Application and Other Explanatory Material

Includes: Scope of this Standard on Assurance Engagements, Definitions, Ethical Requirements, Management and Those Charged with Governance, Acceptance and Continuance, Assessing the Suitability of the Criteria, Materiality, Obtaining an Understanding of the Service Organisation’s System, Obtaining Evidence Regarding the Description, Obtaining Evidence Regarding Design of Controls, Obtaining Evidence Regarding Operating Effectiveness of Controls, The Work of an Internal Audit Function, Written Representations, Other Information, Documentation, Preparing the Service Auditor’s Assurance Report, Other Communication Responsibilities, Example Engagement Letter, Example Representation Letter, Example Service Organisation’s Statements, Illustrative Example of a Service Organisation’s Description of the System Accompanying XYZ Service Organisation Management’s Statement, Example Service Auditor’s Assurance Reports, Example Modified Service Auditor’s Assurance Reports

Scope of this Standard on Assurance Engagements

(Ref: Para. 1 and 3)

A1

Internal control is a process designed to provide reasonable assurance regarding the achievement of objectives related to the reliability of financial reporting, effectiveness and efficiency of operations and compliance with applicable law and regulation.  Controls related to a service organisation's operations and compliance objectives may be relevant to a user entity’s internal control as it relates to financial reporting.  Such controls may pertain to assertions about presentation and disclosure relating to account balances, classes of transactions or disclosures, or may pertain to evidence that the user auditor evaluates or uses in applying auditing procedures.  For example, a payroll processing service organisation’s controls related to the timely remittance of payroll deductions to government authorities may be relevant to a user entity as late remittances could incur interest and penalties that would result in a liability for the user entity.  Similarly, a service organisation’s controls over the acceptability of investment transactions from a regulatory perspective may be considered relevant to a user entity’s presentation and disclosure of transactions and account balances in its financial report.  The determination of whether controls at a service organisation related to operations and compliance are likely to be relevant to user entities’ internal control as it relates to financial reporting is a matter of professional judgement, having regard to the control objectives set by the service organisation and the suitability of the criteria.

A2

The service organisation may not be able to assert that the system is suitably designed when, for example, the service organisation is operating a system that has been designed by a user entity or is stipulated in a contract between a user entity and the service organisation.  Because of the inextricable link between the suitable design of controls and their operating effectiveness, the absence of a statement with respect to the suitability of design will likely preclude the service auditor from concluding that the controls provide reasonable assurance that the control objectives have been met and thus from opining on the operating effectiveness of controls.  As an alternative, the assurance practitioner may choose to accept an agreed‑upon procedures engagement to perform tests of controls, or an assurance engagement under ASAE 3000 to conclude on whether, based on tests of controls, the controls have operated as described.

Definitions

(Ref: Para. 9(d) and 9(g))

A3

The definition of “controls at the service organisation” includes aspects of user entities’ information systems maintained by the service organisation, and may also include aspects of one or more of the other components of internal control at a service organisation.  For example, it may include aspects of a service organisation’s control environment, monitoring, and control activities when they relate to the services provided.  It does not, however, include controls at a service organisation that are not related to the achievement of the control objectives stated in the service organisation’s description of its system, for example, controls related to the preparation of the service organisation’s own financial report/statements. 

A4

When the inclusive method is used, the requirements in this ASAE also apply to the services provided by the subservice organisation, including obtaining agreement regarding the matters in paragraph 13(b)(i)‑(vi) as applied to the subservice organisation rather than the service organisation.  Performing procedures at the subservice organisation entails co‑ordination and communication between the service organisation, the subservice organisation, and the service auditor.  The inclusive method generally is feasible only if the service organisation and the subservice organisation are related, or if the contract between the service organisation and the subservice organisation provides for its use.

Ethical Requirements

(Ref: Para. 11)

A5

[Deleted by the AUASB.  Refer Aus A5.1.]

Aus A5.1

The service auditor is subject to relevant independence requirements, which comprise the requirements referenced in ASA 102 together with national requirements that are more restrictive.  In performing an engagement in accordance with this ASAE, relevant independence requirements do not require the service auditor to be independent from each user entity.

Management and Those Charged with Governance

(Ref: Para. 12)

A6

Management and governance structures vary by jurisdiction and by entity, reflecting influences such as different cultural and legal backgrounds, and size and ownership characteristics.  Such diversity means that it is not possible for this ASAE to specify for all engagements the person(s) with whom the service auditor is to interact regarding particular matters.  For example, the service organisation may be a segment of a third‑party organisation and not a separate legal entity.  In such cases, identifying the appropriate management personnel or those charged with governance from whom to request written representations may require the exercise of professional judgement. 

Acceptance and Continuance

Capabilities and Competence to Perform the Engagement (Ref: Para. 13(a)(i))

A7

Relevant capabilities and competence to perform the engagement include matters such as the following:

  • Knowledge of the relevant industry;
  • An understanding of information technology and systems;
  • Experience in evaluating risks as they relate to the suitable design of controls; and
  • Experience in the design and execution of tests of controls and the evaluation of the results.

Service Organisation’s Statement (Ref: Para. 13(b)(i))

A8

Refusal, by a service organisation, to provide a written statement, subsequent to an agreement by the service auditor to accept, or continue, an engagement, represents a scope limitation that causes the service auditor to withdraw from the engagement.  If law or regulation does not allow the service auditor to withdraw from the engagement, the service auditor disclaims an opinion. 

Reasonable Basis for Service Organisation’s Statement (Ref: Para. 13(b)(ii))

A9

In the case of a type 2 report, the service organisation’s statement includes a statement that the controls related to the control objectives stated in the service organisation’s description of its system operated effectively throughout the specified period.  This statement may be based on the service organisation’s monitoring activities.  Monitoring of controls is a process to assess the effectiveness of controls over time.  It involves assessing the effectiveness of controls on a timely basis, identifying and reporting deficiencies to appropriate individuals within the service organisation, and taking necessary corrective actions.  The service organisation accomplishes monitoring of controls through ongoing activities, separate evaluations, or a combination of both.  The greater the degree and effectiveness of ongoing monitoring activities, the less need for separate evaluations.  Ongoing monitoring activities are often built into the normal recurring activities of a service organisation and include regular management and supervisory activities.  Internal auditors or personnel performing similar functions may contribute to the monitoring of a service organisation’s activities.  Monitoring activities may also include using information communicated by external parties, such as customer complaints and regulator comments, which may indicate problems or highlight areas in need of improvement.  The fact that the service auditor will report on the operating effectiveness of controls is not a substitute for the service organisation’s own processes to provide a reasonable basis for its statement. 

Identification of Risks (Ref: Para. 13(b)(v))

A10

As noted in paragraph 9(c), control objectives relate to risks that controls seek to mitigate.  For example, the risk that a transaction is recorded at the wrong amount or in the wrong period can be expressed as a control objective that transactions are recorded at the correct amount and in the correct period.  The service organisation is responsible for identifying the risks that threaten achievement of the control objectives stated in the description of its system.  The service organisation may have a formal or informal process for identifying relevant risks.  A formal process may include estimating the significance of identified risks, assessing the likelihood of their occurrence, and deciding about actions to address them.  However, since control objectives relate to risks that controls seek to mitigate, thoughtful identification of control objectives when designing and implementing the service organisation’s system may itself comprise an informal process for identifying relevant risks. 

Acceptance of a Change in the Terms of the Engagement (Ref: Para. 14)

A11

A request to change the scope of the engagement may not have a reasonable justification when, for example, the request is made to exclude certain control objectives from the scope of the engagement because of the likelihood that the service auditor’s opinion would be modified; or the service organisation will not provide the service auditor with a written statement and the request is made to perform the engagement under ASAE 3000.

A12

A request to change the scope of the engagement may have a reasonable justification when, for example, the request is made to exclude from the engagement a subservice organisation when the service organisation cannot arrange for access by the service auditor, and the method used for dealing with the services provided by that subservice organisation is changed from the inclusive method to the carve‑out method.

Aus A12.1

An example engagement letter is contained in [Aus] Appendix 0A.

Assessing the Suitability of the Criteria

(Ref: Para. 15-18)

A13

Criteria need to be available to the intended users to allow them to understand the basis for the service organisation’s statement about the fair presentation of its description of the system, the suitability of the design of controls and, in the case of a type 2 report, the operating effectiveness of the controls related to the control objectives. 

A14

ASAE 3000 requires the service auditor, among other things, to determine whether the criteria to be used are suitable, and to determine the appropriateness of the underlying subject matter.[11]  The underlying subject matter is the underlying condition of interest to intended users of an assurance report.  The following table identifies the subject matter and minimum criteria for each of the opinions in type 2 and type 1 reports.

Opinion about the fair presentation of the description of the service organisation’s system (type 1 and type 2 reports)

Subject matter: The service organisation’s system that is likely to be relevant to user entities’ internal control as it relates to financial reporting and is covered by the service auditor’s assurance report.

Criteria: The description is fairly presented if it:

(a) presents how the service organisation’s system was designed and implemented including, as appropriate, the matters identified in paragraph 16(a)(i)‑(viii);

(b) in the case of a type 2 report, includes relevant details of changes to the service organisation’s system during the period covered by the description; and

(c) does not omit or distort information relevant to the scope of the service organisation’s system being described, while acknowledging that the description is prepared to meet the common needs of a broad range of user entities and may not, therefore, include every aspect of the service organisation’s system that each individual user entity may consider important in its own particular environment.

Comment: The specific wording of the criteria for this opinion may need to be tailored to be consistent with criteria established by, for example, law or regulation, user groups, or a professional body.  Examples of criteria for this opinion are provided in the illustrative service organisation’s statement in Appendix 1.  Paragraphs A21‑A24 offer further guidance on determining whether these criteria are met.  (In terms of the requirements of ASAE 3000, the subject matter information[12] for this opinion is the service organisation’s description of its system and the service organisation’s statement that the description is fairly presented.)

Opinion about suitability of design, and operating effectiveness (type 2 reports)

Subject matter: The suitability of the design and operating effectiveness of those controls that are necessary to achieve the control objectives stated in the service organisation’s description of its system.

Criteria: The controls are suitably designed and operating effectively if:

(a) the service organisation has identified the risks that threaten achievement of the control objectives stated in the description of its system;

(b) the controls identified in that description would, if operated as described, provide reasonable assurance that those risks do not prevent the stated control objectives from being achieved; and

(c) the controls were consistently applied as designed throughout the specified period.  This includes whether manual controls were applied by individuals who have the appropriate competence and authority.

Comment: When the criteria for this opinion are met, controls will have provided reasonable assurance that the related control objectives were achieved throughout the specified period.  (In terms of the requirements of ASAE 3000, the subject matter information for this opinion is the service organisation’s statement that controls are suitably designed and that they are operating effectively.)

The control objectives, which are stated in the service organisation’s description of its system, are part of the criteria for these opinions.  The stated control objectives will differ from engagement to engagement.  If, as part of forming the opinion on the description, the service auditor concludes the stated control objectives are not fairly presented then those control objectives would not be suitable as part of the criteria for forming an opinion on either the design or operating effectiveness of controls.

Opinion about suitability of design (type 1 reports)

Subject matter: The suitability of the design of those controls that are necessary to achieve the control objectives stated in the service organisation’s description of its system.

Criteria: The controls are suitably designed if:

(a) the service organisation has identified the risks that threaten achievement of the control objectives stated in the description of its system; and

(b) the controls identified in that description would, if operated as described, provide reasonable assurance that those risks do not prevent the stated control objectives from being achieved.

Comment: Meeting these criteria does not, of itself, provide any assurance that the related control objectives were achieved because no assurance has been obtained about the operation of controls.  (In terms of the requirements of ASAE 3000, the subject matter information for this opinion is the service organisation’s statement that controls are suitably designed.)

The control objectives, which are stated in the service organisation’s description of its system, are part of the criteria for these opinions.  The stated control objectives will differ from engagement to engagement.  If, as part of forming the opinion on the description, the service auditor concludes the stated control objectives are not fairly presented then those control objectives would not be suitable as part of the criteria for forming an opinion on the design.

[11] See ASAE 3000, paragraphs 24(b) and 41.

[12] The “subject matter information” is the outcome of the measurement or evaluation of the underlying subject matter against the criteria, i.e. the information that results from applying the criteria to the underlying subject matter.

A15

Paragraph 16(a) identifies a number of elements that are included in the service organisation’s description of its system as appropriate.  These elements may not be appropriate if the system being described is not a system that processes transactions, for example, if the system relates to general controls over the hosting of an IT application but not the controls embedded in the application itself. 

Materiality

(Ref: Para. 19 and 54)

A16

In an engagement to report on controls at a service organisation, the concept of materiality relates to the system being reported on, not the financial reports/statements of user entities.  The service auditor plans and performs procedures to determine whether the service organisation’s description of its system is fairly presented in all material respects, whether controls at the service organisation are suitably designed in all material respects and, in the case of a type 2 report, whether controls at the service organisation are operating effectively in all material respects.  The concept of materiality takes into account that the service auditor’s assurance report provides information about the service organisation’s system to meet the common information needs of a broad range of user entities and their auditors who have an understanding of the manner in which that system has been used. 

A17

Materiality with respect to the fair presentation of the service organisation’s description of its system, and with respect to the design of controls, includes primarily the consideration of qualitative factors, for example: whether the description includes the significant aspects of processing significant transactions; whether the description omits or distorts relevant information; and the ability of controls, as designed, to provide reasonable assurance that control objectives would be achieved.  Materiality with respect to the service auditor’s opinion on the operating effectiveness of controls includes the consideration of both quantitative and qualitative factors, for example, the tolerable rate and observed rate of deviation (a quantitative matter), and the nature and cause of any observed deviation (a qualitative matter). 

A18

The concept of materiality is not applied when disclosing, in the description of the tests of controls, the results of those tests where deviations have been identified.  This is because, in the particular circumstances of a specific user entity or user auditor, a deviation may have significance beyond whether or not, in the opinion of the service auditor, it prevents a control from operating effectively.  For example, the control to which the deviation relates may be particularly significant in preventing a certain type of error that may be material in the particular circumstances of a user entity’s financial report/statements. 

Obtaining an Understanding of the Service Organisation’s System

(Ref: Para. 20)

A19

Obtaining an understanding of the service organisation’s system, including controls, included in the scope of the engagement, assists the service auditor in:

  • Identifying the boundaries of that system, and how it interfaces with other systems.
  • Assessing whether the service organisation’s description fairly presents the system that has been designed and implemented.
  • Obtaining an understanding of internal control over the preparation of the service organisation’s statement.
  • Determining which controls are necessary to achieve the control objectives stated in the service organisation’s description of its system.
  • Assessing whether controls were suitably designed.
  • Assessing, in the case of a type 2 report, whether controls were operating effectively. 

A20

The service auditor’s procedures to obtain this understanding may include:

  • Enquiring of those within the service organisation who, in the service auditor’s judgement, may have relevant information. 
  • Observing operations and inspecting documents, reports, printed and electronic records of transaction processing. 
  • Inspecting a selection of agreements between the service organisation and user entities to identify their common terms. 
  • Reperforming control procedures.

Obtaining Evidence Regarding the Description

(Ref: Para. 21-22)

A21

Considering the following questions may assist the service auditor in determining whether those aspects of the description included in the scope of the engagement are fairly presented in all material respects:

  • Does the description address the major aspects of the service provided (within the scope of the engagement) that could reasonably be expected to be relevant to the common needs of a broad range of user auditors in planning their audits of user entities’ financial reports/statements?
  • Is the description prepared at a level of detail that could reasonably be expected to provide a broad range of user auditors with sufficient information to obtain an understanding of internal control in accordance with ASA 315?[13]  The description need not address every aspect of the service organisation’s processing or the services provided to user entities, and need not be so detailed as to potentially allow a reader to compromise security or other controls at the service organisation.
  • Is the description prepared in a manner that does not omit or distort information that may affect the common needs of a broad range of user auditors’ decisions, for example, does the description contain any significant omissions or inaccuracies in processing of which the service auditor is aware?
  • Where some of the control objectives stated in the service organisation’s description of its system have been excluded from the scope of the engagement, does the description clearly identify the excluded objectives?
  • Have the controls identified in the description been implemented?
  • Are complementary user entity controls, if any, described adequately?  In most cases, the description of control objectives is worded such that the control objectives are capable of being achieved through effective operation of controls implemented by the service organisation alone.  In some cases, however, the control objectives stated in the service organisation’s description of its system cannot be achieved by the service organisation alone because their achievement requires particular controls to be implemented by user entities.  This may be the case where, for example, the control objectives are specified by a regulatory authority.  When the description does include complementary user entity controls, the description separately identifies those controls along with the specific control objectives that cannot be achieved by the service organisation alone. 
  • If the inclusive method has been used, does the description separately identify controls at the service organisation and controls at the subservice organisation?  If the carve‑out method is used, does the description identify the functions that are performed by the subservice organisation?  When the carve‑out method is used, the description need not describe the detailed processing or controls at the subservice organisation.

[13] See ASA 315 Identifying and Assessing Risks of Material Misstatement through Understanding the Entity and Its Environment.

A22

The service auditor’s procedures to evaluate the fair presentation of the description may include:

  • Considering the nature of user entities and how the services provided by the service organisation are likely to affect them, for example, whether user entities are from a particular industry and whether they are regulated by government agencies.
  • Reading standard contracts, or standard terms of contracts, (if applicable) with user entities to gain an understanding of the service organisation’s contractual obligations.
  • Observing procedures performed by service organisation personnel.
  • Reviewing the service organisation’s policy and procedure manuals and other systems documentation, for example, flowcharts and narratives.

A23

Paragraph 21(a) requires the service auditor to evaluate whether the control objectives stated in the service organisation’s description of its system are reasonable in the circumstances.  Considering the following questions may assist the service auditor in this evaluation:

  • Have the stated control objectives been designated by the service organisation or by outside parties such as a regulatory authority, a user group, or a professional body that follows a transparent due process? 
  • Where the stated control objectives have been specified by the service organisation, do they relate to the types of assertions commonly embodied in the broad range of user entities’ financial reports/statements to which controls at the service organisation could reasonably be expected to relate?  Although the service auditor ordinarily will not be able to determine how controls at a service organisation specifically relate to the assertions embodied in individual user entities’ financial reports/statements, the service auditor’s understanding of the nature of the service organisation’s system, including controls, and services being provided is used to identify the types of assertions to which those controls are likely to relate.
  • Where the stated control objectives have been specified by the service organisation, are they complete?  A complete set of control objectives can provide a broad range of user auditors with a framework to assess the effect of controls at the service organisation on the assertions commonly embodied in user entities’ financial reports/statements.

A24

The service auditor’s procedures to determine whether the service organisation’s system has been implemented may be similar to, and performed in conjunction with, procedures to obtain an understanding of that system.  They may also include tracing items through the service organisation’s system and, in the case of a type 2 report, specific enquiries about changes in controls that were implemented during the period.  Changes that are significant to user entities or their auditors are included in the description of the service organisation’s system.

Obtaining Evidence Regarding Design of Controls

(Ref: Para. 23 and 28(b))

A25

From the viewpoint of a user entity or a user auditor, a control is suitably designed if, individually or in combination with other controls, it would, when complied with satisfactorily, provide reasonable assurance that material misstatements are prevented, or detected and corrected.  A service organisation or a service auditor, however, is not aware of the circumstances at individual user entities that would determine whether or not a misstatement resulting from a control deviation is material to those user entities.  Therefore, from the viewpoint of a service auditor, a control is suitably designed if, individually or in combination with other controls, it would, when complied with satisfactorily, provide reasonable assurance that control objectives stated in the service organisation’s description of its system are achieved. 

A26

A service auditor may consider using flowcharts, questionnaires, or decision tables to facilitate understanding the design of the controls.

A27

Controls may consist of a number of activities directed at the achievement of a control objective.  Consequently, if the service auditor evaluates certain activities as being ineffective in achieving a particular control objective, the existence of other activities may allow the service auditor to conclude that controls related to the control objective are suitably designed. 

Obtaining Evidence Regarding Operating Effectiveness of Controls

Assessing Operating Effectiveness (Ref: Para. 24)

A28

From the viewpoint of a user entity or a user auditor, a control is operating effectively if, individually or in combination with other controls, it provides reasonable assurance that material misstatements, whether due to fraud or error, are prevented, or detected and corrected.  A service organisation or a service auditor, however, is not aware of the circumstances at individual user entities that would determine whether a misstatement resulting from a control deviation had occurred and, if so, whether it is material.  Therefore, from the viewpoint of a service auditor, a control is operating effectively if, individually or in combination with other controls, it provides reasonable assurance that control objectives stated in the service organisation’s description of its system are achieved.  Similarly, a service organisation or a service auditor is not in a position to determine whether any observed control deviation would result in a material misstatement from the viewpoint of an individual user entity.

A29

Obtaining an understanding of controls sufficient to opine on the suitability of their design is not sufficient evidence regarding their operating effectiveness, unless there is some automation that provides for the consistent operation of the controls as they were designed and implemented.  For example, obtaining information about the implementation of a manual control at a point in time does not provide evidence about operation of the control at other times.  However, because of the inherent consistency of IT processing, performing procedures to determine the design of an automated control, and whether it has been implemented, may serve as evidence of that control’s operating effectiveness, depending on the service auditor’s assessment and testing of other controls, such as those over program changes. 

A30

To be useful to user auditors, a type 2 report ordinarily covers a minimum period of six months.  If the period is less than six months, the service auditor may consider it appropriate to describe the reasons for the shorter period in the service auditor’s assurance report.  Circumstances that may result in a report covering a period of less than six months include when (a) the service auditor is engaged close to the date by which the report on controls is to be issued; (b) the service organisation (or a particular system or application) has been in operation for less than six months; or (c) significant changes have been made to the controls and it is not practicable either to wait six months before issuing a report or to issue a report covering the system both before and after the changes.

A31

Certain control procedures may not leave evidence of their operation that can be tested at a later date and, accordingly, the service auditor may find it necessary to test the operating effectiveness of such control procedures at various times throughout the reporting period.

A32

The service auditor provides an opinion on the operating effectiveness of controls throughout each period; therefore, sufficient appropriate evidence about the operation of controls during the current period is required for the service auditor to express that opinion.  Knowledge of deviations observed in prior engagements may, however, lead the service auditor to increase the extent of testing during the current period.

Testing of Indirect Controls (Ref: Para. 25(b))

A33

In some circumstances, it may be necessary to obtain evidence supporting the effective operation of indirect controls.  For example, when the service auditor decides to test the effectiveness of a review of exception reports detailing sales in excess of authorised credit limits, the review and related follow up is the control that is directly of relevance to the service auditor.  Controls over the accuracy of the information in the reports (for example, the general IT controls) are described as “indirect” controls.

A34

Because of the inherent consistency of IT processing, evidence about the implementation of an automated application control, when considered in combination with evidence about the operating effectiveness of the service organisation’s general controls (in particular, change controls), may also provide substantial evidence about its operating effectiveness.

Means of Selecting Items for Testing (Ref: Para. 25(c) and 27)

A35

The means of selecting items for testing available to the service auditor are:

  1. Selecting all items (100% examination).  This may be appropriate for testing controls that are applied infrequently, for example, quarterly, or when evidence regarding application of the control makes 100% examination efficient;
  2. Selecting specific items.  This may be appropriate where 100% examination would not be efficient and sampling would not be effective, such as testing controls that are not applied sufficiently frequently to render a large population for sampling, for example, controls that are applied monthly or weekly; and
  3. Sampling.  This may be appropriate for testing controls that are applied frequently in a uniform manner and which leave documentary evidence of their application. 


The Work of an Internal Audit Function

Obtaining an Understanding of the Internal Audit Function (Ref: Para. 30)

A37

An internal audit function may be responsible for providing analyses, evaluations, assurances, recommendations, and other information to management and those charged with governance.  An internal audit function at a service organisation may perform activities related to the service organisation’s own system of internal control, or activities related to the services and systems, including controls, that the service organisation is providing to user entities.

Determining Whether and to What Extent to Use the Work of the Internal Auditors (Ref: Para. 33)

A38

In determining the planned effect of the work of the internal auditors on the nature, timing or extent of the service auditor’s procedures, the following factors may suggest the need for different or less extensive procedures than would otherwise be the case:

  • The nature and scope of specific work performed, or to be performed, by the internal auditors is quite limited. 
  • The work of the internal auditors relates to controls that are less significant to the service auditor’s conclusions.
  • The work performed, or to be performed, by the internal auditors does not require subjective or complex judgements.

Using the Work of the Internal Audit Function (Ref: Para. 34)

A39

The nature, timing and extent of the service auditor’s procedures on specific work of the internal auditors will depend on the service auditor’s assessment of the significance of that work to the service auditor’s conclusions (for example, the significance of the risks that the controls tested seek to mitigate), the evaluation of the internal audit function and the evaluation of the specific work of the internal auditors.  Such procedures may include:

  • Examination of items already examined by the internal auditors;
  • Examination of other similar items; and
  • Observation of procedures performed by the internal auditors.

Effect on the Service Auditor’s Assurance Report (Ref: Para. 36‑37)

A40

Irrespective of the degree of autonomy and objectivity of the internal audit function, such function is not independent of the service organisation as is required of the service auditor when performing the engagement.  The service auditor has sole responsibility for the opinion expressed in the service auditor’s assurance report, and that responsibility is not reduced by the service auditor’s use of the work of the internal auditors.

A41

The service auditor’s description of work performed by the internal audit function may be presented in a number of ways, for example:

  • By including introductory material to the description of tests of controls indicating that certain work of the internal audit function was used in performing tests of controls. 
  • Attribution of individual tests to internal audit.

Written Representations

(Ref: Para. 38 and 40)

A42

The written representations required by paragraph 38 are separate from, and in addition to, the service organisation’s statement, as defined at paragraph 9(o).

A43

If the service organisation does not provide the written representations requested in accordance with paragraph 38(c) of this ASAE, it may be appropriate for the service auditor’s opinion to be modified in accordance with paragraph 55(d) of this ASAE.

Other Information

(Ref: Para. 42)

A44

Relevant ethical requirements require that a service auditor not be associated with information where the service auditor believes that the information:

  1. Contains a materially false or misleading statement;
  2. Contains statements or information provided recklessly; or
  3. Omits or obscures required information where such omission or obscurity would be misleading.[14]

If other information included in a document containing the service organisation’s description of its system and the service auditor’s assurance report contains future‑oriented information such as recovery or contingency plans, or plans for modifications to the system that will address deviations identified in the service auditor’s assurance report, or claims of a promotional nature that cannot be reasonably substantiated, the service auditor may request that information be removed or restated. 

14

  See ASA 102.

A45

If the service organisation refuses to remove or restate the other information, further actions that may be appropriate include, for example:

  • Requesting the service organisation to consult with its legal counsel as to the appropriate course of action.
  • Describing the material inconsistency or material misstatement of fact in the assurance report.
  • Withholding the assurance report until the matter is resolved.
  • Withdrawing from the engagement. 

Documentation

(Ref: Para. 51)

A46

ASQM 1 (or professional requirements, or requirements in law or regulation that are at least as demanding as ASQM 1) requires firms to establish a quality objective that addresses the assembly of engagement documentation on a timely basis after the date of the engagement report.[15]  An appropriate time limit within which to complete the assembly of the final engagement file is ordinarily not more than 60 days after the date of the service auditor’s report.[16]

15

See ASQM 1, paragraph 31(f).

16

See ASQM 1, paragraph A83.

Preparing the Service Auditor’s Assurance Report

Content of the Service Auditor’s Assurance Report (Ref: Para. 53)

A47

Illustrative examples of service auditors’ assurance reports, related service organisations’ statements and a description of the system are contained in Appendices 1, [Aus] 1A and 2.

Intended Users and Purposes of the Service Auditor’s Assurance Report (Ref: Para. 53(e))

A48

The criteria used for engagements to report on controls at a service organisation are relevant only for the purposes of providing information about the service organisation’s system, including controls, to those who have an understanding of how the system has been used for financial reporting by user entities.  Accordingly, this is stated in the service auditor’s assurance report.  In addition, the service auditor may consider it appropriate to include wording that specifically restricts distribution of the assurance report to the intended users, and restricts its use by others or its use for other purposes.

Description of the Tests of Controls (Ref: Para. 54)

A49

In describing the nature of the tests of controls for a type 2 report, it assists readers of the service auditor’s assurance report if the service auditor includes:

  • The results of all tests where deviations have been identified, even if other controls have been identified that allow the service auditor to conclude that the relevant control objective has been achieved or the control tested has subsequently been removed from the service organisation’s description of its system. 
  • Information about causative factors for identified deviations, to the extent the service auditor has identified such factors.

Modified Opinions (Ref: Para. 55)

A50

Illustrative examples of elements of modified service auditor’s assurance reports are contained in Appendix 3.

A51

Even if the service auditor has expressed an adverse opinion or disclaimed an opinion, it may be appropriate to describe in the basis for modification paragraph the reasons for any other matters of which the service auditor is aware that would have required a modification to the opinion, and the effects thereof.

A52

When expressing a disclaimer of opinion because of a scope limitation, it is not ordinarily appropriate to identify the procedures that were performed or to include statements describing the characteristics of a service auditor’s engagement; to do so might overshadow the disclaimer of opinion.

Other Communication Responsibilities

(Ref: Para. 56)

A53

Appropriate actions to respond to the circumstances identified in paragraph 56, unless prohibited by law or regulation, may include:

  • Obtaining legal advice about the consequences of different courses of action.
  • Communicating with those charged with governance of the service organisation.
  • Determining whether to communicate with third parties (e.g., law, regulation or relevant ethical requirements may require the service auditor to report to an appropriate authority outside the entity or the external auditor of the service organisation,[17] or establish responsibilities under which such reporting may be appropriate in the circumstances).
  • Modifying the service auditor’s opinion, or adding an Other Matter paragraph.
  • Withdrawing from the engagement.

17

See, for example, paragraphs R360.31-360.35 A1 of APES 110 Code of Ethics for Professional Accountants (including Independence Standards).

Example Engagement Letter

[Aus] Appendix 0A

The following example of a service auditor’s engagement letter is for guidance only and is not intended to be exhaustive or applicable to all situations.

Example Representation Letter

[Aus] Appendix 0B

The following example of a representation letter is for guidance only and is not intended to be exhaustive or applicable to all situations. 

Example Service Organisation’s Statements

Appendix 1

The following examples of service organisations’ statements are for guidance only and are not intended to be exhaustive or applicable to all situations. 

Illustrative Example of a Service Organisation’s Description of the System Accompanying XYZ Service Organisation Management’s Statement

[Aus] Appendix 1A

The following example of the service organisation’s description of the system is illustrative only and is not intended to be exhaustive or applicable to all situations.  The preparation and presentation of the description of the service organisation’s system is the responsibility of management of the service organisation and the format is not prescribed by this ASAE, including this appendix.  Management’s description of the service organisation’s system should be developed as appropriate to suit the individual circumstances of the assurance engagement.


Example Service Auditor’s Assurance Reports

Appendix 2

The following examples of reports are for guidance only and are not intended to be exhaustive or applicable to all situations.

Example Modified Service Auditor’s Assurance Reports

Appendix 3

The following examples of modified reports are for guidance only and are not intended to be exhaustive or applicable to all situations.  They are based on the examples of reports in Appendix 2.
