
GAAS UPDATE SERVICE

Volume 09, Issue 06 March 30, 2009

PRONOUNCEMENT:

AICPA Proposed Statement on Standards for Attestation Engagements, Reporting on Controls at a Service Organization

PROPOSED EFFECTIVE DATE:

TBA; however, it is proposed to be concurrent with the effective date of proposed International Standard on Assurance Engagements (ISAE) 3402, Assurance Reports on Controls at a Third Party Service Organization

Summary & Highlights


The American Institute of Certified Public Accountants' (AICPA's) Auditing Standards Board (ASB) has issued an exposure draft (ED) of a proposed Statement on Standards for Attestation Engagements (SSAE) titled, Reporting on Controls at a Service Organization, which would supersede the requirements and guidance for auditors reporting on controls at service organizations currently included in AU Section 324, Service Organizations. Extant AU Section 324 contains guidance for auditors auditing the financial statements of entities that use a service organization (user auditors) and for auditors reporting on controls at a service organization (service auditors). The proposed SSAE will only contain guidance for service auditors reporting on controls at a service organization. Guidance for user auditors will be contained in a new Statement on Auditing Standards (SAS), Audit Considerations Relating to an Entity Using a Service Organization, which was exposed for comment concurrently with the proposed SSAE.

The proposed SSAE would affect the guidance pertaining to service auditors in extant AU Section 324 as follows:

- In a type 2 report (i.e., report on a description of a service organization's system and the suitability of the design and operating effectiveness of controls), the service auditor currently expresses an opinion as of a specific date. Under the proposed SSAE, the service auditor's report would contain an opinion on the fairness of the description of the service organization's system and on the suitability of the design of the controls for a period (not as of a specific date).
- Management of the service organization would be required to provide the service auditor with a written assertion about the following matters as a condition of engagement performance: (1) the fairness of the presentation of the description of the service organization's system; (2) the suitability of the design of the controls to achieve the related control objectives stated in the service organization's description; and (3) in a type 2 engagement, the operating effectiveness of those controls to achieve the related control objectives stated in the description.
- A service auditor would be able to report on controls at a service organization other than the controls that are relevant to user entities' financial reporting.
- When obtaining an understanding of the service organization's system, the service auditor would be required to obtain information to identify risks that, due to intentional acts by service organization personnel: (1) the description of the service organization's system is not fairly presented; or (2) the control objectives stated in the description were not achieved.
- When assessing the operating effectiveness of controls in a type 2 engagement, evidence obtained by service auditors in prior engagements about the satisfactory operation of controls in prior periods does not provide a basis for a reduction in testing in the current period (even if supplemented with evidence obtained during the current period).
- A service auditor's report would identify the customers to whom use of the report is restricted as follows: (1) customers as of the date of the service organization's description covered by the report in a type 1 report; or (2) customers of the service organization's system during some or all of the period covered by the service auditor's report in a type 2 report.

The proposed SSAE has been drafted using the ED of International Standard on Assurance Engagements (ISAE) 3402, Assurance Reports on Controls at a Third Party Service Organization, as a base. To the extent practicable, differences between the proposed SSAE and the ISAE 3402 ED have been eliminated. Yet, in other instances, the ASB has made certain changes so that the guidance provided in the proposed SSAE is tailored more appropriately for the U.S. environment.

Analysis & Explanation


Acceptance and Continuance of Engagements to Report on Controls at a Service Organization
The service auditor should accept or continue an engagement to report on controls at a service organization only if the following conditions are met:

- The criteria to be used will be suitable and available to the intended users.
- The service auditor will have access to sufficient, appropriate evidence.
- The scope of the engagement and the description of the service organization's system will not be so limited that they are unlikely to be useful to user entities and their auditors.
- Management of the service organization acknowledges and accepts responsibility for various specified aspects of the engagement.
- Management of the service organization provides a written assertion that will accompany the description of the service organization's system provided to user entities.

Assessing the Suitability of the Criteria


The service auditor should assess whether management has used suitable criteria in:

- Preparing and presenting the description of the service organization's system. Suitable criteria for making this evaluation should address, at a minimum, whether the description: (1) presents how the service organization's system (made available to user entities) was designed and implemented to process relevant transactions; and (2) does not omit or distort information relevant to the scope of the service organization's system, while acknowledging that the description of the service organization's system is presented to meet the common needs of a broad range of user entities and their auditors.
- Evaluating whether controls were suitably designed to achieve the control objectives stated in the description. Suitable criteria for making this evaluation should address, at a minimum, whether: (1) the risks that threaten the achievement of the control objectives stated in the description have been identified; and (2) the identified controls would, if operating as described, provide reasonable assurance that those risks would not prevent the control objectives stated in the description from being achieved.
- In a type 2 report, evaluating whether controls operated effectively throughout the specified period to achieve the control objectives stated in the description. Suitable criteria for making this evaluation should address, at a minimum, whether the controls were consistently applied as designed, including whether manual controls were applied by individuals who have the appropriate competence and authority.

Using the Work of an Internal Audit Function


The service auditor should obtain an understanding of the aspects of the internal audit function that are relevant to the engagement. The proposed SSAE indicates that if the service auditor uses specific work of the internal audit function, the service auditor should not make any reference to that work in his or her opinion. However, in a type 2 report, if the service auditor has used the work of the internal audit function in performing tests of controls, the service auditor's description of tests of controls and results thereof should include a description of: (1) the internal auditor's work; and (2) the service auditor's procedures with respect to that work.

Using the Work of a Service Auditor's Specialist


If the service auditor intends to use the work of a specialist, the proposed SSAE indicates that the service auditor should:

- Evaluate whether the specialist has the necessary capabilities, competence, and objectivity for the service auditor's purposes;
- Inquire about interests and relationships that may create a threat to the specialist's objectivity;
- Obtain a sufficient understanding of the specialist's field of expertise to enable the service auditor to determine the nature, scope, and objectives of the specialist's work and to evaluate the adequacy of that work;
- Establish a written understanding with the specialist regarding the following matters: (1) the nature, scope, and objectives of the specialist's work; (2) the respective roles of the service auditor and the specialist; and (3) the nature, timing, and extent of communication between the service auditor and the specialist and the form of report, if any, to be provided by the specialist; and
- Evaluate the adequacy of the work performed by the specialist.

The proposed SSAE indicates that if the service auditor uses the work of a specialist, the service auditor should not make any reference to that work in his or her opinion.

Requisite Understanding and Evidence to Report on Controls at a Service Organization


In a type 1 or type 2 report, the service auditor should perform the following procedures in order to obtain an understanding of the service organization's system, evidence regarding the description of that system, and evidence regarding the design of controls:

- Obtain an understanding of the service organization's system, including controls that are included in the scope of the engagement.
- Obtain and read the description of the service organization's system and evaluate whether those aspects of the description that are included in the scope of the engagement are presented fairly.
- Determine whether the service organization's system described in management's description has been implemented.
- Determine which of the controls at the service organization are necessary to achieve the control objectives stated in the description of the service organization's system and assess whether they were suitably designed to achieve those control objectives.

Additional procedures required in a type 2 engagement. In addition to the preceding required procedures, when performing a type 2 engagement, the service auditor should obtain evidence regarding the effectiveness of controls by performing the following procedures:

- Test those controls that the service auditor has determined are necessary to achieve the control objectives stated in the description of the service organization's system and assess their operating effectiveness throughout the period.
- Perform other procedures in combination with inquiry to obtain evidence about: (1) how the control was applied; (2) the consistency with which the control was applied; and (3) by whom or by what means the control was applied.
- Determine whether the controls to be tested depend on other controls and, if applicable, whether it is necessary to obtain evidence supporting the operating effectiveness of those other controls.
- Determine an effective method for selecting the items to be tested to meet the objectives of the procedure.
- Consider, in connection with determining the extent of tests of controls and whether sampling is appropriate, the following: (1) the characteristics of the population of the controls to be tested; (2) the nature of the controls; (3) the frequency of their application (e.g., monthly or daily); and (4) the expected rate of deviation.
- Investigate the nature and cause of any deviations identified and consider whether the deviations may be the result of intentional acts by service organization personnel.
- Inquire about changes in the service organization's controls that were implemented during the period covered by the service auditor's report.

Obtaining Written Representations from Management


The proposed SSAE requires the service auditor to obtain a written representation letter from the service organization's management, as of the same date as the date of the service auditor's report. Also, the service auditor should obtain these written representations from the management of the subservice organization, if a service organization uses a subservice organization and the description of the service organization's system uses the inclusive method. (Note: The inclusive method is a method of dealing with the services provided by a subservice organization whereby the service organization's description of its system includes: (1) a description of the nature of the services provided by the subservice organization; and (2) the subservice organization's relevant control objectives and related controls included in the scope of the service auditor's engagement.)

Documentation
The proposed SSAE indicates that the service auditor should prepare documentation that would enable an experienced service auditor, having no previous connection with the engagement, to understand the following:

- The nature, timing, and extent of the procedures performed.
- The results of the procedures and the evidence obtained.
- Significant matters arising during the engagement, the conclusions reached, and significant professional judgments made in reaching those conclusions.
- Discussions with service organization personnel and others of significant matters, including when and with whom the discussions took place.
- If information regarding a significant finding or issue was identified that is inconsistent with the service auditor's final conclusion, how the service auditor addressed the inconsistency in forming the final conclusion.

If the service auditor finds it necessary to modify the engagement documentation or add new documentation after the assembly of the final engagement file, the service auditor should document the following:

- The date the changes were made;
- The individual who made the changes;
- The individual who reviewed the changes and the date of the review, if applicable;
- The specific reasons for making the changes; and
- The effect of the changes on the service auditor's conclusions.

The Service Auditor's Report


Exhibit 1 provides a summary of the elements that should be included in a service auditor's type 1 and type 2 reports.

Exhibit 1: Summary of Elements to be Included in Type 1 and Type 2 Reports

| Element | Type 1 Report | Type 2 Report |
|---|---|---|
| 1. A title that clearly indicates that the report is an independent service auditor's report. | Yes | Yes |
| 2. An addressee. | Yes | Yes |
| 3. Appropriate description of the service organization's system prepared by management, including: (1) identification of those parts not covered by the service auditor's report; (2) modifying language addressing complementary user entity controls, if applicable; and (3) identification of services performed by a subservice organization and whether the inclusive method or the carve-out method was used in relation to them. | Yes | Yes |
| 4. Management's assertion. | Yes | Yes |
| 5. Identification of the criteria. | Yes | Yes |
| 6. A statement of the inherent limitations of the potential effectiveness of controls at the service organization and of the risk of projecting to the future any evaluation of the description or any conclusions about the effectiveness of controls in achieving control objectives. | Yes | Yes |
| 7. A description of the service organization's and the service auditor's responsibilities. | Yes | Yes |
| 8. A statement that the engagement was performed in accordance with SSAEs. | Yes | Yes |
| 9. A summary of the service auditor's procedures to obtain reasonable assurance. | Yes | Yes |
| 10. A statement that the service auditor has not performed any procedures regarding the operating effectiveness of controls and, therefore, expresses no opinion thereon. | Yes | No |
| 11. The service auditor's opinion on whether, in all material respects, based on the criteria specified in management's assertion: | | |
| 11a. The description of the service organization's system fairly presents the service organization's system that was designed and implemented (as of the specified date in type 1 report; throughout the specified period in a type 2 report). | Yes | Yes |
| 11b. The controls related to the control objectives stated in the description of the service organization's system were suitably designed to provide reasonable assurance that those control objectives would be achieved if the controls operated effectively (as of the specified date in type 1 report; throughout the specified period in a type 2 report). (Note: Modifying language should be added if the application of complementary user entity controls is necessary to achieve the described control objectives.) | Yes | Yes |
| 11c. The controls the service auditor tested operated effectively throughout the specified period. (Note: Modifying language should be added if the application of complementary user entity controls is necessary to achieve the described control objectives.) | No | Yes |
| 12. A paragraph at the end of the report that contains the following elements: | | |
| 12a. A statement restricting the use of the service auditor's report to management of the service organization, customers of the service organization's system as of the end of the period covered by the service auditor's report, and their auditors. | Yes | No |
| 12b. A statement restricting the use of the service auditor's report and a description of tests of controls and results thereof to management of the service organization, customers of the service organization's system during some or all of the period covered by the service auditor's report, and their auditors. | No | Yes |
| 12c. A statement that the report is not intended to be and should not be used by anyone other than these specified parties. | Yes | Yes |
| 13. A separate section after the opinion, or an attachment, that describes the service auditor's tests of controls and the results thereof. | No | Yes |
| 14. The date of the service auditor's report. | Yes | Yes |
| 15. The name of the service auditor and the city where the service auditor maintains the office that has responsibility for the engagement. | Yes | Yes |

The proposed SSAE also discusses various circumstances under which the service auditor's opinion should be modified.

About the Author

George Georgiades, CPA, has more than 28 years of experience in public accounting, including seven years with an international public accounting firm. He currently has his own firm and consults exclusively with CPA firms on technical accounting and auditing issues. He is a member of the American Institute of Certified Public Accountants and the California Society of Certified Public Accountants and is the author of GAAS Practice Manual and GAAP Financial Statement Disclosures Manual.

GAAS UPDATE SERVICE is published semimonthly by CCH, 4025 W. Peterson Ave., Chicago, Illinois 60646. Periodicals postage paid at Chicago, Illinois, and at additional mailing offices. POSTMASTER: SEND ADDRESS CHANGES TO GAAS UPDATE SERVICE, 4025 W. PETERSON AVE., CHICAGO, IL 60646. Printed in the U.S.A. 2009 CCH. All Rights Reserved.
