Service organizations : reporting on controls at a service organization relevant to user entities' internal control over financial reporting

This updated and improved guide is designed to help CPAs effectively perform service organization control (SOC) 1 engagements under Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization. With the growth in business specialization, outsourcing to service organizations has become increasingly popular, increasing the demand for SOC 1SM engagements. This guide will help you: * Gain a deeper understanding of Service Organization Control Guidance and common practice issues, giving you the foundational knowledge to effectively perform engagements. * Provide best in class services related to planning, performing, and reporting on a service auditor s engagement. * Successfully complete the transition from SAS No. 70, Service Organizations, to SSAE No. 16, Reporting on Controls at a Service Organization (issued in April 2010). * Understand the kinds of information auditors of the financial statements of user entities need from a service auditor s report. * Implement SSAE No. 16 requirement regarding obtaining a written assertion from management of a service organization by providing illustrative management assertion for a type 1 and type 2 report. * Provide management representation letters and control objectives for various types of service organizations. In addition, this guide contains over 20 illustrative service auditor s reports to help you with situations that may require modification of the report. This guide has been fully conformed to reflect changes resulting from the clarified auditing standards.

• 1 Introduction and Background 01-.10 Other Types of Internal Control Engagements 10 2 Understanding How a User Auditor Uses a Type 1 or Type 2 Report .01-.20 Obtaining an Understanding of the Entity and Its Environment, Including the Entity s Internal Control When the Entity Uses a Service Organization 01-.03 Service Organization Services to Which AU-C Section 402 Does Not Apply 04 Understanding Whether Controls at a Service Organization Affect a User Entity s Internal Control 05-.11 Types of Service Auditor s Reports 12 Obtaining Evidence of the Operating Effectiveness of Controls at a Service Organization 13-.18 Information That Assists User Auditors in Evaluating the Effect of a Service Organization on a User Entity s Internal Control 19-.20 3 Planning a Service Auditor s Engagement 01-.112 Responsibilities of Management of the Service Organization 01-.112 Defining the Scope of the Engagement 02 Determining the Type of Engagement to Be Performed .03-.06 Determining the Period to Be Covered by the Report .07-.09 Determining Whether Any Subservice Organizations Will Be Included In or Carved Out of the Description .10-.34 Selecting the Criteria for the Description of the System .35 Preparing the Description .36-.56 Specifying the Control Objectives .57-.77 Preparing Management s Written Assertion 78-.98 Assessing the Suitability of Criteria 99-.100 Planning to Use the Work of the Internal Audit Function .101-.108 Coordinating Procedures With the Internal Audit Function .109-.112 Chapter Paragraph 4 Performing an Engagement Under AT Section 801 .01-.147 Obtaining and Evaluating Evidence About Whether the Description of the Service Organization s System Is Fairly Presented 01-.14 Other Information in the Description That Is Not Covered by the Service Auditor s Report .11-.12 Materiality Relating to the Fair Presentation of the Description of the Service Organization s System .13-.14 Evaluating Whether Control Objectives Relate to Internal Control Over Financial Reporting 15-.41 Implementation of Service Organization Controls .18-.23 Changes to the Scope of the Engagement 24-.27 Complementary User Entity Controls .28-.31 Subservice Organizations 32-.40 Other Matters Relating to Fair Presentation 41 Obtaining and Evaluating Evidence Regarding the Suitability of the Design of Controls 42-.65 Obtaining and Evaluating Evidence Regarding the Operating Effectiveness of Controls in a Type 2 Engagement .66-.67 Determining Which Controls to Test .68-.73 Designing and Performing Tests of Controls 74-.99 Nature of Tests of Controls 79-.89 Timing of Tests of Controls 90-.91 Extent of Tests of Controls .92-.95 Superseded Controls .96-.99 Selecting Items to Be Tested .100-.103 Using the Work of the Internal Audit Function 104-.115 Direct Assistance .114-.115 Evaluating the Results of Tests of Controls 116-.128 Controls That Did Not Operate During the Period Covered by the Service Auditor s Report .120-.126 Documentation .127-.128 Extending or Modifying the Period 129-.147 Management s Written Representations for the Extended or Modified Period 139 Deficiencies That Occur During the Original, Extended, or Modified Period .140-.143 Examination Quality Control 144-.147 5 Reporting and Completing the Engagement .01-.102 Responsibilities of the Service Auditor .01-.64 Describing Tests of Controls and the Results of Tests .02-.13 Preparing the Service Auditor s Report .14-.23 Chapter Paragraph 5 Reporting and Completing the Engagement continued Modifications to the Service Auditor s Report .24-.64 Other Matters Related to the Service Auditor s Report .65-.74 Intended Users of the Report 65-.67 Determining Whether an Entity Is an Indirect User Entity 68-.73 Report Date .74 Completing the Engagement 75-.93 Obtaining Written Representations 76-.87 Subsequent Events Up to the Date of the Service Auditor s Report 88-.92 Subsequently Discovered Facts That Become Known to the Service Auditor After the Release of the Service Auditor s Report .93 Service Auditor s Recommendations for Improving Controls .94 Management s Responsibilities During Engagement Completion 95-.102 Modifying Management s Written Assertion 96-.99 Distribution of the Report by Management .100-.102 Appendix A Illustrative Type 2 Reports B Illustrative Assertions By Management of a Service Organization and Management of a Subservice Organization for a Type 2 Engagement in Which the Inclusive Method Is Used to Present the Subservice Organization C Illustrative Management Representation Letters D Reporting on IT General Controls Only
• Illustrative Management Assertions and Service Auditor s Reports E Illustrative Control Objectives for Various Types of Service Organizations F Comparison of SOC 1, SOC 2, and SOC 3 Engagements and Related Reports G Other Referenced Authoritative Standards H Schedule of Changes Made to the Text From the Previous