Sarbanes Oxley Act - Auditing Standards

Public Company Accounting Oversight Board
Bylaws and Rules – Standards – AS2

Auditing Standard No. 2: An Audit of Internal Control Over Financial Reporting Performed in Conjunction With an Audit of Financial Statements

Use of Service Organizations

B18. AU sec. 324, Service Organizations, applies to the audit of financial statements of a company that obtains services from another organization that are part of its information system. The auditor may apply the relevant concepts described in AU sec. 324 to the audit of internal control over financial reporting. Further, although AU sec. 324 was designed to address auditor-to-auditor communications as part of the audit of financial statements, it also is appropriate for management to apply the relevant concepts described in that standard to its assessment of internal control over financial reporting.

B19. Paragraph .03 of AU sec. 324 describes the situation in which a service organization's services are part of a company's information system. If the service organization's services are part of a company's information system, as described therein, then they are part of the information and communication component of the company's internal control over financial reporting. When the service organization's services are part of the company's internal control over financial reporting, management should consider the activities of the service organization in making its assessment of internal control over financial reporting, and the auditor should consider the activities of the service organization in determining the evidence required to support his or her opinion.

Note: The use of a service organization does not reduce management's responsibility to maintain effective internal control over financial reporting.

B20. Paragraphs .07 through .16 in AU sec. 324 describe the procedures that management and the auditor should perform with respect to the activities performed by the service organization. The procedures include:

a. Obtaining an understanding of the controls at the service organization that are relevant to the entity's internal control and the controls at the user organization over the activities of the service organization, and
b. Obtaining evidence that the controls that are relevant to management's assessment and the auditor's opinion are operating effectively.

B21. Evidence that the controls that are relevant to management's assessment and the auditor's opinion are operating effectively may be obtained by following the procedures described in paragraph .12 of AU sec. 324. These procedures include:

a. Performing tests of the user organization's controls over the activities of the service organization (for example, testing the user organization's independent reperformance of selected items processed by the service organization or testing the user organization's reconciliation of output reports with source documents).
b. Performing tests of controls at the service organization.
c. Obtaining a service auditor's report on controls placed in operation and tests of operating effectiveness, or a report on the application of agreed-upon procedures that describes relevant tests of controls.

Note: The service auditor's report referred to above means a report with the service auditor's opinion on the service organization's description of the design of its controls, the tests of controls, and results of those tests performed by the service auditor, and the service auditor's opinion on whether the controls tested were operating effectively during the specified period (in other words, "reports on controls placed in operation and tests of operating effectiveness" described in paragraph .24b of AU sec. 324). A service auditor's report that does not include tests of controls, results of the tests, and the service auditor's opinion on operating effectiveness (in other words, "reports on controls placed in operation" described in paragraph .24a of AU sec. 324) does not provide evidence of operating effectiveness. Furthermore, if the evidence regarding operating effectiveness of controls comes from an agreed-upon procedures report rather than a service auditor's report issued pursuant to AU sec. 324, management and the auditor should evaluate whether the agreed-upon procedures report provides sufficient evidence in the same manner described in the following paragraph.

B22. If a service auditor's report on controls placed in operation and tests of operating effectiveness is available, management and the auditor may evaluate whether this report provides sufficient evidence to support the assessment and opinion, respectively. In evaluating whether such a service auditor's report provides sufficient evidence, management and the auditor should consider the following factors:

• The time period covered by the tests of controls and its relation to the date of management's assessment,
• The scope of the examination and applications covered, the controls tested, and the way in which tested controls relate to the company's controls,
• The results of those tests of controls and the service auditor's opinion on the operating effectiveness of the controls.

Note: These factors are similar to factors the auditor would consider in determining whether the report provides sufficient evidence to support the auditor's assessed level of control risk in an audit of the financial statements as described in paragraph .16 of AU sec. 324.

B23. If the service auditor's report on controls placed in operation and tests of operating effectiveness contains a qualification that the stated control objectives might be achieved only if the company applies controls contemplated in the design of the system by the service organization, the auditor should evaluate whether the company is applying the necessary procedures. For example, completeness of processing payroll transactions might depend on the company's validation that all payroll records sent to the service organization were processed by checking a control total.

B24. In determining whether the service auditor's report provides sufficient evidence to support management's assessment and the auditor's opinion, management and the auditor should make inquiries concerning the service auditor's reputation, competence, and independence. Appropriate sources of information concerning the professional reputation of the service auditor are discussed in paragraph .10a of AU sec. 543, Part of Audit Performed by Other Independent Auditors.

B25. When a significant period of time has elapsed between the time period covered by the tests of controls in the service auditor's report and the date of management's assessment, additional procedures should be performed. The auditor should inquire of management to determine whether management has identified any changes in the service organization's controls subsequent to the period covered by the service auditor's report (such as changes communicated to management from the service organization, changes in personnel at the service organization with whom management interacts, changes in reports or other data received from the service organization, changes in contracts or service level agreements with the service organization, or errors identified in the service organization's processing). If management has identified such changes, the auditor should determine whether management has performed procedures to evaluate the effect of such changes on the effectiveness of the company's internal control over financial reporting. The auditor also should consider whether the results of other procedures he or she performed indicate that there have been changes in the controls at the service organization that management has not identified.

B26. The auditor should determine whether to obtain additional evidence about the operating effectiveness of controls at the service organization based on the procedures performed by management or the auditor and the results of those procedures and on an evaluation of the following factors. As these factors increase in significance, the need for the auditor to obtain additional evidence increases.

• The elapsed time between the time period covered by the tests of controls in the service auditor's report and the date of management's assessment,
• The significance of the activities of the service organization,
• Whether there are errors that have been identified in the service organization's processing, and
• The nature and significance of any changes in the service organization's controls identified by management or the auditor.

B27. If the auditor concludes that additional evidence about the operating effectiveness of controls at the service organization is required, the auditor's additional procedures may include:

• Evaluating the procedures performed by management and the results of those procedures.
• Contacting the service organization, through the user organization, to obtain specific information.
• Requesting that a service auditor be engaged to perform procedures that will supply the necessary information.
• Visiting the service organization and performing such procedures.

B28. Based on the evidence obtained, management and the auditor should determine whether they have obtained sufficient evidence to obtain the reasonable assurance necessary for their assessment and opinion, respectively.

B29. The auditor should not refer to the service auditor's report when expressing an opinion on internal control over financial reporting.