Types of Reports

7

This Guidance Statement provides guidance for the preparation and use as audit evidence of the following reports:

  1. Reports on the description and design of controls at a service organisation (type 1 report) or description, design and operating effectiveness of controls at a service organisation (type 2 report), relating to the service organisation’s system over the investment management services provided to user entities, prepared in accordance with ASAE 3402.
  2. Service auditor’s reports on financial information, prepared in accordance with ASA 805,[4] comprising either:
    1. a service auditor’s report on specified assertions regarding balances or transactions of the user entity reported in a financial statement by the service organisation, which provides investment management services, (“service auditor’s report on specified assertions”); or
    2. a service auditor’s report on a financial statement of the user entity’s balances or transactions (“statement”) reported by the service organisation which provides investment management services (“service auditor’s report on a statement”).

8

Type 1 and 2 reports on controls comprise:[5]

  1. A service organisation’s description of its investment management services system, including identification of:
    1. the services covered;
    2. the date or period to which the description relates;
    3. control objectives, including the control objectives listed in Appendix 3 of this Guidance Statement, for the relevant investment management services provided; and
    4. related controls.
  2. A written assertion by the service organisation that, in all material respects, and based on suitable criteria:
    1. the description fairly presents the service organisation’s system as designed and implemented;
    2. the controls related to the control objectives stated in the service organisation’s description of its system were suitably designed as at the specified date, for a type 1 report, or throughout the period, for a type 2 report; and
    3. for a type 2 report, the controls operated effectively throughout the specified period.
  3. A service auditor’s assurance report that conveys reasonable assurance about the service organisation’s assertions, including for type 2 reports, a description of the tests of controls and the results thereof.

9

The use of a type 1 report by a user auditor is limited to understanding the entity in accordance with Auditing Standard ASA 315,[6] whereas a type 2 report may also be used by a user auditor in responding to assessed risks in accordance with Auditing Standard ASA 330.[7]

10

Other reports may be required by the user entity as set out in the contract and/or service level agreement for purposes such as monitoring the performance of the service organisation, however the reports covered by this Guidance Statement are limited to those that may be used by user auditors as audit evidence for the audit of the user entity’s financial report.

11

The following table, entitled Table 1: Service Auditor’s Reports, outlines the context in which each of these reports is prepared and used as audit evidence. Table 1 lists the reports included in this Guidance Statement, the subject matter covered by each report, the circumstances for which each report may be useful to user auditors, standards relevant to the preparation and use of each report and references to appendices containing examples of each report and related engagement letters.

12

The guidance in this Guidance Statement is based on engagements to provide an opinion based on reasonable assurance, with respect to controls or financial information. It does not apply to an engagement to provide a review conclusion on controls based on limited assurance, however, it may be adapted, as necessary in the circumstances, to an engagement to provide limited assurance on specified assertions or a Statement. A review conclusion from the service auditor may be appropriate where the user auditor is engaged to perform a review of the user entity’s financial report. The service auditor exercises professional judgement in applying this Guidance Statement to a review and, when reporting on specified assertions or a Statement, complies with the requirements of relevant standards on review engagements.

 

Table 1: Service Auditor’s Reports

Type of Report

Subject Matter Covered by Report

Circumstances for Which Report is Used by User Auditors 

Relevant Standards

Appendix Reference for Examples

Reports on controls

1. Type 1 report[8]

Description and design of controls at the service organisation.

Planning: Obtaining an understanding of the user entity and its environment, including controls over services provided by the service organisation, in order to assess the risk of material misstatement and design further audit procedures.  This report cannot be relied on to reduce substantive procedures.

User Auditor: ASA 402 and ASA 315

Service Auditor: ASAE 3402

Engagement letter and service auditor’s type 1 report: No example provided as this report is not likely to meet the needs of all user auditors.

2. Type 2 report[9]

Description, design, and operating effectiveness of controls at the service organisation.

Planning: Obtaining an understanding of the user entity and its environment: as for type 1 reports.

Responding to the assessed risks of material misstatement when evidence is required of the operating effectiveness of controls over the services provided at the service organisation

User Auditor: ASA 402 and ASA 330

Service Auditor: ASAE 3402

Engagement letter: Appendix 1 Example 1.

Service Organisation’s  assertion and description of its system: Appendix 2.

Minimum Control Objectives: Appendix 3.

Service auditor’s type 2 report: Appendices 4 and 5.

Reports on financial information

3. Service auditor’s report on specified assertions[10]

Service auditor’s report on specified assertions

Service auditor’s report on specified assertions

Service auditor’s report on specified assertions

Service auditor’s report on specified assertions

4. Service auditor’s report on a Statement[11]

Service auditor’s report on a Statement

Service auditor’s report on a Statement

Service auditor’s report on a Statement

Service auditor’s report on a Statement

13

The user auditor may request the user entity to obtain from the service auditor, or directly engage the service auditor to provide, a report on agreed-upon procedures. Agreed-upon procedures engagements may be appropriate in certain circumstances to provide evidence that the user auditor requires, for example when:

  • A type 2 report is provided, however the user auditor requires more evidence with respect to controls over a specified area, such as unit pricing.
  • Provision of a service auditor report on controls is not agreed in the service level agreement or contract, but the user auditor nevertheless requires selected controls to be tested at the service organisation.
  • A service auditor’s report on specified assertions is provided for assets under the custody of a custodian, but does not address assets outside the custody of the custodian for which the custodian provides investment administration services. Additional agreed-upon procedures are performed to assist the user auditor to obtain evidence on the existence or valuation of the assets outside the custody of the custodian.
  • A service auditor’s report on specified assertions is provided as described in this Guidance Statement, however further audit procedures are required by the user auditor in obtaining sufficient appropriate audit evidence with respect to particular assertions. For example, with respect to the assertion of valuation, agreement of valuation input variables to source data may be required by the user auditor.

 

Such engagements are conducted under Standards on Related Services[12] and no further guidance on agreed-upon procedures engagements is provided in this Guidance Statement.

4

ASA 800 Special Considerations—Audits of Financial Reports Prepared in Accordance with Special Purpose Frameworks is also applicable if the financial information is a financial report or complete set of financial statements prepared in accordance with a special purpose framework.

5

See ASAE 3402, paragraph 9.

6

See ASA 315 Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment.

7

See ASA 330 The Auditor's Responses to Assessed Risks.

8

See paragraph 8 of this Guidance Statement.

9

See paragraph 8 of this Guidance Statement.

10

See paragraph 7(b)(i) of this Guidance Statement.

11

See paragraph 7(b)(ii) of this Guidance Statement.

12

See ASRS 4400 Agreed-upon Procedures Engagements to Report Factual Findings.