AI 18: Consideration of an Entity's Use of a Service Organization: Auditing Interpretations of AS 2601

View AS 2601, Consideration of an Entity's Use of a Service Organization

Summary Table of Contents

• .01  Describing Tests of Operating Effectiveness and the Results of Such Tests
• .04  Service Organizations That Use the Services of Other Service Organizations (Subservice Organizations)
• .35  Responsibilities of Service Organizations and Service Auditors With Respect to Forward-Looking Information in a Service Organizationʹs Description of Controls
• .38 Statements About the Risk of Projecting Evaluations of the Effectiveness of Controls to Future Periods 

1.Describing Tests of Operating Effectiveness and the Results of Such Tests

.01        Question—Paragraph .44f of AS 2601, Consideration of an Entityʹs Use of a Service Organization, specifies the elements that should be included in a description of tests of operating effectiveness, which is part of a report on controls placed in operation and tests of operating effectiveness. AS 2601.44f states:

". . . The description should include the controls that were tested, the control objectives the controls were intended to achieve, the tests applied and the results of the tests. The description should include an indication of the nature, timing, and extent of the tests, as well as sufficient detail to enable user auditors to determine the effect of such tests on user auditorsʹ assessments of control risk. To the extent that the service auditor identified causative factors for exceptions, determined the current status of corrective actions, or obtained other relevant qualitative information about exceptions noted, such information should be provided."

When a service auditor performs an engagement that includes tests of operating effectiveness, what information and how much detail should be included in the description of the "tests applied" and the "results of the tests"?

.02        Interpretation—In all cases, for each control objective tested, the description of tests of operating effectiveness should include all of the elements listed in AS 2601.44f, whether or not the service auditor concludes that the control objective has been achieved. The description should provide sufficient information to enable user auditors to assess control risk for financial statement assertions affected by the service organization. The description need not be a duplication of the service auditorʹs detailed audit program, which in some cases would make the report too voluminous for user auditors and would provide more than the required level of detail.

.03        In describing the nature, timing, and extent of the tests applied, the service auditor also should indicate whether the items tested represent a sample or all of the items in the population, but need not indicate the size of the population. In describing the results of the tests, the service auditor should include exceptions and other information that in the service auditor's judgment could be relevant to user auditors. Such exceptions and other information should be included for each control objective, whether or not the service auditor concludes that the control objective has been achieved. When exceptions that could be relevant to user auditors are noted, the description also should include the following information:

• The size of the sample, when sampling has been used
• The number of exceptions noted
• The nature of the exceptions

If no exceptions or other information that could be relevant to user auditors are identified by the tests, the service auditor should indicate that finding (for example, "No relevant exceptions noted").

2. Service Organizations That Use the Services of Other Service Organizations (Subservice Organizations)

.04        Question—A service organization may use the services of another service organization, such as a bank trust department that uses an independent computer processing service organization to perform its data processing. In this situation, the bank trust department is a service organization and the computer processing service organization is considered a subservice organization. How are a user auditorʹs and a service auditorʹs procedures affected when a service organization uses a subservice organization?

.05        Interpretation—When a service organization uses a subservice organization, the user auditor should determine whether the processing performed by the subservice organization affects assertions in the user organizationʹs financial statements and whether those assertions are significant to the user organizationʹs financial statements. To plan the audit and assess control risk, a user auditor may need to consider the controls at both the service organization and the subservice organization. AS 2601.06 through .17 provide guidance to user auditors on considering the effect of a service organization on a user organizationʹs internal control. Although AS 2601.06-.17 do not specifically refer to subservice organizations, when a subservice organization provides services to a service organization, the guidance in these paragraphs should be interpreted to include the subservice organization. For example, in situations where subservice organizations are used, the interaction between the user organization and the service organization described in AS 2601.06 would be expanded to include the interaction between the user organization, the service organization and the subservice organization.

.06        Similarly, a service auditor engaged to examine the controls of a service organization and issue a service auditorʹs report may need to consider functions performed by the subservice organization and the effect of the subservice organizationʹs controls on the service organization.

.07        The degree of interaction and the nature and materiality of the transactions processed by the service organization and the subservice organization are the most important factors to consider in determining the significance of the subservice organizationʹs controls to the user organizationʹs internal control. AS 2601.11-.16 describe how a user auditorʹs assessment of control risk is affected when a user organization uses a service organization. When a subservice organization is involved, the user auditor may need to consider activities at both the service organization and the subservice organization in applying the guidance in these paragraphs.

.08        Question—How does a user auditor obtain information about controls at a subservice organization?

.09        Interpretation—If a user auditor concludes that he or she needs information about the subservice organization to plan the audit or to assess control risk, the user auditor (a) may contact the service organization through the user organization and may contact the subservice organization either through the user organization or the service organization to obtain specific information or (b) may request that a service auditor be engaged to perform procedures that will supply the necessary information. Alternatively, the user auditor may visit the service organization or subservice organization and perform such procedures.

.10        Question—When a service organization uses a subservice organization, what information about the subservice organization should be included in the service organizationʹs description of controls?

.11        Interpretation—A service organizationʹs description of controls should include a description of the functions and nature of the processing performed by the subservice organization in sufficient detail for user auditors to understand the significance of the subservice organizationʹs functions to the processing of the user organizations' transactions. Ordinarily, disclosure of the identity of the subservice organization is not required. However, if the service organization determines that the identity of the subservice organization would be relevant to user organizations, the name of the subservice organization may be included in the description. The purpose of the description of the functions and nature of the processing performed by the subservice organization is to alert user organizations and their auditors to the fact that another entity (that is, the subservice organization) is involved in the processing of the user organizations' transactions and to summarize the functions the subservice organization performs.

.12        When a subservice organization performs services for a service organization, there are two alternative methods of presenting the description of controls. The service organization determines which method will be used.

1. The Carve-Out Method—The subservice organization's relevant control objectives and controls are excluded from the description and from the scope of the service auditor's engagement. The service organization states in the description that the subservice organization's control objectives and related controls are omitted from the description and that the control objectives in the report include only the objectives the service organization's controls are intended to achieve.
2. The Inclusive Method—The subservice organization's relevant controls are included in the description and in the scope of the engagement. The description should clearly differentiate between controls of the service organization and controls of the subservice organization. The set of control objectives includes all of the objectives a user auditor would expect both the service organization and the subservice organization to achieve. To accomplish this, the service organization should coordinate the preparation and presentation of the description of controls with the subservice organization.

In either method, the service organization includes in its description of controls a description of the functions and nature of the processing performed by the subservice organization, as set forth in paragraph .11.

.13        If the functions and processing performed by the subservice organization are significant to the processing of user organization transactions, and the service organization does not disclose the existence of the subservice organization and the functions it performs, the service auditor may need to issue a qualified or adverse opinion as to the fairness of the presentation of the description of controls.

.14        Question—How is the service auditor's report affected by the method of presentation selected?

.15        Interpretation—If the service organization has adopted the carve-out method, the service auditor should modify the scope paragraph of the service auditor's report to briefly summarize the functions and nature of the processing performed by the subservice organization. This summary ordinarily would be briefer than the information provided by the service organization in its description of the functions and nature of the processing performed by the subservice organization. The service auditor should include a statement in the scope paragraph of the service auditor's report indicating that the description of controls includes only the control objectives and related controls of the service organization; accordingly, the service auditor's examination does not extend to controls at the subservice organization.

.16        An example of the scope paragraph of a service auditor's report using the carve-out method is presented below. Additional or modified report language is shown in boldface italics.

Sample Scope Paragraph of a Service Auditor's Report Using the Carve-Out Method

Service Auditor's Report of Independent Registered Public Accounting Firm

To the Board of Directors of Example Trust Company:

We have examined the accompanying description of the controls of Example Trust Company applicable to the processing of transactions for users of the Institutional Trust Division. Our examination included procedures to obtain reasonable assurance about whether (1) the accompanying description presents fairly, in all material respects, the aspects of Example Trust Company's controls that may be relevant to a user organization's internal control as it relates to an audit of financial statements; (2) the controls included in the description were suitably designed to achieve the control objectives specified in the description, if those controls were complied with satisfactorily, and user organizations applied the controls contemplated in the design of Example Trust Company's controls; and (3) such controls had been placed in operation as of June 30, 20XX. Example Trust Company uses a computer processing service organization for all of its computerized application processing. The accompanying description includes only those control objectives and related controls of Example Trust Company and does not include control objectives and related controls of the computer processing service organization. Our examination did not extend to controls of the computer processing service organization. The control objectives were specified by the management of Example Trust Company. Our examination was performed in accordance with the standards of the Public Company Accounting Oversight Board (United States) and included those procedures we considered necessary in the circumstances to obtain a reasonable basis for rendering our opinion.

[The remainder of the report is the same as the standard service auditor's report illustrated in AS 2601.38 and .54.]

.17        If the service organization has used the inclusive method, the service auditor should perform procedures comparable to those described in AS 2601.12. Such procedures may include performing tests of the service organization's controls over the activities of the subservice organization or performing procedures at the subservice organization. If the service auditor will be performing procedures at the subservice organization, the service organization should arrange for such procedures. The service auditor should recognize that the subservice organization generally is not the client for the engagement. Accordingly, in these circumstances the service auditor should determine whether it will be possible to obtain the required evidence to support the portion of the opinion covering the subservice organization and whether it will be possible to obtain an appropriate letter of representations regarding the subservice organization's controls.

.18        An example of a service auditor's report using the inclusive method is presented below. Additional or modified report language is shown in boldface italics.

Sample Service Auditor's Report Using the Inclusive Method

Service Auditor's Report of Independent Registered Public Accounting Firm

To the Board of Directors of Example Trust Company:

We have examined the accompanying description of the controls of Example Trust Company and Computer Processing Service Organization, an independent service organization that provides computer processing services to Example Trust Company, applicable to the processing of transactions for users of the Institutional Trust Division. Our examination included procedures to obtain reasonable assurance about whether (1) the accompanying description presents fairly, in all material respects, the aspects of Example Trust Company's and Computer Processing Service Organization's controls that may be relevant to a user organization's internal control as it relates to an audit of financial statements; (2) the controls included in the description were suitably designed to achieve the control objectives specified in the description, if those controls were complied with satisfactorily, and user organizations applied the controls contemplated in the design of Example Trust Company's controls; and (3) the controls had been placed in operation as of June 30, 20XX. The control objectives were specified by the management of Example Trust Company. Our examination was performed in accordance with the standards of the Public Company Accounting Oversight Board (United States) and included those procedures we considered necessary in the circumstances to obtain a reasonable basis for rendering our opinion.

In our opinion, the accompanying description of the aforementioned controls presents fairly, in all material respects, the relevant aspects of Example Trust Company's and Computer Processing Service Organization's controls that had been placed in operation as of June 30, 20XX. Also, in our opinion, the controls, as described, are suitably designed to provide reasonable assurance that the specified control objectives would be achieved if the described controls were complied with satisfactorily and user organizations applied the controls contemplated in the design of Example Trust Company's controls.

In addition to the procedures we considered necessary to render our opinion as expressed in the previous paragraph, we applied tests to specific controls, listed in Schedule X to obtain evidence about their effectiveness in meeting the control objectives, described in Schedule X, during the period from January 1, 20XX, to June 30, 20XX. The specific controls and the nature, timing, extent, and results of the tests are listed in Schedule X. This information has been provided to user organizations of Example Trust Company and to their auditors to be taken into consideration, along with information about internal control at user organizations, when making assessments of control risk for user organizations. In our opinion the controls that were tested, as described in Schedule X, were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives specified in Schedule X were achieved during the period from January 1, 20XX, to June 30, 20XX.

The relative effectiveness and significance of specific controls at Example Trust Company and Computer Processing Service Organization, and their effect on assessments of control risk at user organizations are dependent on their interaction with the controls and other factors present at individual user organizations. We have performed no procedures to evaluate the effectiveness of controls at individual user organizations.

The description of controls at Example Trust Company and Computer Processing Service Organization is as of June 30, 20XX, and information about tests of the operating effectiveness of specific controls covers the period from January 1, 20XX, to June 30, 20XX. Any projection of such information to the future is subject to the risk that, because of change, the description may no longer portray the controls in existence. The potential effectiveness of specific controls at the Service Organization and Computer Processing Service Organization is subject to inherent limitations and, accordingly, errors or fraud may occur and not be detected. Furthermore, the projection of any conclusions, based on our findings, to future periods is subject to the risk that changes may alter the validity of such conclusions.¹

This report is intended solely for use by the management of Example Trust Company, its users, and the independent auditors of its users.

July 10, 20XX

[3.] Responsibilities of Service Organizations and Service Auditors With Respect to Information About the Year 2000 Issue in a Service Organization's Description of Controls

[.19-.34]         [Paragraphs deleted.]

4. Responsibilities of Service Organizations and Service Auditors With Respect to Forward-Looking Information in a Service Organization's Description of Controls

.35        Question—AS 2601.32 requires a service auditor to consider "whether any other information, irrespective of specified control objectives, has come to his or her attention that causes him or her to conclude (a) that design deficiencies exist that could adversely affect the ability to initiate, record, process, or report financial data to user organizations without error, and (b) that user organizations would not generally be expected to have controls in place to mitigate such design deficiencies." A service auditor performing a service auditorʹs engagement may become aware that a service organization, whose system is correctly processing data during the period covered by the service auditorʹs examination, has not performed contingency planning or made adequate provision for disaster recovery, and may not be able to retrieve or process data in future periods. Does AS 2601.32 require a service auditor to identify, in his or her report, design deficiencies that do not affect processing during the period covered by the service auditor's examination but may represent potential problems in future periods?

.36        Interpretation—No. AS 2601.32 addresses design deficiencies that could adversely affect processing during the period covered by the service auditorʹs examination. AS 2601.32 does not apply to design deficiencies that potentially could affect processing in future periods. If the computer programs are correctly processing data during the period covered by the service auditorʹs examination, and such design deficiencies currently do not affect user organizationsʹ abilities to initiate, record, process, or report financial data, the service auditor would not be required to report such design deficiencies in his or her report, based on the requirements in AS 2601.32. However, if a service auditor becomes aware of design deficiencies at the service organization that could potentially affect the processing of user organizationsʹ transactions in future periods, the service auditor, in his or her judgment, may choose to communicate this information to the service organizationʹs management and advise management to disclose this information and its plans for correcting the design deficiencies in a section of the service auditorʹs document titled "Other Information Provided by the Service Organization."

.37        If the service organization includes information about the design deficiencies in the section of the document titled "Other Information Provided by the Service Organization," the service auditor should read the information and consider applying by analogy the guidance in AS 2710, Other Information in Documents Containing Audited Financial Statements. In addition, the service auditor should include a paragraph in his or her report disclaiming an opinion on the information provided by the service organization. The following is an example of such a paragraph.

The information in section 4 describing XYZ Service Organizationʹs plans to modify its disaster recovery plan is presented by the Service Organization to provide additional information and is not a part of the Service Organization's description of controls that may be relevant to a user organizationʹs internal control. Such information has not been subjected to the procedures applied in the examination of the description of the controls applicable to the processing of transactions for user organizations and, accordingly, we express no opinion on it.

A service auditor also may consider communicating information about the design deficiencies in the section of the service auditorʹs document titled "Other Information Provided by the Service Auditor."

5. Statements About the Risk of Projecting Evaluations of the Effectiveness of Controls to Future Periods

.38        Question—AS 2601.29g and .44l state that a service auditorʹs report should contain a statement of the inherent limitations of the potential effectiveness of controls at the service organization and of the risk of projecting to future periods any evaluation of the description. AS 2601.44l goes on to state that the report also should refer to the risk of projecting to the future "any conclusions about the effectiveness of controls in achieving control objectives." The sample service auditorʹs reports in AS 2601.38 and .54 include illustrative paragraphs that illustrate this caveat. The following excerpt is from AS 2601.54:

The description of controls at XYZ Service Organization is as of ____________, and information about tests of the operating effectiveness of specific controls covers the period from ____________ to ____________. Any projection of such information to the future is subject to the risk that, because of change, the description may no longer portray the controls in existence. The potential effectiveness of specific controls at the Service Organization is subject to inherent limitations and, accordingly, errors or fraud may occur and not be detected. Furthermore, the projection of any conclusions, based on our findings, to future periods is subject to the risk that changes may alter the validity of such conclusions.

The validity of projections to the future about the effectiveness of controls may be affected by changes made to the system and the controls, and also by the failure to make needed changes, for example, changes to accommodate new processing requirements. May a service auditorʹs report be expanded to describe the risk of projecting to the future conclusions about the effectiveness of controls?

.39        Interpretation—The sample reports in AS 2601.38 and .54 may be expanded to describe this risk. The first and second sentences of the illustrative paragraph above address the potential effect of change on the description of controls as of a specified date; accordingly, they do not require modification because new processing requirements would not affect the description as of the specified date. However, the last sentence in the sample report paragraph above could be expanded to describe the risk of projecting an evaluation of the controls to future periods because of changes to the system or controls, or the failure to make needed changes to the system or controls.

.40        Suggested additions to the paragraph in the illustrative service auditorʹs reports in AS 2601.38 and .54 are the following (new language is shown in italics.):

The description of controls at XYZ Service Organization is as of ___________, and information about tests of the operating effectiveness of specific controls covers the period from ____________ to _____________. Any projection of such information to the future is subject to the risk that, because of change, the description may no longer portray the controls in existence. The potential effectiveness of specific controls at the Service Organization is subject to inherent limitations and, accordingly, errors or fraud may occur and not be detected. Furthermore, the projection of any conclusions, based on our findings, to future periods is subject to the risk that changes made to the system or controls, or the failure to make needed changes to the system or controls, may alter the validity of such conclusions.

[6.] Responsibilities of Service Organizations and Service Auditors With Respect to Subsequent Events in a Service Auditorʹs Engagement

.41        [Paragraph deleted.]