Service Organization Control Resources


Audit and Attest

An obvious difference for the service auditor is the change from audit to attest. The AICPA states that audit services are reserved for financial audits, so what the service auditor performs is an attestation. As such, the new standard was issued as an SSAE, applied under AT 101. Attest services are very definitive: management identifies specific procedures, and the auditor then performs exactly those procedures (agreed-upon procedures [AUPs]). This approach fits the evaluation of controls at an SO (service organization).

A new requirement, among others, is that management must provide a written assertion about the fairness of the presentation of the description of the system and about the suitability of the design (type 1) and operating effectiveness (type 2) of the controls. The written assertion is included in the service auditor's final report.

Source: Understanding the New SOC Reports

SSAE No. 18

  • Service organization. An organization or segment of an organization that provides services to user entities, which are likely to be relevant to those user entities’ internal control over financial reporting.
  • User entity. An entity that uses a service organization for which controls at the service organization are likely to be relevant to that entity’s internal control over financial reporting.
  • Service organization’s assertion. A written assertion about the matters referred to in part (b) of the definition of management’s description of a service organization’s system and a service auditor’s report on that description and on the suitability of the design and operating effectiveness of controls, for a type 2 report, and, for a type 1 report, the matters referred to in part (b) of the definition of management’s description of a service organization’s system and a service auditor’s report on that description and on the suitability of the design of controls.
  • Type 1 report. See management’s description of a service organization’s system and a service auditor’s report on that description and on the suitability of the design of controls.
  • Type 2 report. See management’s description of a service organization’s system and a service auditor’s report on that description and on the suitability of the design and operating effectiveness of controls.
  • Test of controls. A procedure designed to evaluate the operating effectiveness of controls in achieving the control objectives stated in management’s description of the service organization’s system.
  • Service organization’s system. The policies and procedures designed, implemented, and documented by management of the service organization to provide user entities with the services covered by the service auditor’s report. Management’s description of the service organization’s system identifies:
    • the services covered,
    • the period to which the description relates (or in the case of a type 1 report, the date to which the description relates),
    • the control objectives specified by management or an outside party,
    • the party specifying the control objectives (if not specified by management), and
    • the related controls. (Ref: par. .A8)
  • Controls at a service organization. The policies and procedures at a service organization likely to be relevant to user entities’ internal control over financial reporting. These policies and procedures are designed, implemented, and documented by the service organization to provide reasonable assurance about the achievement of the control objectives relevant to the services covered by the service auditor’s report. (Ref: par. .A7)
  • Control objectives. The aim or purpose of specified controls at the service organization. Control objectives address the risks that controls are intended to mitigate.