Under a contract, offer document or service level agreement, the service organisation may agree to provide the user entity periodically with a type 1 or 2 report on controls, prepared in accordance with ASAE 3402, with respect to the services provided to the user entity and/or a Statement, with respect to the user entity’s assets, liabilities or transactions recorded by the service organisation for the period, accompanied by a service auditor’s report on the Statement or specified assertions, issued in accordance with ASA 805.

Service auditor’s engagements to report on controls are assurance engagements, which are defined under the Framework for Assurance Engagements as engagements in which the auditor expresses a conclusion or opinion about the outcome of the evaluation of a subject matter against criteria. The criteria for an engagement to report on a service organisation’s controls, include control objectives.^[38] The control objectives collectively reflect the level of control over user entities’ balances or transactions that the user entity could reasonably expect from the service organisation for the purpose of the user entity’s financial reporting. The service organisation’s controls are designed to meet those control objectives. Appendix 3 of this Guidance Statement sets out the control objectives which the user entity can expect to be included in type 1 or 2 reports for each of the relevant investment management services. The service organisation may choose to include additional control objectives in the type 1 or 2 report. Additional control objectives may be included where those objectives are relevant to user entities’ financial reporting or to meet compliance reporting requirements or the terms of the service level agreement, offer document or contract.

When agreeing to accept, or continue, an engagement to report on controls at a service organisation, ASAE 3402^[39] requires the service auditor to assess whether the criteria will be suitable and available to user entities and their auditors. In doing so, the service auditor determines whether the criteria include the control objectives provided in this Guidance Statement for the relevant investment management services and, if any objectives are omitted or amended, whether the service organisation has adequately disclosed and justified that omission or amendment.

An example of an engagement letter for engagements to report on controls is provided in Appendix 1 Example 1.

ASAE 3402 requires the service auditor to comply with relevant ethical requirements including those pertaining to independence, relating to assurance engagements, which does not necessitate the service auditor being independent from each user entity.^[40]

However, threats to independence may arise with respect to user entities where there are only one or few user entities for the services subject to audit. Threats to independence may also arise with respect to subservice organisations where the controls of the subservice organisation are included in the service organisation’s description of its system, under the inclusive method.^[41]

Service auditors may also need to consider the manner in which their type 1 or 2 report is used and distributed by the service organisation. Examples of how this matter may be addressed in the engagement letter and in the service auditor’s type 2 report are contained in Appendix 1 Example 1 and Appendix 4 respectively.

It is for management, or, where appropriate, those charged with governance, of the service organisation to decide whether to prepare a report on controls and whether to have this report audited by a service auditor. In certain circumstances, the service organisation may, for example, consider it more appropriate to allow access for user entities and user auditors to the service organisation’s records or provide a report on a specific aspect of its operations as it impacts an individual user entity. However, the following guidance is only applicable if the service organisation provides a controls assertion and a description of the system on which the service auditor is engaged to provide an assurance report.

The service organisation typically prepares a description of its system to meet the needs of all user entities of a particular investment management service or services. A type 1 or 2 report on the controls at a service organisation covers investment management services provided to user entities which are likely to form part of those user entities’ information systems relevant to financial reporting. Circumstances in which the user auditor may require a type 1 report on design and implementation of controls only are set out in paragraph 22 of this Guidance Statement. The value of a type 1 report to the audit of the user entity is limited, so it is appropriate for the service auditor to prepare a type 1 report only in the first year of reporting on controls, to provide a starting point for future reports, or if none of the user entities require a report on the operating effectiveness of controls. Due to its limited value, an example of this report is not provided in this Guidance Statement.

The frequency with which the service organisation provides a report on controls and the time period to be covered may be agreed in the contract and/or service level agreement between the user entity and the service organisation or may be set out in an offer document.

An example of a service organisation’s assertion and description of its system is shown in Appendix 2 of this Guidance Statement.

In assessing whether the service organisation has used suitable criteria in preparing the description of the system, evaluating whether controls are suitably designed and, in the case of type 2 reports, in evaluating whether controls are operating effectively, in accordance with ASAE 3402,^[42] the service auditor determines whether the minimum control objectives provided in this Guidance Statement^[43] for the relevant investment management service or services are included in the description of the system.

It is the responsibility of the service organisation to ensure that the control objectives are sufficient to meet the expectations of user entities and that any omissions or amendments to the minimum control objectives are appropriate. A service organisation may therefore consider the need to add further objectives and supporting controls where appropriate. The service auditor evaluates the suitability of any additional control objectives specified by the service organisation, by determining if they meet the characteristics of relevance, completeness, reliability, neutrality and understandability.^[44]

If the service organisation omits or amends a control objective from GS 007 or adds further control objectives, the service auditor can expect those omissions, amendments or additional objectives to be clearly identified in the service organisation’s description of the system. If a control objective is omitted, the service organisation may list that objective and note briefly the reasons for its omission. If a control objective is amended to clarify the intended meaning, such as use of terms appropriate to the service organisation’s circumstances, or the control objective is expanded, the relevant GS 007 control objective may be treated as included. However, if the meaning of the control objective is changed or the scope of the objective reduced by the modifications, then it is appropriate for the service organisation to report the relevant GS 007 objective as omitted and report the modified objective as an additional objective in the description of the system.

ASAE 3402^[45] requires the service auditor to obtain an understanding of the service organisation’s system, including controls that are included in the scope of the engagement. In doing so, the service auditor identifies the boundaries of that system and ensures that the boundary of the investment management services included in the description of the system does not omit aspects of the services provided which are part of user entities’ information system relevant to financial reporting. The description of each investment management service provided in this Guidance Statement is indicative and not definitive. The service organisation may provide multiple investment management services, in which case the service auditor identifies how the services interface.

The service auditor complies with the requirements of ASAE 3402 when conducting an assurance engagement to report on controls at the service organisation when:^[46]

1. obtaining evidence regarding the description, design and operating effectiveness of controls;
2. considering the work of an internal audit function;
3. obtaining written representations from the service organisation;
4. considering other information;
5. enquiring and, if necessary, disclosing subsequent events; and
6. preparing and assembling documentation.

In obtaining evidence regarding the fair presentation of the description, the service auditor evaluates whether the control objectives are reasonable in the circumstances. In doing so, the service auditor determines whether the control objectives from Appendix 3 of this Guidance Statement for the relevant investment management service/s have been included or, for any objectives which have been omitted or amended, the adequacy of the reasons for their omission or amendment. If there are any unjustified omissions or misstatements with regard to the control objectives, the service auditor asks management, or those charged with governance, to amend the description. If it is not amended, the service auditor considers the reasons, if known, for the omission or misstatement and the effect on the service auditor’s type 1 or 2 report.

^[47] The service auditor’s opinion is expressed in a written assurance report on controls attached to the service organisation’s description of its system and assertion.

The service auditor’s type 1 or 2 report, includes the basic elements required by ASAE 3402 with specific consideration of matters relevant to investment management services, including:

1. A statement that the criteria include the minimum control objectives provided in this Guidance Statement for the relevant investment management services; and;
2. A statement that the service organisation is responsible for:
   1. Providing the investment management services covered by the service organisation’s description of its system; and
   2. Stating the control objectives, including those for the relevant investment management services from this Guidance Statement, and if any minimum control objectives are omitted or amended, providing an explanation of that omission or amendment.

An example of a service auditor’s type 2 assurance report is shown at Appendix 4.

Describing Tests of Operating Effectiveness

The service auditor’s type 2 report includes a separate attachment that describes the service auditor’s tests of controls and the results thereof. An explanation of the service auditor’s description of the nature, timing and extent of tests applied to controls is in Appendix 5 of this Guidance Statement.

Modified Opinions

When preparing the assurance report, the service auditor is required to modify their opinion in the circumstances set out in ASAE 3402. If the service auditor concludes that the control objectives for the investment management services are incomplete and the service organisation refuses to amend their report to address those control objectives, the service auditor may modify their opinion if it has a material impact on the fair presentation of the description.

Other Communication Responsibilities

ASAE 3402 requires the service auditor to determine whether non-compliance with laws and regulations, fraud, or uncorrected errors which are not clearly trivial, have been communicated to affected user entities and, if not, to take appropriate action.

If the service auditor is engaged to provide a report on financial information, the service auditor issues a separate auditor’s report in respect of each user entity concerning only that user entity's balances and/or transactions.

In performing an engagement to report on specified assertions or on a Statement the service auditor applies the Australian Auditing Standards and reports on the engagement under ASA 805.

If the service auditor has provided assurance on controls in a type 2 report, it provides assurance as to the reliability of controls over the investment management services which relate to the user entity’s balances and/or transactions. Accordingly, the service auditor may be able to reduce the extent of substantive testing that might otherwise be necessary in preparing a service auditor’s report on financial information.

Before accepting the engagement, the service auditor is required under Auditing Standard ASA 210^[48] to determine the acceptability of the financial reporting framework, which in the case of a single financial statement or element, includes determining whether application of the financial reporting framework will result in a presentation that provides adequate disclosures to enable the intended users to understand the information conveyed and the effect of material transactions and events on the information conveyed.^[49]

The service auditor also complies with ASA 210 in agreeing the terms of engagement. In addition to the matters specified in ASA 210, the engagement letter or other written agreement between the service auditor and the engaging party may include:

• The service auditor’s responsibility to conduct the engagement with reference to this Guidance Statement.
• The service auditor’s responsibility to report, in an attachment to the service auditor’s report, uncorrected misstatements which have been aggregated during the audit, other than amounts which are clearly trivial.
• Reference to the performance materiality level provided by the user auditor, if applicable.

Example engagement letters for engagements to report on specified assertions and on a Statement are included in Appendix 1, Examples 2 and 3 respectively.

The service auditor may be engaged by the service organisation or directly by the user entity or user auditor. If the user entity or user auditor engages the service auditor directly, access to the service organisation’s records will need to be agreed with the service organisation. Access to the service organisation’s records may be allowed for in the service level agreement with the user entity or by separate agreement. The agreement may provide for the service organisation to receive a copy of the auditor’s report and notification of any matters of governance interest communicated as described in paragraph 88 of this Guidance Statement.

In accordance with Auditing Standard ASA 200,^[50] the service auditor is required to comply with relevant ethical requirements, including those pertaining to independence, when performing an audit of a Statement or specified assertions.

Relevant ethical requirements, defined in Auditing Standard ASA 102, include the fundamental principles of professional ethics, relating to the engagement to be undertaken, which are:

1. integrity;
2. objectivity;
3. professional competence and due care;
4. confidentiality; and
5. professional behaviour.

Where the service auditor is undertaking an audit of a Statement or specified assertion particular consideration needs to be given to any threats to independence with respect to the user entity since the service auditor is reporting on financial information of the user entity. Threats to independence with respect to the user entity may be present, such as self-interest or familiarity threats, notwithstanding that the user entity may not be an assurance client of the service auditor.

In evaluating threats to independence and considering applicable safeguards, the service auditor considers the nature of the engagement. It may be sufficient, for example in the case of a restricted use report, to apply independence requirements in evaluating the independence of the engagement team members and their immediate and close family with respect to the user entity, along with limited consideration of the firm’s interests and relationships with the user entity.

Examples of safeguards that may be considered appropriate by service auditors to manage identified threats to independence include:

• Prohibiting the holding of direct, or material indirect, financial interests in the user entity or its affiliates by members of the service auditor’s engagement team and their immediate and close family.
• Removal from the service auditor’s engagement team of any personnel with a close relationship with directors, officers or employees of the user entity or its affiliates.

When conducting an audit of specified assertions or a Statement, the service auditor considers materiality under ASA 320 in determining the nature, timing and extent of audit procedures and evaluating the effect of misstatements. The relevant benchmark, for investment management services, on which the service auditor bases materiality, under ASA 320, in most cases is either:

1. the assets of the user entity for which specific assertions are being audited;
2. total assets of the user entity reported in the Statement; or
3. net assets, where assets and liabilities are reported, of the user entity reported in the Statement.

The service auditor often applies a percentage to the benchmark as a starting point in determining materiality under ASA 320. The user auditor may request that a particular benchmark or percentage be used by the service auditor as a basis for determining performance materiality. In the absence of a basis for materiality specified by the user auditor, the service auditor may apply a percentage of 0.5% to any of the benchmarks listed in paragraph 84 of this Guidance Statement as a reasonable basis for determining performance materiality for auditing specified assertions or a Statement, where investment management services are provided. Where an alternative benchmark is used, this percentage may not be appropriate for determining materiality.

Service auditor’s reports on specified assertions or on a Statement, need to comply with the requirements in ASA 805 and as such include the basic elements of an auditor’s report as set out in that standard. In addition to these elements, the service auditor includes in their report:

1. identification of the specific assertions audited (if the report is limited to specific assertions);
2. identification of the investment management services provided by the service organisation to the user entity;
3. a description of the responsible party’s (management, or those charged with governance, of the service organisation) responsibilities for the investment management services provided to the user entity; and
4. reference to the use of the report by the user entity and the user auditor.

Examples of a service auditor’s report on specified assertions is provided in Appendix 6 Example 1 and a service auditor’s report on a Statement is provided in Appendix 6 Example 2 of this Guidance Statement.

When performing an audit engagement at a service organisation, the service auditor may restrict the audit procedures to information that is held by the service organisation on behalf of the user entity. The Statement, however, may include information which is provided by the user entity or by another party to the service organisation for inclusion in the Statement. Documentation or other audit evidence may not be available at the service organisation to substantiate that information. Where certain information within the Statement has not been audited, the service auditor identifies that information and specifically excludes it from the scope of the audit opinion.

In the course of performing procedures for an audit engagement at a service organisation on financial information of the user entity, the service auditor is required to communicate any of the following matters identified to those charged with governance of the engaging party on a timely basis:

1. significant deficiencies in internal control;^[51]
2. significant findings from the audit;^[52]
3. uncorrected misstatements and the effect they, individually or in aggregate, may have on the opinion in the auditor’s report;^[53] and
4. fraud, identified or suspected involving management, employees who have significant roles in internal control or others where the fraud results in a material misstatement, as well as any other matters related to fraud that are relevant to their responsibilities.^[54]

In addition, the service auditor states in their report whether they have identified any uncorrected misstatements in the course of the audit, other than amounts which are clearly trivial, and, if so, details the uncorrected misstatements in an attachment to their report. An outline for an attachment on uncorrected misstatements is shown in Appendix 6, Examples 1 and 2.

When the service auditor is engaged by the service organisation and considers that any of the matters reported to those charged with governance of the service organisation may affect one or more user entities, the service auditor determines from the appropriate level of management whether this information has been communicated to the affected user entities. If the matter is not communicated satisfactorily, the service auditor may consider whether it affects the service auditor’s ability to conduct the engagement or necessitates a modification to the service auditor’s report.