It may also be necessary for the user auditor to obtain additional evidence about significant changes to the relevant controls at the service organisation outside of the period covered by the type 2 report or determine additional audit procedures to be …

Additional audit evidence may be obtained, for example, by extending tests of controls over the remaining period or testing the user entity’s monitoring of controls. …

If the service auditor’s testing period is completely outside the user entity’s financial reporting period, the user auditor will be unable to rely on such tests for the user auditor to conclude that the user entity’s controls are operating effectively …

In certain circumstances, a service provided by the service organisation may be designed with the assumption that certain controls will be implemented by the user entity.  For example, the service may be designed with the assumption that the user entity …

If the user auditor believes that the service auditor’s report may not provide sufficient appropriate audit evidence, for example, if a service auditor’s report does not contain a description of the service auditor’s tests of controls and results thereon, …

The service auditor’s type 2 report identifies results of tests, including exceptions and other information that could affect the user auditor’s conclusions.  Exceptions noted by the service auditor or a modified opinion in the service auditor’s type 2 …

Communication of deficiencies in internal control identified during the audit …

The user auditor is required to communicate in writing significant deficiencies identified during the audit to both management and those charged with governance on a timely basis. [11]   The user auditor is also required to communicate to management at an …

(Ref: Para. 18 ) …

In the case of audits of smaller entities, the auditor may communicate in a less structured manner with those charged with governance than in the case of larger …