Definitions

9

For purposes of this ASAE, the following terms have the meanings attributed below:

9(a)

Carve‑out method―method of dealing with the services provided by a subservice organisation, whereby the service organisation’s description of its system includes the nature of the services provided by a subservice organisation, but that subservice organisation’s relevant control objectives and related controls are excluded from the service organisation’s description of its system and from the scope of the service auditor’s engagement.  The service organisation’s description of its system and the scope of the service auditor’s engagement include controls at the service organisation to monitor the effectiveness of controls at the subservice organisation, which may include the service organisation’s review of an assurance report on controls at the subservice organisation.

9(b)

Complementary user entity controls―controls that the service organisation assumes, in the design of its service, will be implemented by user entities, and which, if necessary to achieve control objectives stated in the service organisation’s description of its system, are identified in that description.

9(c)

Control objective―the aim or purpose of a particular aspect of controls.  Control objectives relate to risks that controls seek to mitigate. 

9(d)

Controls at the service organisation―controls over the achievement of a control objective that is covered by the service auditor’s assurance report.  (Ref: Para. A3)

9(e)

Controls at a subservice organisation―controls at a subservice organisation to provide reasonable assurance about the achievement of a control objective.

9(f)

Criteria―benchmarks used to evaluate or measure the underlying subject matter.  The “applicable criteria” are the criteria used for the particular engagement.

9(g)

Inclusive method―method of dealing with the services provided by a subservice organisation, whereby the service organisation’s description of its system includes the nature of the services provided by a subservice organisation, and that subservice organisation’s relevant control objectives and related controls are included in the service organisation’s description of its system and in the scope of the service auditor’s engagement.  (Ref: Para. A4)

9(h)

Internal audit function―a function of an entity that performs assurance and consulting activities designed to evaluate and improve the effectiveness of the entity’s governance, risk management and internal control processes.

9(i)

Internal auditors―those individuals who perform the activities of the internal audit function.  Internal auditors may belong to an internal audit department or equivalent function.

9(j)

Report on the description and design of controls at a service organisation (referred to in this ASAE as a “type 1 report”) ―a report that comprises:

  1. The service organisation’s description of its system;
  2. A written statement by the service organisation that, in all material respects, and based on suitable criteria:
    1. The description fairly presents the service organisation’s system as designed and implemented as at the specified date; and
    2. The controls related to the control objectives stated in the service organisation’s description of its system were suitably designed as at the specified date; and
  3. A service auditor’s assurance report that conveys a reasonable assurance conclusion about the matters in (ii)a.‑b.  above.

9(k)

Report on the description, design and operating effectiveness of controls at a service organisation (referred to in this ASAE as a “type 2 report”) ―a report that comprises:

  1. The service organisation’s description of its system;
  2. A written statement by the service organisation that, in all material respects, and based on suitable criteria:
    1. The description fairly presents the service organisation’s system as designed and implemented throughout the specified period;
    2. The controls related to the control objectives stated in the service organisation’s description of its system were suitably designed throughout the specified period; and
    3. The controls related to the control objectives stated in the service organisation’s description of its system operated effectively throughout the specified period; and
  3. A service auditor’s assurance report that:
    1. Conveys a reasonable assurance conclusion about the matters in (ii)a.‑c.  above; and
    2. Includes a description of the tests of controls and the results thereof.

9(l)

Service auditor―an assurance practitioner who, at the request of the service organisation, provides an assurance report on controls at a service organisation.

9(m)

Service organisation―a third‑party organisation (or segment of a third‑party organisation) that provides services to user entities that are likely to be relevant to user entities’ internal control as it relates to financial reporting.

9(n)

Service organisation’s system (or the system) ―the policies and procedures designed and implemented by the service organisation to provide user entities with the services covered by the service auditor’s assurance report.  The service organisation’s description of its system includes identification of: the services covered; the period, or in the case of a type 1 report, the date, to which the description relates; control objectives; and related controls.

9(o)

Service organisation’s statement―the written statement about the matters referred to in paragraph 9(k)(ii) (or paragraph 9(j)(ii) in the case of a type 1 report).

9(p)

Subservice organisation―a service organisation used by another service organisation to perform some of the services provided to user entities that are likely to be relevant to user entities’ internal control as it relates to financial reporting.

9(q)

Test of controls―a procedure designed to evaluate the operating effectiveness of controls in achieving the control objectives stated in the service organisation’s description of its system.

9(r)

User auditor―an auditor who audits and reports on the financial report/statements of a user entity.[7]

Aus 9.1

In the case of a subservice organisation, the service auditor of a service organisation that uses the services of the subservice organisation is also a user auditor.

9(s)

User entity―an entity that uses a service organisation.

7

[Footnote deleted by the AUASB.  See paragraph Aus 9.1.]