9.4
The service auditor may become aware of (1) fraud, (2) uncorrected misstatements that are not clearly trivial, or (3) noncompliance with laws or regulations that may affect the user entity.
(S)he then should determine the effects and whether the information has been communicated to user entities. If not, the service auditor should inform those charged with governance of the service organization. If (s)he is not satisfied with the response, the service auditor may consider obtaining legal advice or withdrawing from the engagement.
Reporting by the User Auditor: 1. The user auditor should express a qualified opinion or disclaim an opinion if __________. 2. The user auditor should __________ refer to the work of a service auditor in the user auditor's report containing __________. 3. If a reference to the work of a service auditor is relevant to understanding a __________ of the opinion, the report should indicate that the reference does not reduce the user auditor's responsibility.
1. (s)he cannot obtain sufficient appropriate audit evidence regarding the services provided by the service organization relevant to the audit of the user entity. 2. not; an unmodified opinion 3. modification
If the user auditor plans to use a type 1 or type 2 report, the user auditor should
1. Evaluate whether the report is appropriate for the user auditor's purposes; 2. Evaluate the sufficiency and appropriateness of the evidence provided by the report for understanding the user entity's relevant internal control; and 3. Determine whether complementary user entity controls identified by the service organization are relevant to the RMMs relating to the relevant assertions in the user entity's financial statements and, if so, obtain an understanding of whether the user entity has designed and implemented such controls.
Modified opinion from the service auditor: the opinion should be modified if
1. Management's description of the service organization's system is not fairly presented, 2. The controls are not suitably designed, 3. The controls did not operate effectively in the case of a type 2 report, or 4. The service auditor was not able to obtain sufficient appropriate evidence.
2 objectives of the user auditor under AU-C 402
1. Obtain an understanding of the nature and significance of the services provided by the service organization and their effect on the user entity's internal control relevant to the audit. The understanding should be sufficient to identify and assess the risks of material misstatement. 2. Design and perform audit procedures responsive to those risks.
If the user auditor is unable to obtain a sufficient understanding of the controls from the user entity, the user auditor should obtain that understanding from one or more of the following procedures
1. Obtaining and reading a service auditor's report, if available (This subunit applies to this option.) 2. Contacting the service organization, through the user entity, to obtain specific information 3. Performing procedures at the service organization to provide the necessary information about its relevant controls 4. Using another auditor to perform procedures to provide the necessary information about the relevant controls at the service organization
If the user auditor chooses reliance on controls: when the user auditor's risk assessment includes an expectation that controls at the service organization are operating effectively, the user auditor should obtain audit evidence about the operating effectiveness of those controls from one or more of the following:
1. Obtaining and reading a type 2 report 2. Performing appropriate tests of controls at the service organization 3. Using another auditor to perform tests of controls at the service organization
4 areas the auditor should consider when understanding a service organization's services and internal control
1. The nature of the services provided by the service organization and their significance to the user entity, including their effect on the user entity's internal control 2. The nature and materiality of the transactions processed (or accounts or financial reporting processes affected) by the service organization 3. The degree of interaction between the service organization and the user entity 4. The nature of the relationship between the user entity and the service organization, including the relevant contractual terms
Using a type 1 or type 2 report to support the user auditor's understanding: the user auditor should be satisfied as to
1. The service auditor's professional competence and independence from the service organization and 2. The adequacy of the standards under which the report was issued.
A service organization's services and controls are part of the client's information system relevant to financial reporting if they have an effect on
1. The significant classes of transactions in the user entity's operations; 2. The systems, both IT and manual, that initiate, authorize, record, process, correct, and report the user entity's transactions; 3. How the user entity's information system captures significant events and conditions, other than transactions; or 4. The process used to prepare statements, including significant estimates and disclosures.
Regarding fraud, noncompliance, and uncorrected misstatements, the user auditor should
1. Inquire of management of the user entity about whether the user entity is aware of any (1) fraud, (2) noncompliance with laws and regulations, or (3) uncorrected misstatements at the service organization affecting the financial statements of the user entity. 2. Evaluate how such matters, if any, affect the nature, timing, and extent of the user auditor's further audit procedures, including the effect on the user auditor's conclusions and report.
The service auditor reports on controls at a service organization in one of the following:
1. Report on management's description of a service organization's system and the suitability of the design of controls (a SOC 1 type 1 report) 2. Report on management's description of a service organization's system, the suitability of the design of the controls, and operating effectiveness of controls (a SOC 1 type 2 report)
The service auditor reports on controls at a service organization in one of the following reports: Type 1 report - Type 2 report -
1. Report on management's description of a service organization's system and the suitability of the design of controls. 2. Report on management's description of a service organization's system, the suitability of the design of the controls, and operating effectiveness of controls.
Complementary user entity controls
are those that management of the service organization assumes, in the design of its service, will be implemented by user entities to achieve the control objectives.
user auditor
audits and reports on the financial statements of the user entity.
AT-C 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' ICFR
guidance for a service auditor's reports on a service organization's internal control. These reports also are known as SOC 1 reports (System and Organization Controls reports). SOC 2 and 3 reports that address other than financial reporting controls (e.g., security and privacy) may be issued by service auditors.
AU-C 402, Audit Considerations Relating to an Entity Using a Service Organization
guidance to a user auditor when the user entity uses a service organization.
subservice organization
is used by another service organization to perform some of the services provided to user entities that are relevant to their internal control over financial reporting.