Product Image

Service Organizations: Applying SAS No. 70, as Amended – AICPA Audit Guide

Publisher: AICPA
Availability: Backordered
See Below To Add To Cart

Description

New 2008 edition coming June 30

This Audit Guide is designed to provide guidance to auditors reporting on a service organization's controls, this Guide also provides guidance to auditors of companies that use service organizations. In addition, it has been revised as of March 1, 2008 to reflect certain changes necessary because of the issuance of authoritative pronouncements.

Service organizations provide services ranging from performing a specific task under the direction of a company to replacing entire business units or functions of that company. Many companies use service organizations to accomplish tasks that affect the company's financial statements.

Because many of the service organizations' functions affect a company's financial statement, auditors auditing those financial statements may need information about those services, the related service organization's controls, and their effects on the company's financial statements.

Table of Contents

  • Chapter 1 - Audit Considerations for an Entity That Uses a Service Organization
    • Applying AU Section 319 to the Audit of a User Organization's Financial Statements
    • The Effect of a Service Organization on a User Organization's Internal Control and Planning the Audit of a User Organization's Financial Statements
    • Regulatory Capital Matters
      • Examples of Service Organizations
    • Sources of Information About a Service Organization
    • The User Auditor's Assessment of Control Risk
    • Other Types of Internal Control Engagements
  • Chapter 2 - Form and Content of Service Auditor's Reports
    • Types of Service Auditors' Reports
    • Format and Content of Type 1 and Type 2 Reports
    • The Independent Service Auditor's Report
      • Use of a Service Auditor's Report
    • The Service Organization's Description of Controls
      • Aspects of the Control Environment That May Affect the Services Provided to User Organizations
      • Aspects of the Risk Assessment Process That May Affect the Services Provided to User Organizations
      • Aspects of Information and Communication That May Affect a User Organization's Internal Control
      • Aspects of Monitoring That May Affect the Services Provided to User Organizations
      • Level of Detail of the Description of Controls
      • Control Objectives, Related Controls, and Assertions in User Organizations' Financial Statements
    • Information Provided by the Service Auditor
      • The Description of Tests of the Operating Effectiveness of Controls and the Results of Those Tests
      • Other Information a Service Auditor May Provide
    • Other Information Provided by the Service Organization
    • Alternative Methods of Organizing Type 1 and Type 2 Reports
    • Other Matters
      • Engagements Involving Subservice Organizations
      • Certification of Computer Software
  • Chapter 3 - Using Type 1 and Type 2 Reports
    • Determining Whether to Use a Given Type 1 or Type 2 Report
    • Timing Considerations Related to Using a Service Organization's Description of Controls
    • The User Auditor's Consideration of Tests of Operating Effectiveness
    • Complementary Controls That May Be Required at User Organizations
    • Reportable Conditions
    • Uncorrected Errors at the Service Organization
  • Chapter 4 - Performing a Service Auditor's Engagement
    • Responsibilities of the Service Organization
    • Responsibilities of the Service Auditor
      • Procedures to Report on the Fairness of the Presentation of the Service Organization's Description of Controls
      • Procedures to Report on the Suitability of Design of Controls to Achieve Specified Control Objectives
      • Procedures to Report on the Suitability of Design of Controls to Achieve Specified Control Objectives
    • Describing Tests of Operating Effectiveness and the Results of Those Tests
      • Examples of Descriptions of Tests of Operating Effectiveness and the Results of Those Tests
    • Reporting When Controls Are Not Operating Effectively
    • Additional Comments Related to Type 2 Engagements
    • Other Matters Related to Performing a Service Auditor's Engagement
      • Complementary Controls at User Organizations
      • Other Design Deficiencies Irrespective of Specified Control Objectives
      • Changes in the Service Organization's Controls
      • Changes in the Control Objectives to Be Tested
      • Service Auditor's Recommendations for Improving Controls
      • Uncorrected Errors, Fraud, or Illegal Acts at a Service Organization
      • Representation Letter From the Service Organization's Management
      • Elements of the Service Organization's Description That Are Not Covered by the Service Auditor's Report
      • Going-Concern Matters
      • Reportable Conditions
      • Related Parties
      • Using the Work of Internal Auditors
      • Distribution of Reports
      • Board of Directors' Minutes
      • Legal Letters
      • Engagements to Report on Only the General Computer Controls of a Service Organization
  • Chapter 5 - Service Organizations That Use Other Service Organizations
    • Examples of Subservice Organizations and Subservicing Situations
    • The Effect of a Subservice Organization on a User Organization's Internal Control
    • Responsibilities of Service Organizations, User Auditors, and Service Auditors if Control Objectives Are Established by the Service Organization
      • Responsibilities of Service Organizations
      • Responsibilities of User Auditors
      • Responsibilities of Service Auditors
      • Sample Service Auditor's Report Using the Carve-Out Method
      • Sample Service Auditor's Report Using the Inclusive Method
    • Responsibilities of Service Organizations, User Auditors, and the Service Auditors if Control Objectives Are Established by an Outside Party
    • Subservice Organizations That Hold and Service Securities
  • Appendixes
    • Appendix A: Examples of Service Auditors' Reports, Description of Controls Placed in Operation, and Descriptions of Tests of Operating Effectiveness
    • Appendix B: Illustrative Representation Letter for a Service Auditor's Engagement
    • Appendix C: Responsibilities of Service Organizations, Service Auditors, and User Auditors If Subservice Organizations Perform Significant Functions for User Organizations and Control Objectives Are Established by the Service Organization
    • Appendix D: Responsibilities of Service Organizations, Service Auditors, and User Auditors If Subservice Organizations Perform Significant Functions for User Organizations and Control Objectives Are Established by an Outside Party
    • Appendix E: Illustrative Control Objectives for Various Types of Service Organizations
    • Appendix F: AICPA Professional Standards, AU Section 324: Service Organizations
    • Appendix G: AICPA Professional Standards, AU Section 9324: Service Organizations: Auditing Interpretations of Section 324
    • Appendix H: Statement on Auditing Standards Cross-Referenced to Professional Standards AU Sections - Transition Schedule
    • Appendix I: Schedule of Changes Made to Service Organizations: Applying SAS No. 70, as Amended

Excerpts

Introduction
  
I-01   Many entities use outside service organizations to accomplish tasks that affect the entity's financial statements. Service organizations provide services ranging from performing a specific task under the direction of an entity to replacing entire business units or functions of an entity. In recent years, there has been a significant increase in the use of service organizations. Because many of the functions performed by service organizations affect an entity's financial statements, auditors performing audits of financial statements may need to obtain information about those services, the related service organization controls, and their effects on an entity's financial statements.

I-02   Examples of service organizations that perform functions that may affect other entities' financial statements are bank trust departments that hold and service assets for employee benefit plans or for others, mortgage bankers that service mortgages for others, and application service providers that provide software applications and a technology environment that enables customers to process financial and operational transactions.

I-03   An auditor may be engaged to issue a report on a service organization's controls for use by user organizations and their auditors. Statement on Auditing Standards (SAS) No. 70, Service Organizations, as amended (AICPA, Professional Standards, vol. 1, AU sec. 324),1 provides guidance to an auditor performing (1) an audit of a user organization's financial statements, and (2) procedures at a service organization that will enable the auditor to issue a ser- vice auditor's report on a service organization's controls that may be part of user organizations' information systems. Although a service auditor's report may be used by management of a service organization and its user organizations, its primary purpose is to provide information to auditors who audit user organizations' financial statements. The purpose of this Guide is to help auditors of entities that use service organizations (user auditors) and auditors issuing reports on the controls of service organizations (service auditors) implement SAS No. 70, as amended.

I-04   Publicly-held companies and other ''issuers'' are subject to the provisions of the Sarbanes-Oxley Act of 2002 (Act) and related Securities and Ex- change Commission (SEC) regulations implementing the Act. Their outside auditors are also subject to the provisions of the Act and to the rules and standards issued by the Public Company Accounting Oversight Board (PCAOB).  The PCAOB adopted as interim standards, on an initial, transitional basis, the AICPA generally accepted auditing standards in existence on April 16, 2003. In September 2004 certain of these interim standards were amended by PCAOB Release 2004-008, Conforming Amendments to PCAOB Interim Standards Resulting from the Adoption of PCAOB Auditing Standard No. 2, "An Audit Of Internal Control Over Financial Reporting Performed In Conjunction With An Audit of Financial Statements." The PCAOB has also issued four auditing standards. These standards include:

  • PCAOB Auditing Standard No. 1, References in Auditors' Reports to the Standards of the Public Company Accounting Oversight Board
  • PCAOB Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting performed in Conjunction With an Audit of Financial Statements
  • PCAOB Auditing Standard No. 3, Audit Documentation
  • PCAOB Auditing Standard No. 4, Reporting on Whether a Previously Reported Material Weakness Continues to Exist

I-05   Since this Guide is designed to provide guidance to service auditors engaged to issue reports on a service organization's controls that may be part of a user organization's information system in the context of an audit of financial statements and to provide guidance to user auditors engaged to audit the financial statements of entities that use service organizations, PCAOB Auditing Standards No. 1, 2, 3, and 4 are not reflected in this Guide, except to reflect certain conforming amendments made by PCAOB Release 2004-008 to certain of the interim standards discussed in this Guide. For issuers, these conforming amendments have been footnoted throughout this Guide, as applicable. Certain of the provisions in Release 2004-008 are relevant to situations in which an auditor is engaged solely to audit a company's financial statements and not just when performing an integrated audit of financial statements and internal control over financial reporting (''integrated audit"). For information on PCAOB auditing standards, quality control standards, and related guidance that may have been issued subsequent to the writing of this Guide, please refer to the PCAOB Web site at www.pcaobus.org (audits of issuers only).

Subscription Info

Paperback 2008
Product# 012778
Availability:Backordered
*Discounted price reflected in Shopping Cart
(What is the Standing Order Option?)
Regular:$86.25
AICPA Member:$69.00
Your Price:$86.25
To receive your AICPA member discount, Sign In now, or Register using your AICPA membership number.
Choose the Standing Order Option and get these discounts on your initial purchase:

Publications--10% discount
CPE Self-Study--20% discount

Each new future annual edition will then be automatically shipped to you at a 10% discount.