AUD 5.5 - Reporting On Controls At A Service Organization

Question 1

A service organizations services are considered to be part of what?

Answer 1

A user entity’s information system

Question 2

Service organizations often have an auditor do what?

Answer 2

Perform an attestation examination engagement to report on the controls of the service organization that are relevant to the user entity’s internal control over financial reporting

Question 3

ABC firm audits Party Solutions. Party Solutions uses Quick Payroll to process its payroll transactions. XYZ Firm audits Quick Payroll.
Who is the user entity, user auditor, service organization, and service auditor?

Answer 3

ABC Firm = user auditor
Party Solutions = user entity
Quick Payroll = service organization
XYZ Firm = service auditor

Question 4

What are the objectives of a service auditor?

Answer 4

1. Obtain reasonable assurance about whether managements description of the service organizations system fairly presents the system that was designed and implemented through the specified period
2. Obtain reasonable assurance that the control related to the control objectives stated in managements description are suitably designed throughout the specified period
3. Report in accordance with the service auditors findings

Question 5

The service auditors should perform the following procedures:

Answer 5

Assess the suitability of the criteria
Understand the service organizations system
Beta evidence about the description of the service orgs. System
Obtain evidence about the design of controls
Obtain evidence about the operating effectiveness of controls (if a type 2)
Obtain written representation from management
Consider subsequent events

Question 6

What report is used when evaluating the impact that certain relevant controls at the service organization have on the financials of the user entity?

Answer 6

SOC 1

Question 7

What report is used to give assurance to a broad range of users regarding the controls in place at a service organization relevant to one or more of the Trust Service criteria of security, availability, processing integrity, confidentiality, and privacy?

Answer 7

SOC 2

Question 8

This type of report that a service auditor may provide is a report on the design and implementation of a service organizations controls

Answer 8

Type 1 report

Question 9

This type of report that the service auditor may provide is a report on the design, implementation, and operating effectiveness of a service organizations controls

Answer 9

Type 2 report

Question 10

This type of report contains the following information:
1. Managements description of the service org’s system
2. Written assertion by management containing:
-system fairly presents the design and implementation of the system as of a specified date
-managements description were suitably designed to achieve the control objectives as of a specified date
3. The auditors opinion on managements assertion

Answer 10

Type 1 report

Question 11

What paragraphs are included in the service auditors report on a service organizations design of controls that is really important?

Answer 11

The inherent limitations paragraph
The restricted use paragraph
The “other matter” paragraph used to explain we did not perform procedures regarding operating effectiveness of controls

Question 12

This type of report contains the following information:
1. Managements description of the service org’s system
2. Written assertion by management containing:
-system fairly presents the design and implementation of the system as of a specified date
-controls were suitably designed to achieve the control objectives as of a specified date
-controls operated effectively to achieve the control objectives throughout a specified period
3. The auditors opinion on managements assertion
4. Description of the services auditors test of controls and results

Answer 12

Type 2 report

Question 13

What paragraphs are included in the service auditors report on a service organizations design and operating effectiveness of controls that is really important?

Answer 13

The inherent limitations paragraph
The restricted use paragraph
The description of the tests of controls

Question 14

When a user auditor receives this report from the service auditor, it may aid the user auditor in obtaining an understanding of the controls

Answer 14

SOC 1, Type 1 report

Question 15

When a user auditor receives this report from a service auditor, it provides the user auditor with assurance about the design, implementation, and operating effectiveness of the service org’s internal controls and therefore reduces control risk:

Answer 15

SOC 2, Type 2 report

Question 16

If the user auditor is unable to obtain sufficient appropriate audit evidence regarding the service provided by a service organization relevant to the audit, the user auditor should issue what opinion?

Answer 16

Qualified or disclaimer of opinion

Question 17

If the user auditor issuers and unmodified opinion, should they make reference to the report of the service auditor in the auditors report?

Answer 17

No, BUT can reference in their report if issues a modified opinion