The extent of the understanding of internal control over derivatives and securities obtained by the auditor depends on how much information the auditor needs to identify the types of potential misstatements, consider factors that affect the risk of material misstatement, design tests of controls when applicable, and design substantive tests. The understanding obtained may include controls over derivatives and securities transactions from their initiation to their inclusion in the financial statements. It may encompass controls placed in operation by the entity and by service organizations whose services are part of the entity’s information system. Section 319.47 defines the information system as the procedures, whether automated or manual, and records established by an entity to initiate, record, process, and report entity transactions and to maintain accountability for the related assets, liabilities, and equity. Following the guidance in section 324, Service Organizations, a service organization’s services are part of an entity’s information system for derivatives and securities if they affect any of the following:
- How the entity’s derivatives and securities transactions are initiated.
- The accounting records, supporting information, and specific accounts in the financial statements involved in the processing and reporting of the entity’s derivatives and securities transactions
- The accounting processing involved from the initiation of those transactions to their inclusion in the financial statements, including electronic means (such as computers and electronic data interchange) used to transmit, process, maintain, and access information
- The process the entity uses to report information about derivatives and securities transactions in its financial statements, including significant accounting estimates and disclosures
[Revised, May 2001, to reflect conforming changes necessary due to the issuance of Statement on Auditing Standards No. 94.]