
Service Organizations: Applying SAS No. 70, as Amended – AICPA Audit Guide

Publisher: AICPA
Availability: In Stock

Description

This Audit Guide, updated with conforming changes as of May 1, 2009, provides guidance to service auditors engaged to issue reports on a service organization's controls and to user auditors engaged to audit the financial statements of entities that use service organizations. Many entities use outside service organizations to accomplish tasks that affect the entity's financial statements. Service organizations provide services ranging from performing a specific task under the direction of an entity to replacing entire business units or functions of an entity.

The guide summarizes applicable requirements and practices and delivers "how-to" advice for handling audit issues common to service organizations. The appendices include examples of service auditors' reports, an illustrative representation letter for a service auditor's engagement, and complete reprints of AU section 324, Service Organizations (AICPA, Professional Standards), AU section 324 (AICPA, PCAOB Standards and Related Rules, PCAOB Standards, As Amended), AU section 9324, Service Organizations: Auditing Interpretations of Section 324 (AICPA, Professional Standards), and AU section 9324 (AICPA, PCAOB Standards and Related Rules, PCAOB Standards, As Amended).

The guide also includes the two exposure drafts the AICPA recently issued regarding service organizations. These proposed standards would create a new SSAE, Reporting on Controls at a Service Organization, for use by service auditors, and a new SAS, Audit Considerations Relating to an Entity Using a Service Organization, for use by user auditors. The proposed SAS would supersede SAS No. 70, and the proposed SSAE would supersede the requirements and guidance for service auditors in AU section 324. The two exposure drafts were issued in November 2008 with comments due by February 2009.


Table of Contents

  • Chapter 1 - Audit Considerations for an Entity That Uses a Service Organization
    • Applying AU Section 314 to the Audit of a User Organization's Financial Statements
      • Risk Assessment Procedures
      • Discussion Among the Audit Team
      • Understanding of the Entity and Its Environment
      • Understanding of Internal Control
    • The Effect of a Service Organization on a User Organization's Internal Control and Planning the Audit of a User Organization's Financial Statements
      • Examples of Service Organizations
      • Audit Planning
    • Sources of Information About a Service Organization
    • The User Auditor's Assessment of the Risks of Material Misstatement
    • Other Types of Internal Control Engagements
  • Chapter 2 - Form and Content of Service Auditor's Reports
    • Types of Service Auditors' Reports
    • Format and Content of Type 1 and Type 2 Reports
    • The Independent Service Auditor's Report
      • Use of a Service Auditor's Report
    • The Service Organization's Description of Controls
      • Aspects of the Control Environment That May Affect the Services Provided to User Organizations
      • Aspects of the Risk Assessment Process That May Affect the Services Provided to User Organizations
      • Aspects of Information and Communication That May Affect a User Organization's Internal Control
      • Aspects of Monitoring That May Affect the Services Provided to User Organizations
      • Level of Detail of the Description of Controls
      • Control Objectives, Related Controls, and Assertions in User Organizations' Financial Statements
    • Information Provided by the Service Auditor
      • The Description of Tests of the Operating Effectiveness of Controls and the Results of Those Tests
      • Other Information a Service Auditor May Provide
    • Other Information Provided by the Service Organization
    • Alternative Methods of Organizing Type 1 and Type 2 Reports
    • Other Matters
      • Engagements Involving Subservice Organizations
      • Certification of Computer Software
  • Chapter 3 - Using Type 1 and Type 2 Reports
    • Determining Whether to Use a Given Type 1 or Type 2 Report
    • Timing Considerations Related to Using a Service Organization's Description of Controls
    • The User Auditor's Consideration of Tests of Operating Effectiveness
    • Complementary Controls That May Be Required at User Organizations
    • Significant Deficiencies and Material Weaknesses
    • Uncorrected Errors at the Service Organization
  • Chapter 4 - Performing a Service Auditor's Engagement
    • Responsibilities of the Service Organization
    • Responsibilities of the Service Auditor
      • Procedures to Report on the Fairness of the Presentation of the Service Organization's Description of Controls
      • Procedures to Report on the Suitability of Design of Controls to Achieve Specified Control Objectives
      • Procedures to Report on the Operating Effectiveness of Controls to Achieve Specified Control Objectives
    • Describing Tests of Operating Effectiveness and the Results of Those Tests
      • Examples of Descriptions of Tests of Operating Effectiveness and the Results of Those Tests
    • Reporting When Controls Are Not Operating Effectively
    • Additional Comments Related to Type 2 Engagements
    • Other Matters Related to Performing a Service Auditor's Engagement
      • Complementary Controls at User Organizations
      • Other Design Deficiencies Irrespective of Specified Control Objectives
      • Changes in the Service Organization's Controls
      • Changes in the Control Objectives to Be Tested
      • Service Auditor's Recommendations for Improving Controls
      • Uncorrected Errors, Fraud, or Illegal Acts at a Service Organization
      • Representation Letter From the Service Organization's Management
      • Elements of the Service Organization's Description That Are Not Covered by the Service Auditor's Report
      • Going-Concern Matters
      • Significant Deficiencies and Material Weaknesses
      • Related Parties
      • Using the Work of Internal Auditors
      • Distribution of Reports
      • Board of Directors' Minutes
      • Legal Letters
      • Engagements to Report on Only the General Computer Controls of a Service Organization
  • Chapter 5 - Service Organizations That Use Other Service Organizations
    • Examples of Subservice Organizations and Subservicing Situations
    • The Effect of a Subservice Organization on a User Organization's Internal Control
    • Responsibilities of Service Organizations, User Auditors, and Service Auditors if Control Objectives Are Established by the Service Organization
      • Responsibilities of Service Organizations
      • Responsibilities of User Auditors
      • Responsibilities of Service Auditors
      • Sample Service Auditor's Report Using the Carve-Out Method
      • Sample Service Auditor's Report Using the Inclusive Method
    • Responsibilities of Service Organizations, User Auditors, and the Service Auditors if Control Objectives Are Established by an Outside Party
    • Subservice Organizations That Hold and Service Securities
  • Appendix A - Examples of Service Auditors' Reports, Descriptions of Controls Placed in Operation, and Descriptions of Tests of Operating Effectiveness
  • Appendix B - Illustrative Representation Letter for a Service Auditor's Engagement
  • Appendix C - Responsibilities of Service Organizations, Service Auditors, and User Auditors If Subservice Organizations Perform Significant Functions for User Organizations and Control Objectives Are Established by the Service Organization
  • Appendix D - Responsibilities of Service Organizations, Service Auditors, and User Auditors If Subservice Organizations Perform Significant Functions for User Organizations and Control Objectives Are Established by an Outside Party
  • Appendix E - Illustrative Control Objectives for Various Types of Service Organizations
  • Appendix F - AICPA Professional Standards, AU Section 324: Service Organizations
  • Appendix G - AICPA Professional Standards, AU Section 9324: Service Organizations: Auditing Interpretations of Section 324
  • Appendix H - AICPA, PCAOB Standards and Related Rules, AU Section 324: Service Organizations
  • Appendix I - AICPA, PCAOB Standards and Related Rules, AU Section 9324: Service Organizations: Auditing Interpretations of Section 324
  • Appendix J - Major Existing Differences Between AICPA Standards and PCAOB Standards
  • Appendix K - Proposed Statement on Auditing Standards, Audit Considerations Relating to an Entity Using a Service Organization
  • Appendix L - Proposed Statement on Standards for Attestation Engagements, Reporting on Controls at a Service Organization
  • Appendix M - Schedule of Changes Made to the Text From the Previous Edition


Excerpts

Introduction*

   I-01 Many entities use outside service organizations to accomplish tasks that affect the entity's financial statements. Service organizations provide services ranging from performing a specific task under the direction of an entity to replacing entire business units or functions of an entity. Over time, there has been a significant increase in the use of service organizations. Because many of the functions performed by service organizations affect an entity's financial statements, auditors performing audits of financial statements may need to obtain information about those services, the related service organization controls, and their effects on an entity's financial statements.

   I-02 Examples of service organizations that perform functions that may affect other entities' financial statements are bank trust departments that invest and service assets for employee benefit plans or for others, mortgage bankers that service mortgages for others, and application service providers that provide packaged software applications and a technology environment that enables customers to process financial and operational transactions.

   I-03 An auditor may be engaged to issue a report on a service organization's controls for use by user organizations and their auditors. Statement on Auditing Standards (SAS) No. 70, Service Organizations, as amended (AICPA, Professional Standards, vol. 1, AU sec. 324), provides guidance to an auditor performing (1) an audit of a user organization's financial statements, and (2) procedures at a service organization that will enable the auditor to issue a service auditor's report on a service organization's controls that may be part of user organizations' information systems. Although a service auditor's report may be used by management of a service organization and its user organizations, its primary purpose is to provide information to auditors who audit user organizations' financial statements. The purpose of this guide is to help auditors of entities that use service organizations (user auditors) and auditors issuing reports on the controls of service organizations (service auditors) implement SAS No. 70, as amended.

   I-04 Publicly held companies and other issuers are subject to the provisions of the Sarbanes-Oxley Act of 2002 (act) and related Securities and Exchange Commission regulations implementing the act. Their outside auditors are also subject to the provisions of the act and to the rules and standards issued by the Public Company Accounting Oversight Board (PCAOB). The PCAOB adopted as interim standards, on an initial, transitional basis, the AICPA generally accepted auditing standards in existence on April 16, 2003. Since then certain of these interim standards have been amended. The PCAOB has also issued six auditing standards. These standards include

•  Auditing Standard No. 1, References in Auditors' Reports to the Standards of the Public Company Accounting Oversight Board (AICPA, PCAOB Standards and Related Rules, Rules of the Board, "Standards")
•  Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction With an Audit of Financial Statements
•  Auditing Standard No. 3, Audit Documentation (AICPA, PCAOB Standards and Related Rules, Rules of the Board, "Standards")
•  Auditing Standard No. 4, Reporting on Whether a Previously Reported Material Weakness Continues to Exist (AICPA, PCAOB Standards and Related Rules, Rules of the Board, "Standards")
•  Auditing Standard No. 5, An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements (AICPA, PCAOB Standards and Related Rules, Rules of the Board, "Standards")
•  Auditing Standard No. 6, Evaluating Consistency of Financial Statements (AICPA, PCAOB Standards and Related Rules, Rules of the Board, "Standards")

   I-05 Because this guide is designed to provide guidance to service auditors engaged to issue reports on a service organization's controls that may be part of a user organization's information system in the context of an audit of financial statements and to provide guidance to user auditors engaged to audit the financial statements of entities that use service organizations, Auditing Standard Nos. 1-6 are not reflected in this guide, except to reflect certain conforming amendments made by those standards to certain of the interim standards discussed in this guide. For issuers, certain of these conforming amendments have been identified throughout this guide, as applicable. Certain of the provisions in Auditing Standard No. 5 are relevant to situations in which an auditor is engaged solely to audit a company's financial statements and not just when performing an audit of internal control over financial reporting that is integrated with an audit of financial statements (integrated audit). For information on PCAOB auditing standards, quality control standards, and related guidance that may have been issued subsequent to the writing of this guide, please refer to the PCAOB Web site at www.pcaob.org (audits of issuers only).


Subscription Info

Paperback 2009
Product# 012779
Regular: $87.50
AICPA Member: $70.00
Choose the Standing Order Option and get these discounts on your initial purchase:

Publications--10% discount
CPE Self-Study--20% discount

Each new future annual edition will then be automatically shipped to you at a 10% discount.