance about whether (1) the service organization's description presents fairly, in all material respects, the aspects of the service organization's policies and procedures that may be relevant to a user organization's internal control structure, (2) the policies and procedures were suitably designed to achieve specified control objectives, and (3) such policies and procedures had been placed in operation as of a specific date.

e. The service auditor's opinion on whether the description presents fairly, in all material respects, the relevant aspects of the service organization's policies and procedures that had been placed in operation as of a specific date and whether, in the service auditor's opinion, the policies and procedures were suitably designed to provide reasonable assurance that the specified control objectives would be achieved if those policies and procedures were complied with satisfactorily.

f. A reference to a description of tests of specified service organization policies and procedures designed to obtain evidence about the operating effectiveness of those policies and procedures in achieving specified control objectives. The description should include the policies and procedures that were tested, the control objectives the policies and procedures were intended to achieve, the tests applied, and the results of the tests. The description should include an indication of the nature, timing, and extent of the tests, as well as sufficient detail to enable user auditors to determine the effect of such tests on user auditors' assessments of control risk. To the extent that the service auditor identified causative factors for exceptions, determined the current status of corrective actions, or obtained other relevant qualitative information about exceptions noted, such information should be provided.

g. A statement of the period covered by the service auditor's report on the operating effectiveness of the specified policies and procedures.

h. The service auditor's opinion on whether the policies and procedures that were tested were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the related control objectives were achieved during the period specified.

i. When all of the control objectives listed in the description of policies and procedures placed in operation are not covered by tests of operating effectiveness, a statement that the service auditor does not express an opinion on control objectives not listed in the description of tests performed at the service organization.

j. A statement that the relative effectiveness and significance of specific service organization policies and procedures and their effect on assessments of control risk at user organizations are dependent on their interaction with the policies, procedures, and other factors present at individual user organizations.

k. A statement that the service auditor has performed no procedures to evaluate the effectiveness of policies and procedures at individual user organizations.

l. A statement of the inherent limitations of the potential effectiveness of policies and procedures at the service organization and of the risk of projecting to the future any evaluation of the description or any conclusions about the effectiveness of policies and procedures in achieving control objectives.

m. Identification of the parties for whom the report is intended.

45. If the service auditor believes that the description is inaccurate or insufficiently complete for user auditors, the service auditor's report should so state and should contain sufficient detail to provide user auditors with an appropriate understanding.

46. It may become evident to the service auditor, when considering the service organization's description of policies and procedures placed in operation, that the system was designed with the assumption that certain internal control structure policies and procedures would be implemented by the user organization. If the service auditor is aware of the need for such complementary user organization internal control structure policies and procedures, these should be delineated in the description of policies and procedures. If the application of internal control structure policies and procedures by user organizations is necessary to achieve the stated control objectives, the service auditor's report should be modified to include the phrase "and user organizations applied the internal control structure policies and procedures contemplated in the design of the Service Organization's policies and procedures" following the words "complied with satisfactorily" in the scope and opinion paragraphs. Similarly, if the operating effectiveness of policies and procedures at the service organization is dependent on the application of policies and procedures at user organizations, this should be delineated in the description of tests performed.

47. The service auditor should consider conditions that come to his or her attention that, in the service auditor's judgment, represent significant deficiencies in the design or operation of the service organization's policies and procedures that preclude the service auditor from obtaining reasonable assurance that specified control objectives would be achieved. The service auditor should also consider whether any other information, irrespective of specified control objectives, has come to his or her attention that causes him or her to conclude (a) that design deficiencies exist that could adversely affect the ability to record, process, summarize, or report financial data to user organizations without error and (b) that user organizations would not generally be expected to have policies and procedures in place to mitigate such design deficiencies.

48. The description of policies and procedures and control objectives required for these reports may be prepared by the service organization. If the service auditor prepares the description of policies and procedures and control objectives, the representations in the description remain the responsibility of the service organization.

49. For the service auditor to express an opinion on whether the policies and procedures were suitably designed to achieve the specified control objectives, it is necessary that--

a. The service organization identify and appropriately describe such control objectives and the relevant policies and procedures.

b. The service auditor consider the linkage of the policies and procedures to the stated control objectives.

c. The service auditor obtain sufficient evidence to reach an opinion.

50. The control objectives may be designated by the service organization or by outside parties such as regulatory authorities, a user group, or others. When the control objectives are not established by outside parties, the service auditor should be satisfied that the control objectives, as set forth by the service organization, are reasonable in the circumstances and consistent with the service organization's contractual obligations.

51. The service auditor's report should state whether the policies and procedures were suitably designed to achieve the specified control objectives. The report should not state whether they were suitably designed to achieve objectives beyond the specifically identified control objectives.

52. The service auditor's opinion on whether the policies and procedures were suitably designed to achieve the specified control objectives is not intended to provide evidence of operating effectiveness or to provide the user auditor with a basis for concluding that control risk may be assessed below the maximum. Evidence that may enable the user auditor to conclude that control risk may be assessed below the maximum may be obtained from the results of specific tests of operating effectiveness.

53. The management of the service organization specifies whether all or selected applications and control objectives will be covered by the tests of operating effectiveness. The service auditor determines which policies and procedures are, in his or her judgment, necessary to achieve the control objectives specified by management. The service auditor then determines the nature, timing, and extent of the tests of controls needed to evaluate operating effectiveness. Testing should be applied to policies and procedures in effect throughout the period covered by the report. To be useful to user auditors, the report should ordinarily cover a minimum reporting period of six months.

54. The following is a sample report on policies and procedures placed in operation at a service organization and tests of operating effectiveness. It should be assumed that the report has two attachments: (a) a description of the service organization's policies and procedures that may be relevant to a user organization's internal control structure and (b) a description of policies and procedures for which tests of operating effectiveness were performed, the control objectives the policies and procedures were intended to achieve, the tests applied, and the results of those tests. This report is illustrative only and should be modified as appropriate to suit the circumstances of individual engagements.

To XYZ Service Organization:

We have examined the accompanying description of the _________ application of XYZ Service Organization. Our examination included procedures to obtain reasonable assurance about whether (1) the accompanying description presents fairly, in all material respects, the aspects of Service Organization's policies and procedures that may be relevant to a user organization's internal control structure, (2) the control structure policies and procedures included in the description were suitably designed to achieve the control objectives specified in the description, if those policies and procedures were complied with satisfactorily, and (3) such policies and procedures had been placed in operation as of _____________. The control objectives were specified by _______________. Our examination was performed in accordance with standards established by the American Institute of Certified Public Accountants and included those procedures we considered necessary in the circumstances to obtain a reasonable basis for rendering our opinion.

In our opinion, the accompanying description of the aforementioned application presents fairly, in all material respects, the relevant aspects of XYZ Service Organization's policies and procedures that had been placed in operation as of ______________. Also, in our opinion, the policies and procedures, as described, are suitably designed to provide reasonable assurance that the specified control objectives would be achieved if the described policies and procedures were complied with satisfactorily.

In addition to the procedures we considered necessary to render our opinion as expressed in the previous paragraph, we applied tests to specific policies and procedures, listed in Schedule X, to obtain evidence about their effectiveness in meeting the control objectives, described in Schedule X, during the period from ___________ to ____________. The specific policies and procedures and the nature, timing, extent, and results of the tests are listed in Schedule X. This information has been provided to user organizations of XYZ Service Organization and to their auditors to be taken into consideration, along with information about the internal control structure at user organizations, when making assessments of control risk for user organizations. In our opinion the policies and procedures that were tested, as described in Schedule X, were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives specified in Schedule X were achieved during the period from _____________ to __________________. [However, the scope of our engagement did not include tests to determine whether control objectives not listed in Schedule X were achieved; accordingly, we express no opinion on the achievement of control objectives not included in Schedule X.]

The relative effectiveness and significance of specific policies and procedures at XYZ Service Organization and their effect on assessments of control risk at user organizations are dependent on their interaction with the policies, procedures, and other factors present at individual user organizations. We have performed no procedures to evaluate the effectiveness of policies and procedures at individual user organizations. The description of policies and procedures at Service Organization is as of _____________, and information about tests of the operating effectiveness of specified policies and procedures covers the period from ___________ to ______________. Any projection of such information to the future is subject to the risk that, because of change, the description may no longer portray the system in existence. The potential effectiveness of specified policies and procedures at the Service Organization is subject to inherent limitations and, accordingly, errors or irregularities may occur and not be detected. Furthermore, the projection of conclusions, based on our findings, to future periods is subject to the risk that changes may alter the validity of such conclusions.

This report is intended solely for use by the management of XYZ Service Organization, its customers, and the independent auditors of its customers.

55. If the service auditor concludes that the description is inaccurate or insufficiently complete for user auditors, the service auditor should so state in an explanatory paragraph preceding the opinion paragraph. An example of such an explanatory paragraph follows:

The accompanying description states that XYZ Service Organization uses operator identification numbers and passwords to prevent unauthorized access to the system. Based on inquiries of staff personnel and inspection of activities, we determined that such procedures are employed in Applications A and B but are not required to access the system in Applications C and D.

In addition, the first sentence of the opinion paragraph would be modified to read as follows:

In our opinion, except for the matter referred to in the preceding paragraph, the accompanying description of the aforementioned application presents fairly, in all material respects, the relevant aspects of XYZ Service Organization's policies and procedures that had been placed in operation as of __________.

56. If, after applying the criteria in paragraph 47, the service auditor concludes that there are significant deficiencies in the design or operation of the service organization's policies and procedures, the service auditor should report those conditions in an explanatory paragraph preceding the opinion paragraph. An example of an explanatory paragraph describing a significant deficiency in the design or operation of the service organization's policies and procedures follows:

As discussed in the accompanying description, from time to time the Service Organization makes changes in application programs to correct deficiencies or to enhance capabilities. The procedures followed in determining whether to make changes, in designing the changes, and in implementing them do not include review and approval by authorized individuals who are independent from those involved in making the changes. There are also no specified requirements to test such changes or provide test results to an authorized reviewer prior to implementing the changes.

In addition, the second sentence of the opinion paragraph would be modified to read as follows:

Also in our opinion, except for the deficiency referred to in the preceding paragraph, the policies and procedures, as described, are suitably designed to provide reasonable assurance that the related control objectives would be achieved if the described policies and procedures were complied with satisfactorily.

Written Representations of the Service Organization Management

57. Regardless of the type of report issued, the service auditor should obtain written representations from the service organization's management that--

* Acknowledge management's responsibility for establishing and maintaining appropriate policies and procedures relating to the processing of transactions for user organizations.

* Acknowledge the appropriateness of the specified control objectives.

* State that the description of policies and procedures presents fairly, in all material respects, the aspects of the service organization's policies and procedures that may be relevant to a user organization's internal control structure.

* State that the policies and procedures, as described, had been placed in operation as of a specified date.

* State that management believes its policies and procedures were suitably designed to achieve the specified control objectives.

* State that management has disclosed to the service auditor any significant changes in policies and procedures that have occurred since the service organization's last examination.

* State that management has disclosed to the service auditor any illegal acts, irregularities, or uncorrected errors attributable to the service organization's management or employees that may affect one or more user organizations.

* State that management has disclosed to the service auditor all design deficiencies in policies and procedures of which it is aware, including those for which management believes the cost of corrective action may exceed the benefits.

If the scope of the work includes tests of operating effectiveness, the service auditor should obtain a written representation from the service organization's management stating that management has disclosed to the service auditor all instances, of which it is aware, when policies and procedures have not operated with sufficient effectiveness to achieve the specified control objectives.

Reporting on Substantive Procedures

58. The service auditor may be requested to apply substantive procedures to user transactions or assets at the service organization. In such circumstances, the service auditor may make specific reference in his or her report to having carried out the designated procedures or may provide a separate report in accordance with SAS No. 35, Special Reports--Applying Agreed-Upon Procedures to Specified Elements, Accounts, or Items of a Financial Statement (AICPA, Professional Standards, vol. 1, AU sec. 622). Either form of reporting should include a description of the nature, timing, extent, and results of the procedures in sufficient detail to be useful to user auditors in deciding whether to use the results as evidence to support their opinions.

EFFECTIVE DATE

59. This Statement is effective for service auditors' reports dated after March 31, 1993. Earlier application of this Statement is encouraged.

This Statement entitled Reports on the Processing of Transactions by Service Organizations was adopted unanimously by the seventeen members of the board.

Auditing Standards Board (1991)

DONALD L. NEEBES, Chairman

WALTER R. BOGAN

WILLIAM A. BROADUS

JACOB J. COHEN

TIMOTHY E. DURBIN

STUART H. HARDEN

MURRAY B. HIRSCH

GARY L. HOLSTRUM

GARY A. HOTCHKISS

RICHARD A. JONES

A.V. LAROCCA

GEORGE A. LEWIS

D. EDWARD MARTIN

EDWARD E. NUSBAUM

DON M. PALLAIS

MORTON B. SOLOMON

JOHN B. SULLIVAN

DAN M. GUY

Vice President, Auditing

JUDITH M. SHERINSKY

Technical Manager, Auditing Standards

COPYRIGHT 1992 American Institute of CPA's
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 1992, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Publication:Journal of Accountancy
Date:Jul 1, 1992
Words:9310