This Audit Guide, updated with conforming changes as of May 1, 2009, provides guidance to service auditors engaged to issue reports on a service organization's controls and to user auditors engaged to audit the financial statements of entities that use service organizations. Many entities use outside service organizations to accomplish tasks that affect the entity's financial statements. Service organizations provide services ranging from performing a specific task under the direction of an entity to replacing entire business units or functions of an entity.
The guide summarizes applicable requirements and practices, and delivers "how-to" advice for handling audit issues common to Service Organizations. The appendices include examples of service auditors' reports, an illustrative representation letter for a service auditor's engagement, and an entire re-print of AU section 324, Service Organizations (AICPA, Professional Standards), AU section 324 (AICPA, PCAOB Standards and Related Rules, PCAOB Standards, As Amended), AU Section 9324, Service Organizations: Auditing Interpretations of Section 324 (AICPA, Professional Standards), and AU section 9324 (AICPA, PCAOB Standards and Related Rules, PCAOB Standards, As Amended).
Additionally, you'll find, included in this guide, the two exposure drafts the AICPA recently issued regarding service organizations. These proposed standards would create a new SSAE, Reporting on Controls at a Service Organization for use by service auditors, and a new SAS, Audit Considerations Relating to an Entity Using a Service Organization, for use by user auditors. The proposed SAS would supersede SAS No. 70 and the proposed SSAE would supersede the requirements and guidance for service auditors in AU section 324. The two exposure drafts were issued in November 2008 with comments due by February 2009.
For a topical listing of subject matter by chapter, click on the Table of Contents tab.
012779
Introduction*
I-01 Many entities use outside service organizations to accomplish tasks that affect the entity's financial statements. Service organizations provide services ranging from performing a specific task under the direction of an entity to replacing entire business units or functions of an entity. Over time, there has been a significant increase in the use of service organizations. Because many of the functions performed by service organizations affect an entity's financial statements, auditors performing audits of financial statements may need to obtain information about those services, the related service organization controls, and their effects on an entity's financial statements.
I-02 Examples of service organizations that perform functions thatmay affect other entities' financial statements are bank trust departments that invest and service assets for employee benefit plans or for others, mortgage bankers that service mortgages for others, and application service providers that provide packaged software applications and a technology environment that enables customers to process financial and operational transactions.
I-03 An auditor may be engaged to issue a report on a service organization's controls for use by user organizations and their auditors. Statement on Auditing Standards (SAS) No. 70, Service Organizations, as amended (AICPA, Professional Standards, vol. 1, AU sec. 324), provides guidance to an auditor performing (1) an audit of a user organization's financial statements, and (2) procedures at a service organization that will enable the auditor to issue a service auditor's report on a service organization's controls that may be part of user organizations' information systems. Although a service auditor's report may be used by management of a service organization and its user organizations, its primary purpose is to provide information to auditors who audit user organizations' financial statements. The purpose of this guide is to help auditors of entities that use service organizations (user auditors) and auditors issuing reports on the controls of service organizations (service auditors) implement SAS No. 70, as amended.
I-04 Publicly held companies and other issuers are subject to the provisions of the Sarbanes-Oxley Act of 2002 (act) and related Securities and Exchange Commission regulations implementing the act. Their outside auditors are also subject to the provisions of the act and to the rules and standards issued by the Public Company Accounting Oversight Board (PCAOB). The PCAOB adopted as interim standards, on an initial, transitional basis, the AICPA generally accepted auditing standards in existence on April 16, 2003. Since then certain of these interim standards have been amended. The PCAOB has also issued six auditing standards. These standards include
| • | Auditing Standard No. 1, References in Auditors' Reports to the Standards of the Public Company Accounting Oversight Board (AICPA, PCAOBStandards and Related Rules, Rules of the Board, "Standards") |
| • | Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction With an Audit of Financial Statements |
| • | Auditing Standard No. 3, Audit Documentation (AICPA, PCAOB Standards and Related Rules, Rules of the Board, "Standards") |
| • | Auditing Standard No. 4, Reporting on Whether a Previously Reported Material Weakness Continues to Exist (AICPA, PCAOB Standards and Related Rules, Rules of the Board, "Standards") |
| • | Auditing Standard No. 5, An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements (AICPA, PCAOB Standards and Related Rules, Rules of the Board, "Standards") |
| • | Auditing Standard No. 6, Evaluating Consistency of Financial Statements (AICPA, PCAOB Standards and Related Rules, Rules of the Board, "Standards") |
I-05 Because this guide is designed to provide guidance to service auditors engaged to issue reports on a service organization's controls that may be part of a user organization's information system in the context of an audit of financial statements and to provide guidance to user auditors engaged to audit the financial statements of entities that use service organizations, Auditing Standard Nos. 1-6 are not reflected in this guide, except to reflect certain conforming amendments made by those standards to certain of the interim standards discussed in this guide. For issuers, certain of these conforming amendments have been identified throughout this guide, as applicable. Certain of the provisions in Auditing Standard No. 5 are relevant to situations in which an auditor is engaged solely to audit a company's financial statements and not just when performing an audit of internal control over financial reporting that is integrated with an audit of financial statements (integrated audit). For information on PCAOB auditing standards, quality control standards, and related guidance that may have been issued subsequent to the writing of this guide, please refer to the PCAOB Web site at www.pcaob.org (audits of issuers only).
012779
