Clarified Auditing Standards: An Entity Using a Service Organization (AU-C 402)

calculator spreadsheet
Larry Perry
CPA Firm Support Services, LLC
Columnist
Share this content

The following is a summary of changes in AU-C Section 402 from the previous Statement on Auditing Standards No. 114:

1. Terminology describing a user organization has been changed to “user entity.”

2. In a type 2 report, the service auditor's report would contain an opinion on the fairness of the description of the service organization's system and on the suitability of the design of the controls for a period rather than as of a specified date, as it does in a type 1 report.

A type 1 report covers management's description of a service organization's system and the suitability of the design of controls. It contains the following:

  • Management's description of the service organization's system.
  • A written assertion by management of the service organization about whether management's description of the service organization's system fairly presents its system that was designed and operating to accomplish its control objectives as of a specified date.
  • A service auditor's report that expresses an opinion on the matters above.

A type 2 report covers management's description of a service organization's system and the suitability of the design and operating effectiveness of controls for a period of time. The report would include the following:

  • Management's description of the service organization's system.
  • A written assertion by management of the service organization about whether management's description of the service organization's system fairly presents its system that was designed and operating throughout the period of time and includes descriptions of the controls related to management's control objectives that were suitably designed and operated throughout the specified period.
  • A service auditor's report that expresses an opinion on the above matters and includes a description of the service auditor's tests of controls and results.

3. A user auditor is permitted to make reference to the work of a service auditor in his or her report to explain a modification of the user auditor's opinion. In those circumstances, the user auditor's report would be required to indicate that such reference does not diminish the user auditor's responsibility for that opinion.

4. A user auditor is required to inquire of management of the user entity about whether the service organization has reported to the user entity any fraud, noncompliance with laws and regulations, or uncorrected misstatements. If so, the user auditor would be required to evaluate how such matters affect the nature, timing, and extent of the user auditor's further audit procedures.

5. This clarified auditing standard is applicable to situations in which an entity uses a shared-service organization that provides services to a group of related entities.

Practical Note
As with the previous SAS No. 70 report, reliance on either a type 1 or a type 2 report requires specific determination that the service auditor's procedures provide sufficient evidence about specific internal-control procedures that may be necessary to evaluate all relevant financial statement assertions in the audit of the user entity.

A CPA firm partner auditing a user entity shared in one of my live seminars that a service auditor's report did not contain evidence of testing certain key controls in the service entity's system to prevent error or fraud from occurring and going undetected. Because the user auditor could not perform additional tests of the service auditor's system to obtain sufficient evidence about the performance of these key controls, this scope restriction resulted in a qualified opinion on the user entity's financial statements.

When the user auditor's strategy is to rely on evidence from the results of tests of controls, the user auditor should obtain a type 2 report from a service auditor and, early during engagement planning, determine that the report contains sufficient evidence regarding all significant key controls operated at the service entity.

More Information
These eBook resources, without CPE credit, can be obtained from my website:

  • Small Audits Made Easy and Profitable
  • Performing Auditing Tests of Balances Procedures
  • Staff Training Series for Entry-Level Accountants, New In-Charge Accountants and Engagement Leaders
  • Key Accounting Issues for Non-Profit Organizations
  • A Practical Potpourri of Time Savings on Audits
  • The Financial Reporting Framework for Small- and Medium-Sized Entities

My exclusive presentation of webcasts on CPEcredit.com and self-study courses covering various applications of auditing standards can be accessed by clicking the appropriate box on the left side of my home page, www.cpafirmsupport.com. Registered users on my website receive a 20 percent discount on CPE materials presented by myself and numerous other authors on a variety of professional topics.

My assistance in CPA firm quality-control consulting, audit planning, and peer-review preparation can be obtained by sending an email using the “Contact Us” tab on my home page.

Replies

Please login or register to join the discussion.

There are currently no replies, be the first to post a reply.