SSAE NO. 16
b.
the control
been
designed by the user entity or the design is stipulated in a contract between the user entity and the service organization). (Ref: par. A4)
(Supersedes the guidance for service auditors in AU section 324, Service Organizations [AICPA,
DEFINITIONS
INTRODUCTION
results of agreed-upon procedures related to the controls of a service organization or to transactions or balances of a user entity maintained by a service
101, Attest
vol. 1),
to report on controls at a service organization
d. other than those that are likely to be relevant to
of the service organization (also referred to as management) will provide the service auditor with a written assertion that is included in or attached to management's description of the service organization's system. Paragraph 10 of this SSAE addresses the circumstance in which management refuses to provide such a written assertion. AT section 101
OBJECTIVES
'
rr
ing (,n
or
cc
rtai Ii In
r nct t
ional
i.
ii.
82
ilied
iii.
specified controls at the service organization. Control objectives address the risks that controls are intended to mitigate.
Controls at a service organization. The policies and procedures at a service organization likely to be relevant to user entities' internal control over financial reporting. These
r ation oJ
1. Earlier
call (978)
F e dc
2O 1
a.
rcp(
pra61111st.tc.1 1r
Effective Date
b.
rvrrh specified
SSAE.
75 0
in this
I ). r5 rpplic,rhJc i[
claLe).
1,ra
-? alqlBaqtu3rearqtrr:qlqsuaqlSulljllurPl
^
sa,ttt:a[qo
lortuor
.1o
-czrueS:o
(lIV
'uouasse
lo;
slseq aiquuoslleJ r 3utlr11 tr
str
(gIV red :J3ll) uourassE Puu
,gurtets
i11y
uortdu:sap
Lu3i{1
Sutll3las tll
"rud
:.1a111
8ur
8ui'reclar4 I
:;
'slotlpnE llaql
puu s3urtu3 r3sn or 1n1asn
:c1
aspJ aqt ur
uy
ro;
's1o.uuot
sau
Jo sseuontpa[c Suno'rado
1"Loda'4 1o
ualrll\ y
q
luarua8uue141
'uolllzl
rasn
lolluol
eu J n ol'/vt/11/v1
jo uondu:s:p s,tuaruaBeuell
uJlln,tr V
3o tuaura8eueru,(c1 uoutassu
'tu:ts{s s,uotleztueS:o al
-^las aqr
:3ur,tro11o1
uJoc'A3uell
3ql
'uorlPzl
loltuol
:ql s:sucl
aql
-lnsse ?lqu0
as:q1 Surtrr
-lalul,sJllllr
uorlezuBS:o
-llod 3qI'ul
'aleFtt
$islr aql
ss
-ezrueBro a
'uottdr
ale 'ruats.{s
loltuoJ aql
puB
saunu
'uoneztue8rr
aqt 1o u8rs
3Jr^l3S aqi
'slorluoJ
t ed&
.1o asod:nd
01
'uoneztueB
'EIl3llrJ alqEllns
y se EVSS slqt ur
11:.tr se
trodar s,tot
-ruu3:o atu
,{Etrl qJlqN
tP slo-i]uol
uouBztueBr
tuauraBeBu;
uoudursap
pur salu:aI
3frl"iSsQOS:
aqr 1o ado:
ulo.u sJpnl
aqr dq p3
saurluapi
3o uotldt'tl
-ezrueS'to
aqt Surssar
:lxal luanb
srutat 8ui,
sB
latl)
tsute8u
qlr.A\ sJuet
ala,{ ual
uoudursap
lo.ltuoJ a
-orcl ol,(1ar
"Ilalu]
LLt3lsAs
uottdu:sap s,luatua8euttr
u sapnlcur
(9V rEd
satniE^a Jottprlrl
ot pouacl
esor{l a^alqlE
d1r1ua
cl,{t u
ptn
s,uo11Dz1u03.to
3lll
3q1
(EIV-'IV
asoql puB
jo
ol dla4qun :rc
-uotu no
plnoqs
srNf uueulnoSu
-ue8ro allt-ras
arhr?sqns e
'BLlalu:) 3lqBllns
tr
OFFICIAL RELEASES
description and designing, implementing, and documenting controls that are suitably designed
and
reasonable assurance that the control objectives stated in the description of the service organization's system
vi.
will
sen'
at a minimum,
whether management's description of the
a.
be achieved. (Ref: par. A18)
implemented, including the following information about the service organization's system, if
i.
ii.
ol
engagement;
mlncc il
cssary',
a scope
iii.
is necessary
limitation
iri
and
opinion.
Request to Change the Scope of the Engagement
ur
84 Journal of Accountancy
August 2010
ncc-
as
b.
lutlitor
ancl
applicable:
scrwiec
b.
c.
How the service organization's system captures and addresses significant events and conditions other than transactions.
v. The process used to prepare reports and other information for user entities.
vi. The specified control objectives and controls designed to achieve those objectives, including as applicable, complementary user entity controls contemplated in the design of the service organization's controls.
vii. Other aspects of the service organization's control environment, risk assessment process, information and communication systems (including the related business processes), control activities, and monitoring controls that are relevant to the services provided. (Ref: par. A17 and A24)
in the case of a type 2 report, whether management's description of the service organization's system includes relevant details of changes to the service organization's system during the period covered by the description. (Ref: par.
in
me
20. Th
inquiri
nranagement's
dures r
been ir
service
being achievecl.
includt
other
are aptr
Obtain
Contn
16. In assessing the suitability of the criteria to evaluate whether controls operated effectively to pro-
2I.
sary r0
agerner
statecl
Thr
the cor
system
we re su
a.
rder
mel
mel
sysr
b.
Materiality
eva
inn
1r11[.rrp1111*
lhc .'ng]SC-
nizt
Obtaining an Understanding
Obtain
Effectir
A40-A.
Assessi4
22. Wt
service
sel.,/ice
achieve
of the
Service
Organization's System (Ref: par. A28-A30)
18. The service auditor should obtain an under-
ment's
engaSen
included in the scope of the engagement.
tem and
rhrough
controls
tor a rec
ed rvith
od. (Ref
23. Wh
sen4ce a
service o
ed durir
changes
A++)
enttLles
should d
ing whether
a. the control objectives stated in management's
nrzation'
tort
information relevant
to the service
nization's system is prepared to meet the common needs of a broad range of user entities and
b.
particular environment.
15. In assessing the suitability of the criteria to evaluate whether the controls are suitably designed, the
in
describe
controls identified in management's description
of the service organization's system were implemented. (Ref: par.
c.
J.
ed in ma
435)
the
and
dete
report.
li
achieven
descripti
test the
the sen''i,
relevant
stated in
dete
rmir
lwvwjo
98
:paluarrnJop puu
'pa,^i\ar^3l 'pasm:dns
.i.T::1T,1
:":
-rpne albrJs 3llt ro1lrunbape slr auluxatap
01
IJOA
lol
:lglcads asn
&risn
suolSnlluot
JJrr\]Jc Jtll ol
Iro^\
tEqlJU JJUs.rrjruSrs
d1a>1q sr tr
{o
3Jr^-r3s 3Ll1
4.1o,11
atll
Jo
)ilo,r
red
qortuoc
3utuuo14
A eqr Sursn
u.roc'Acuelunoccelol eu,tno['/wvvv\
'troclaJ s,Jorpnu 3fr^,lJs JLp Llo tta1Ja allt autulatap
JI
santr:[qo lortuo:
ilgy
:JaU)
are
uroq patlnsal
lue tuqt
]l:::i ::-.]l
Lru'-'d('
..
Ln
patBts
tuul3l3l
sr slorl
Hdq'JJui
sauttua
raqtar{.4
fuesslru
ltlu9N
25. When determining the extent of tests of controls and whether sampling is appropriate, the service auditor should consider the characteristics of the population of the controls to be tested, including the nature of the controls, the frequency of their application (for example, monthly, daily, many times per day), and the expected rate of deviation. AU section 350, Audit Sampling (AICPA, Professional Standards, vol. 1), addresses planning, performing, and evaluating audit samples. If the service auditor determines that sampling is appropriate, the service auditor should apply the requirements in paragraphs .31-.43 of AU section 350, which address sampling in tests of controls. Paragraphs .01-.14 and .45-.46 of AU section 350 provide additional guidance regarding the principles underlying those paragraphs.
'arnp3J
u3qA\ '62
csSl ot
lBuortrppe
'pouad paq
raqtaql
:3uvrro1
ar11
.r
s.lLll
Jq1
J3qtar{lA r
aq1 r
lDu.Le1u1
sE,\\
3qt ot tull^alar aq ot
sr uourlrn; trpne lcu
^lalrl ot rap:o ur parurojrad
-lalur 3qt l3ritaq,{\ auruuatap
sanr^nJu 3ril Jo puE uoltJurlJ IpnE lcuJatur allt Jo
Iro
-lpn[
uorlJunJ tlpnE
.JunJ lpne
lpulJlur rqt uo plcld srroLtJllsJl
:o sturrlsuo: due Jo tla3J3 aqt Jo uoltpJaprsuoJ
Surpnlcur 'rorpnr? eoul3s ?qt pue uol]
-JUnJ lrpnB lEuralur aql uaa,4Ataq rnlro lll.t\ uoll
-JrunruuloJ 3^rtJ3JJ3
tql
3-rEl lE
-uorssa3ord
uolrunJ
'tuaruaScSua
sEA
Ioluol
IoIuoJ
ql^\
uloc'ncu
1110-3.\,tEJ
Surpnpur
'uotluzluEl
e.rr ',{uu
1r
-alctur a:
rioIch.i:s:
'.rud
:1a91
ur:Is,(s s.
s.lu:ui:3
-pnllur
ltl
3qt ur Pr
Jsorll,r3rl
pl]],r
Purl
qu
qluau
pa
lqr
1o :c
-pnlnr'r,r
-.rapun
(o
3JrAras
_1,.^.-.-
J,\f,lqfr o
'trocb:7:
-uol
s3,\
Jo u
-uzrurS:o
Jo
u0r]ul
-l.raluru
-a8u8u:
Jr^las
s.
-:cLuor
',
sa^u
paqddu a
-Lrrd pJUl
-]Ll3lStSUC
1u JllnlJr
JJI,\I35 J
3Jr,\-lJS 3
s:rrtrakl
-lE,\3 o1 E
rLlo{ uoll
3lll tu3.\?r
{q :o uroq,tr,,{g
ur
'parlddu
aqf
-uzruu8ro
::lues
(ttV-0'V
srseq e apr.lord
pJl[ls
(Erv-0tv
pue 9ZV rpd :Jr1) slolluo3 Jo ssrrra,4.rlJaJJE
Surlzradg aql Surprp8ag aJuaprAE Sururetqg
21. The service auditor should determine which of the controls at the service organization are necessary to achieve the control objectives stated in management's description of the service organization's system and should assess whether those controls were suitably designed to achieve the control objectives by
(6y-9y pue 9ZV rrd lad) sloluo)
Surpre8aU aJuaprla Sururetqg
;o uBrsaq oql
'pa11ddc
rr
^ruJtsrsuol
?rit 1\\ol{ !
loluor
alqEu0sE:
'pln0.{\
r,
-duosap
Ltlals,(s s.
s,tuaruaB
aLll Jo lu
El,l3lt.tJ
d.
e.
conclusions reached are appropriate in the circumstances and any reports prepared by the internal audit function are consistent with the results of the work performed; and
exceptions relevant to the engagement or unusual matters disclosed by the internal audit function are properly resolved.
Eft'ecL
on
llepori
v
subsen'ice otgan-
Lhe
krving:
c.
Direct Assistance
35. When the service auditor uses members of the service organization's internal audit function to pro-
o.f
thc
a.
b.
c.
ol
the
con-
iii.
If management refuses to provide the representations in paragraphs 36(a) and 36(b) of this SSAE, the service auditor should disclaim an opinion or withdraw from the engagement.
Subsequent Events
42. The service auditor should inquire whether management is aware of any events subsequent to the period covered by management's description of the service organization's system up to the date of the service auditor's report that could have a sig-
as described.
. Scc
86
101,
Attest Engagements
comple
the final
than 60
release
50. Afte
has beer
delete o
Its reten
51.
lfr
ity existi
docume
engagen
auditor
itication
a.
b.
The
Wh
revit
Prepari
Content
)l'.
A se
the foll
4.
b.
b.
c.
c.
A trt
An
Iden
i.r
tLz
iii.
engagement,
tl-Le
irt
va
a.
i
(
d.
lfma
niza
abilit
the
ment
s
number of items tested), and the number
and nature of the deviations noted (even if,
p.
-^-;^^
organization
hl
the men
ii.
'
iii.
iv
n
par. A56)
any information included in a document containing the service auditor's report that is not covered by the service auditor's report.
(Ref: par. A56)
the criteria.
ion
app
tem,
ced
Lt.
about the suitability of the design of the controls to achieve the related control objectives.
The service auditor's opinion on whether, in all
in the description
orglnlzil-
iv
in management's assertion,
i. management's description of the service organization's system fairly presents the
vi.
designed
tron;
ii.
iii.
cont rol ohjcct ivcs :rrc spcci ficrl by larv, r'egn[ the scrulce
tion's system,
achievement of the control objectives,
ified
ii.
ating effectively to achieve the related control objectives stated in the description of the service organization's system
A statement that the service auditor's responsibility is to express an opinion on the fairness of the presentation of management's description of the service organization's system and on the suitability of the design of the controls to achieve the related control objectives stated in the
56.
wa5
clate.
iii. if
'lrn,l
rlet,'
the
his,
57.
ion,
desc
ination.
mlgl
(1)
ed controls at relevant
uLSdL"zaLru,,J,
-'.r
dL'u
subservice
that
r
the seruicc audi-
(2)
lf
If
88
d.
of the seruice
system prepared
tl.re
i.
A'6I-464)
(Ref: par.
^,^^-i-^ri^-
reference
manage ment's
par.
46l-464)
cedt
engi
Oth
58. l
oInr
oru
OI OI
clear
efiec
achit
entit
tion
ice a
Report Ddte
I0r
no opinion thereon.
A statement that an examination of management's description of a service organization's system and the suitability of the design of the service organization's controls to achieve the related control objectives stated in the description involves performing procedures to obtain evidence about the fairness of the presentation
54. The service auditor should date the service auditor's report no earlier than the date on which the
been
nrcat
es
the
sl
entrtr
tion i
take
55. The service auditor's opinion should be modified and the service auditor's report should contain a clear description of all the reasons for the modification, if the service auditor concludes that
a. management's description of the service organization's system is not fairly presented, in all material respects;
b. the controls are not suitably designed to provide reasonable assurance that the control objectives stated in management's description of the service organization's system would be achieved if the controls operated as described;
www.journalofaccountancy.com
APT
EXF
Scop
AT. I
Itas0
objec
inu
comI
Conf
and c
entit)
Wwv
6g
uoc'ncuelunocceloleurno['/v\r
/v\
'slorluoJ
f4 Elratul alqellns lnoqB uouEru'loJul
:t1t
,o ,.rrr.r,'r4ta Surtelado
'.,.a.
u, pr".u'lt'tt:qt1o
r.rt
qlns
trodr'r 7 ld'(t e
1o
uorttlr'rrs;tp aqt ut
slolluoJ.Jo
uru,t
Io
*oitlutlrp
(urtu
aqt ;o
ut
1y55 slql Jo / qdcr8errd
ssrullrudorddr Pur :JuEralrl
trod:r rqt
lo slasn
r1 I
tqt puElsr3pun
sa11uu3
or
usql
3lq8ua
lasn ol alqullc^E
3JuBplolJE Ul
,o o] pr"., llslul 'avss slql qllnA
pr*lo3l.a
roJ '9V
sluaura8e8ua 1o sasodrnd 3q1
pu I red :1a1; rrtetrt3
(9I-tI
'slualu3lBls IEIJUEUU
U'IAO S'UOII
3ql o1 pslelal
-uzrur8ro 3Jl,uas arll 1o uotlereda:d
s'uorlezrue8ro acr
slortuor 'a1.1-"ta ro1 lualsls
ul p3lllls salll
-,urs aqt;o ,,ou.1t rsap s,luauraBeueu
aql o] p31ul3-l lou
-cafqo p:tuoo aql Jo luaura^alqrz
slolluoJ apnllul
, l,
roc uoullzl
sluauodutol
t,"].tjl|i
12 .'n.t
1lx) r,orrn:run3'9
rl^iJS P lU Sl0lltlo]
suoulu{a(
((q)Z rEd l3d) I01
ssaua'rura31a 8ur
uoulas IV rapun slolluol aqt 1o
-r"rr.lo ,,tt lo uollt;ulu]cx'l ut; -lo'( I lo\'si)lpl)unlS
ol uotttsod
Jo
tuaur8esua luln:ttrcd lq
pu'
uottc:t1tturp1'
'ran,rralqo lortuo:atrtldorddulo
1o
dpuerl
Irt
rapun luarr
ot trodar e ltulad
:o'Sutlrodal lellueui1
ac1
.]rrirn
'la.{a,^
B tE
oq'tou
uaq^\'tV
ol
urns
Burr.rodar lelf,ueur1
s'Alrlua
'*i"r.:.,
uoure aleudordde
119y red :J3U)
o>1ur
uotl
'OS Op 01 Suqlltun
plnoqs rollpnE alluss aql
'palullu
-rr,r-,n:ro 311^las alll lo luaru:Serittu PUB
os u3aq lou sEq
st
-nurulol
u.ro?'Acuelun(
:paqu:
pa^3llpE aq plnr
3rl1 Jo
ns
3Ll1
113
-old ol
PJuBls:
lBql sapr
-lpm 3Jl\las:
'tu:ur;8cBua
aql sulBlulrl
puc (tn aqt
'1rocl:
:J3U) s3llllu
all,\l3s aql
afluas
3ql
'uolllpuoJ'
-zztueBro
-a8rueut u
Jql a^3lql
:asn drelu
-arrtlraJJa
.q
plnor
afulllnssB
,(lqeltns a
aql Jo uo
Sa,rtl::[qO
-:ads aqt
sur,r te{
pal3ltpr
3ql
slu3
SflAl3S :
paqurs3
'l3
liB ut
's3^llJa
ut 'po]u:sard
?ql
-uol 3i
suolsnlJ
1o
]snc)Jq uol
:qt Jo
luJr)rllns ul[lqo ol '(lr1lqeul
JJt IJS
-uttlo'ue ulrel.rstp olsttcld lollpnll
ru Jr Jr
3ur-(1dde ut
{las
uollduls
-lafqo lo.uuoJ
ll ut'p3lu3sJl
-e8lo aJl\.ras
'uorurdo s,ro
ateudo:dde l
?ql qllqlA
lol
a:t
ronr rr,n.,r, aqr dlleuourppy llodar s'roitpnu
,,rlr*a,rt,
i;
aql
isl:adsal l[IJaleur
luc \f,
c uor'1
: rrt::ds-r:d '{rotrln8ar
s,tuaruaSeuBur
,q
-,a.,
J-rnsolJslp pur
raqlo
aql Furqtl]sap
,,rot,pn" af,r^r3s e Jo sfllsualJslEtll
paurojlad ala't lvql s3lnp3J
"pt't1.,'t:ou
allrlas 3Lp 'uol
-o:cl aqt dlltuapl tou plnoqs lolrpnB
-urcIo ur o,,uF ,p or suuld:otlPne.alt'rrasr::ij:
,lnr,ro, ,,"ur,'lrod::
ol pspualul
ll
:psqulsap se paterado slolluol
a:ttuas :qt;o
aq plno^ tualsds s,uot.lBzrueBro
uI pal'ls s3^ur3lqo
a:ur:as
sr 7 qde:8u're4 uorlezruu8ro
o1 I0l uolllas IV rapun uo
slolluoJ uo lrodar
tJ,iitr.rrp
ul 3q 1f'\l uoll
^13{uun
lou st
d11lu3-lasn
e'(pellulls
'
-;;;.1";":
alul3s
1et:
:ruuqduto: pue
pue
APPLICATION AND OTHER
EXPLANATORY MATERIAL
ol
^'.nif-rf*t"otqlr,^r
orci.,.-"hn3.,.
fv
aqr Jo lu3ura^alqlB
-.uJs aqt pue 's3^rrrafqo 1olluor
uoll
,qt '*rtrda s,uorleztucBro 3)llras oql Jo
qJns Jo lJaJ'13
-du:sap s,tuarua?ueru uo sluaptlul
arf 's3lltlua
,u, arr,-trraP plnoqs lollpnE aIAl3S
(eru lcql pue lcl^ul
r.'r.,-r r.o-.,o'a.ro tca;p
^lical:)
afr'\'l;s laqlo
'ro
tou ale lBql lauuos:ad uoueztue8ro
slolle palJellolun lo
tuarua8suelu ol alqelnqllllE
:pnrr1 'ruono1.,8rl pull s'{\Bl q1!4\ acuctldruo:uou 3o
'8E
saluolsq rollpne alluas aql l1
ar.,rptrni;o
'
"rn^E
sa.rllrqts.rodsauuolleJrunuurof
l3sn
1n,-nnq la^o lolluol lEulalul 's3lll1u3
uddll
1[7uott]as
1o
stql rapun
.,ortdrn.ap 3lll ul ?pnlrul o1 aVSS
ur iarl
p.nr.l ,,.,o.I.i tlrurad ol 2 qder8e'red
lr{, lrolluzlurS.,o ,r1,t1?s pu! uollDzlurr3-10 2rlat2s
:prlord
3ql Jo uoller?lle aqt ro1
Jo suollluuap
uB
1eq] ll3ssll
Nql
-ezrue8ro allr\Jas aql lo luaura8eucur
tl 'tuals,{s 3ql
'tollpnE
alulss
drlut lou 3lll urals{s s,uotlpztup8ro
tr
s.tuauta8eueurlo sll:dse urrual
'1o uortal,lrrrp
s:rnpar
leql p3pnpuo) seq'paurroyad
uopaseq'put'aruapua alrudorddc
or.,rpuuo, '{eut
lLll r3^o
.uo,'rnruart luaullsl\ul jo '{trlLqrtda::c
papnllul
u)q^\ 'l0l
qlul
'3utlodar
aql Jo
lo s3luEtsurnJlll aql ul s3^lllafqo lo]luoJ
s,luaura8euutu ;o
-eB.ro'al,r:as atp 1o uortclursap
ro1 'I0I
uourruasard lo ss3ulJ aql Suuunlela
--',.tt
ur paqu:sard
rv ro +g -gT iqde:3ered
uouEllllluapl
sE'su3luJ elqEllpr\E pu alqllns Jo
loltpne
-ttuFts.t:11tp leql sJnssl lJlunoJua "(eut
teqt Surturo3::d pue Suruur:1d
';;'r;tr'Jrr.br8ua
ul aVSS slql ul
aql puB'Suurodar lzllueull lalo loll
-rpnn
"at-"t
aq ol '{laIll
-.,o. 1r,rr",,.r, ,s3lluua lasn ol luEAsl3J
3]r lJs B lE
slo.uuoJ asoql uBql J?q]o uorluzrurS:o
.ior,.,o,, uo trodar o1 I0I uollJas
B uaq^A'V
((s)Z red :ia1) Surlrodar
'r?sn
lrJueuu la^o lolluol lEulalul 's3rlrlua uo
slolluos
ol tu^alal aq ot ,{1a1q lou ale llllp
qlr'r'r'8utl:odar
ioi"oto"t to ,.punBuurodar
slolluol s'uollEz
or r.ro,rr1a, ,q ot dla{ll alE ]eq]
Burt:odar
-rrr,:3.o ar.nris e uo avSS srqt rapun
saulquol leql panssl
r3sn ol 1uAa
l3AO
lEulalul ,salliluJ
lorluoJ
pull s?^11
{al aq ol d1a1q lou (slorluol p3lelal
:laql
-ra[qolorlr,or lue.lalarSurpnpul) saJl^las
aql 1o
rualsds s,uotleztue8ro a:luas
slsal rilloJ
-ord uodn-paar8e uE J3qll3 ul slolluol Jo
uE sV slorluoJ
-:ad deu :auoutl:urd aqt 'antleutallB
uo Ftrrurdo utoll ldl
lo ssJuJ.\rlJJllJ Sutlc:ldo rqt
1,nnr r.^r,l.l'.pn1:ard {1''>1t1 11rm
u31s:p1o At111qe
atruasqr aql
Jo
-,,n, aap ot ,trd,,l qlll\ uolllssse
tloltuoc;o u8rsap
'rra.,anr,.aI, C"r,nrado '"tql pttt
*ru,{, ,q,
sl
-ruEx3 uE Ul
"rrd
ol a8enBuel aqt Surdolalap
-rr.d aqt r,, pasn
"q
'tuauraBe8ua'relnrtlrcd aql Jo saluelslunfilJ
a.1, ut dtrtnrra,ro,
uorlerqddu
lo ldatuot aqt 1o
flu
Surtrpne
-ded e 'aldruexa rog sarnpacord
aJuapl\a ol
.arn:lo ,"wnl",ra lollpnE rasn aql lEql
suollJsuzll Jo s3ssell
ureuad deu ro 'salnsopstp lo
a:nso1:slp pue uoll
's?JuElBq lunoJfe ol Sutlelar
deut slorluoc
-o,rarard tnoqr suoluassu ol utel.tad
(suollJ3s nV)
aqt apr,rord ol papualul arB lq]
uourclldde
sprepuuts Suurpn ol s3lualsJal Jo
alrlar (1eryreds
lolluol lEuralul ol
-ueuq r?^o
J1.11
Il
3lll'uodll
7 rd'{l
rscJ
1o
aql Jo
ul
rql
SSaur
3ql sa^i
'uoud
lltttt
3o
ol pouad
p,p .1ortuo.
uoudl
JO
ot 8un:
jo suol
9E
siq roj
::ii"'':1i: t
Jo
a'ratqrc
sa,nt:alqo lor]uol p?]lll3l aqt
rnoqStto'rqr'{l'r^rllqlr rlcr:tlo lou
oli,rrai.qr
11813^
is provided in paragraphs .23-.34 of AT section 101. Paragraphs 14-16 of this SSAE discuss the criteria for evaluating the fairness of the presentation of management's description of the service organization's system and the suitability of the design and operating effectiveness of the controls.
A12.
with
by entity, reflecting influences such as size and ownership characteristics. Such diversity means that it is not possible for this SSAE to specify for all engagements the person(s) with whom the service auditor is to interact regarding particular matters. For
In such cases, identifying the appropriate management personnel or those charged with governance from whom to request written representations may require the exercise of professional judgment.
A14.
following:
. Knowledge of the relevant industry
. An understanding of information technology and systems
. Experience in evaluating risks as they relate to the suitable design of controls
. Experience in the design and execution of tests of controls and the evaluation of the results
A15. In performing a service auditor's engagement, the service auditor need not be independent of each
description of the service organization's system provided, including the relevant control objectives and related controls at the subservice organization, the service auditor is unable to use the inclusive method
A13. If one
to
Pe
r.fornt the
as the
Or)
opn
Jair,
oJm
desc
servl
otSa
syst(
cnd
rep0
Al8. Conrrol
Opin
suitdr
desig
oper6
elJect
(type
Management's Responsibility
for
Documenting the
9(c)(i))
A16. Management of the service organization is responsible for documenting the service organization's system. No one particular form of documentation is prescribed and the extent of documentation may vary depending on the size and complexity of the service organization and its monitoring activities.
Reasonable Basis for Management's Assertion (Ref: par.
7, definition of
will
A17.
par. 12)
A20. A request to change the scope of the engagement may not have a reasonable justification if, for example, the request is made
. to exclude certain control objectives at the service organization from the scope of the engagement because of the likelihood that the service auditor's opinion would be modified with respect to those control objectives.
. to prevent the disclosure of deviations identified at a subservice organization by requesting
ness
of controls in support of
as5c rl
ion.
management's
r proccss
o assL ss
situations that may cause management to be unwilling to provide the service auditor with a written
A19. A recent change in
J6
urog'nsuelunocceloleuJno J'rwrl/l^
.{
luos'A3u
Suus:nba.
'pa,r.arq:e Suraq urorl uortdu:sap aqi ur patcls
'slolluoJ aql
jo ssauattJala Sutterado
-nuapl
ra11lp
ar{l Jo
3ll^las
qr4\
3r{t
Iq
'nlnnr
'(suoda.t
lolluol
Jl uI3ls,{s
sloluol 3rll
patEts sa^ulalqo
aql Jo
su
-,uas aqt
pJ,r3^ol
1atIftS u8sap
patj
3Jl^r3S a
-aBu8ua
r',r.1r' c
lo]tuol rql
aql
lo {tt1lqotlns
uo uorurdo
roJ
Jl uol
-a8p8ua
:Jau) lueu.
ig1 rrd
3qt l33ru
3q1 uBIs '
juautaBB
B
llhun
ac
1o saldu-rr
loIpnB
-uEiII UO!
se paqdde
u01l_lrssv
'pa^arqJE
's)isrJ
ue asudru
.pouad
psr]rJads aqt tnoqSno:qt
pa^arqJe aJa,r
alqeuosEar papnord
^-. - .^,._---,,.I^
^^^,-.
dql
>uuLuLu(, d>dLll
aq-L
s uonpzrueFro
uats,{s s,uonezrue8ro
arl^las aqt Jo uoudursap
^ -,.^.,,^a-.,-,,,
>.luJuJouuL:u
ur p?lEts salrtralqo
arueJnssE
JOJ
ruo{
rualsls s,uorlBZruu8lo
alt,\lJs 3r{l Jo uorldu:sap
s,luarua8euBru ul patEls
uoltdulsap
santlalqo lortuol
^llllqllllns
uallul\
'slolluof
aql Jo ssau3^uJ3lJs
Surturado puu u8rsap aqt
uo uorurdo ue Suruuo3
se alqetrns 3q tou plno,4A
santca[qo lor]uor asoqt
uaqt 'patuasa,rd dprrj tou
ere uoudr:rsap aqt ur
patets saNtraIqo [o:tuo:
aql leql sapnlJuol
lolrpnE 3fr^.i3s
oqr.;1 ruaura8e8ua or
iuarua8e8ua
allt Jo
s,tuauraScusru ur patEts
lo]
Er_t3]utr arp
uaq^\
aqr
aqt
Suuu
uaq^\ sslr
-uapr lnJl
allal s
o1
ssarppE 0
JO
r3qt Jo
Jo aJue)u
uralstrs s,uorlezrueS:o
art.t.las aq] Jo uottdu:sap
^-,.^,,.^a-.,-,,,,,, uL
>.turudouuEuL
'(sttodat
Z ?d{1)
Suqopdo
ssauanpa$a
puo u8sap
lo
tr!1tc1orns
uo uorutdg
'lualuuoJnua
reln:rlred
u,{\o slr ur lurlrodurr
ltrtua rasn lenpl^rpur
.r3prsuoJ .{uur
lBuuoj
-rojur l0
s,uorlezru
-uEur ul p
u3tE3,iqt
sr tuJua
tf,arloJ a
-:alqo lor
aqt ul Jo
-suu,rl
a:lu:s :qt
l
l
sloltuoJ
'u
pJrEClaJd sr Luals,{s
O] SSSSJ]C
3lrl^\
-rlsqns
aql
lo sllet3p
BIJA}ITJ
luauuro)
3ql,uoq stuosald
'patuasald
s.loliprle
'suoltrnlr
'6ltoda't
puz'uodar
::t.as aqt,{q
aur
lEul3tur I
3ur:olruo
Z ?d& put)
?df,D l'/r.a${s
-uour Sur
3rl-L tus
pue stuie
s,ttollDzruDSto
srualqo.rd
?)!L]ds
uoqnluasotd
s,luewaSouotu {o
ot tuE^3l3l aq ot
sl
^l3lll
tEllt Luats{s s,uonEzrullSlo
s,tuaut:3ruuy,1
?qi
lo uoltdl.tis?p
^ll
nol
uo uoruldo
os1u,{uru
-r8ro aln
suoulunJ
lEUratul
.rrlnBar a
lEuuou 3
SuroEu6
rallul tralqns
a change from the inclusive method to the carve-out method.
A21. A request to change the scope of the engagement may have a reasonable justification when, for example, the request is made to exclude from the engagement a subservice organization because the service organization cannot arrange for access by the service auditor, and the method used for addressing the services provided by that subservice organization is changed from the inclusive method to the carve-out method.
Assessing the Suitability of the Criteria (Ref: par. 13-16)
A22. AT section 101 requires a practitioner, among other things, to determine whether the subject matter is capable of evaluation against criteria that are suitable and available to users. As indicated in paragraph .27 of AT section 101, regardless of who establishes or develops the criteria, management is responsible for selecting the criteria and for determining whether the criteria are appropriate. The subject matter is the underlying condition of interest to intended users of an attestation report. The table on page XX identifies the subject matter and
of clc-
as
appropriate. These elements may not be appropriate if the system being described is not a system that processes transactions; for example, if the system relates to general controls over the hosting of an IT application but not the controls embedded in the application itself. (Ref: par. 14)
A24. The requirement to include in management's description of the service organization's system "other aspects of the service organization's control environment, risk assessment process, information and communication systems (including the related business processes), control activities, and monitoring controls, that are relevant to the services provided" is also applicable to the internal control components of subservice organizations used by the service organization when the inclusive method is used. See AU section 314, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement (AICPA, Professional Standards, vol. 1), for a discussion of these components. (Ref: par. 14(a)(vii))
Materiality (Ref: par. 17)
to
92
tor (R
432.(
the ser
MCNL
tem is
.Do
col
au(
tiolls.
brc
management's description of the service organization's system omits or distorts relevant information.
nal
Thr
.
.
vide reasonable assurance that the control objectives stated in management's description of the
identified. This is because, in the particular circumstances of a specific user entity or user auditor, a deviation may have significance beyond whether or not, in the opinion of the service auditor, it prevents a control from operating effectively. For example,
relates to the
rial respects, whether controls at the service organization are suitably designed in all material respects
ance,
achieved.
t'tut.r.tber
trol ob
ot ltse
ma
reports.
CTIOIS
of control objectives, they may nevertheless be necessary to achieve the specified control objectives
A29. Management's description of the service organization's system includes "aspects of the service organization's control environment, risk assessment process, information and communication systems (including relevant business processes), control activities and monitoring activities that are relevant to the services provided." Although aspects of the service organization's control environment, risk assessment process, and monitoring activities may not be presented in the description in the context
.
.
inc
the
tie:
Ist
tha
inft
oft
service organization who, in the service auditor's judgment, may have relevant information
sen
ber
Observing operations and inspecting documents, reports, and printed and electronic
AI
trol
Ist
doe
afler
toIs
any
rega
tor i
Doe
char
the
Hav
'
Arer
ing
actu
adec
woI(
trol
achieved.
achit
Absolute assurance is not attainable because of factors such as the need for judgment, the use of sampling, and the inherent limitations of controls at the
alonr
achie
beca
auth
coml
alonl
cann
alone
and
trols
objer
conf
This
c0nti
descr
lfthe
descr
sen ir
r.ice
used.
that
g6
'gtry
Obtaining Evidence Regarding the Operating Effectiveness of Controls (Ref: par. 22-27)
From the viewpoint of a user auditor, a control
loluoJ
aqt ot patlar
sloluor teql
,{1a>111
"ras
qlqa
ot suon
-llllr;
dELu
sr
rrlnIlred
tl
3qt s3ss3lppE
srotrpnr lasn
lo
s3rl
pue stuaruatBts
lErluBuu
[uoe'^3r
lo
11m d1
aI
jo
B
aql '9V
ur
p3r
lq
pa.narqre aq touueJ
aqt qrr,$ 3uo1e
llrads
l:sn
luol
laqt
asnzJaq
Surssaco:d Surp:e8a.r
pur.{l1od s,uouuzrue8ro
suotsst
aqt Jo sel
E pu
uorsnll0J
lou
al3,tA
puE
uou
tou
sa"rrnba.t tuarua,rarqJu
1r
i3,lE,r\B sr -rol
qlq,tlo
JO
-uollu3lur
puE 'uoll
relnlued
loltuol aqt
ara,r
-ualurun
'oslY 3ln
sr lollpnE
rlJnur asn
ol,tl3^tl
3,r8
SIoIU(
aqt
3q1
raqtz
lc sloll
-ruPsJ0 Js
-JEJ JO asn
'pa^3lr]JE
ul
ssJuElsl
1o uortdur
Surt:atap.l
-a8eBua a
'tu:ua8uSr
quo
qluauaE
Jo slrElap tue^313r
S3AIl
se
-lquroJ ur asn
.spaau
ltlllqlsuodsar aqt
a:e sa,utrafqo
'aroJalaqt 'touuEJ
uoc'^cuelunocceloleui nol'/vvvvv\
prqt
aqt
-uof
'uoutuaunlop raqto
Jo
-nuJ lJSn
-uor
itI
-:alur
1o
tu3rJq1rls
qtl^ srolpne
Jo JJUll
,{uur sa:np:
i0Iuo
ot saulu3
uaa.rtaq s]
lruollJ?la
-nrop
3uu
uorlEtxloJu
-rpnf, 3Jrru:
3q1
urqlrrr
Ieu
g7y
3qt ulutqo
-ulot
asaql
'sa,utlalqo
Surturado :
uaIEl'SIollr
Jll^,l3s 3ql
ur s3DuarJU
sa,rrt:afqo
-Jau 3q ssJl:
txatuoJ aql
LEu saul\u:
)isu 'tusuru
aqt 1o st:ads
lullr\3lal 3,i9;
uOU
sUals,{s
(sa
lo]]uoJ
lu3LussassE
aJr^l3s aql
alluas
-e8ro
if individually or in combination with other controls, it provides reasonable assurance that material misstatements whether due to fraud
is operating effectively
would
affect
entities.
Therefore, from the viewpoint of a service auditor, a control is operating effectively if individually or in combination with other controls, it provides reason-
requir
3t-32)
4J4.1
,i)
in
a position to determine whether any observed control deviation would result in a material misstatement from the viewpoint of an individual user entity (Ref:
A41.
A46. An internal audit function may be responsible for providing analyses, evaluations, assurances, recommendations, and other information to management and those charged with governance. An internal audit function at a service
as
evi-
effectiveness,
related to the services and systems, including controls that the service organization provides to user
entities.
is less
than six months is unlikely to be useful to user entities and their auditors. If management's description
structure of the service organization and the requirements of management and those charged with gov-
service auditor's report may include that information as well. Circumstances that may result in a report covering a period of less than six months include the following:
. The service auditor was engaged close to the date by which the report on controls is to be issued, and controls cannot be tested for operating effectiveness for a six month period.
. The service organization or a particular system or application has been in operation for less than six months.
. Significant changes have been made to the controls, and it is not practicable either to wait six months before issuing a report or to issue a
This may include controls relevant to the services provided to user entities. The internal audit function may be assigned specific responsibil-
Evaluation of the economy, efficiency, and effectiveness of operating activities including non-
assigned to review the means by which the service organization identifies, measures, classifies,
thereto.
service auditor's conclusions (for example, the significance of the risks that the controls tend to mitigate), the evaluation of the internal audit function, and the evaluation of the specific work of the internal auditors. Such procedures may include the following:
• Examination of items already examined by the internal auditors
• Examination of other similar items
• Observation of procedures performed by the internal auditors
OFFICIAL RELEASES
Organization
is
responsible
tl-Le
for preparing
the
Opinion
control objectives and stating them in the description, identifying the risks that threaten the achievement of the control objectives, selecting the criteria,
and designing, implementing, and documenting
controls to achieve the related control objectives
stated in the description
a.
b.
ro
c.
[date]
to provide reasonable assurance that the control objectives stated in the description were
achieved, operated effectively throughout the
period [date] to [date].
Description of tests of controls
The specific controls tested and the nature, timing,
and results of those tests are listed on pages [yy-zz].
Restricted use
Scope
An examination of a description of a service organization's system and the suitability of the design
trols and results thereof on pages [yy-zz], is intended solely for the information and use of XYZ Service
service organization for use in a type 2 service auditor's report when the control objectives have been
tion) and the suitability of the design and operating effectiveness of controls to achieve the
related control objectives stated in the description. The description indicates that certain control objectives specified in the description can
be achieved only if complementary user entity controls contemplated in the design of XYZ
Inherent limitations
tiveness of those controls that we consider necessary to provide reasonable assurance that the related
Example 2: Type
To: XYZ Service Organization
The following is an illustrative paragraph describing the basis for the qualified opinion. The paragraph would be inserted before the modified
opinion paragraph. All other report paragraphs are
unchanged.
Basis for qualified opinion
The accompanying description states on page [mn]
that XYZ Service Organization uses operator identification numbers and passwords to prevent unauthorized access to the system. Based on inquiries of
staff personnel and observation of activities, we have
Opinion
In our opinion, except for the matter described in
the preceding paragraph, and based on the criteria
described in XYZ Service Organization's assertion
on page [aa], in all material respects...
Example 2: Qualified Opinion-The Controls
are not Suitably Designed to provide
Reasonable Assurance that the Control
Objectives Stated in the Description of the
Service Organization's System Would be
Achieved if the Controls Operated Effectively
The following is an illustrative paragraph describing the basis for the qualified opinion. The paragraph would be inserted before the modified
opinion paragraph. All other report paragraphs are
unchanged.
A70.
System
The following is an illustrative paragraph describing the basis for the qualified opinion. The paragraph would be inserted before the modified
opinion paragraph. All other report paragraphs are
unchanged.
Basis for qualified opinion
XYZ Service Organization states in its description
that it has automated controls in place to reconcile
loan payments received with the various output
reports. However, as noted on page [mn] of the
description of tests of controls and results thereof,
this control was not operating effectively throughout the period [date] to [date] due to a programming
error. This resulted in the nonachievement of the
Opinion
Opinion-The Service
provide reasonable assurance that changes to existing applications are authorized, tested, approved,
properly implemented, and documented."
Opinion
Scope
unchanged.
Basis for qualified opinion
computer processing service organization. Our examination did not extend to controls
of the computer processing service organization.
e paragraph describing the basis for the qualified opinion. The paragraph would be inserted before the modified
opinion paragraph. All other report paragraphs are
Organization's controls to achieve the related control objectives stated in the description. ABC
Subservice Organization is an independent serv-
recorded, processed, corrected as necessary and transferred to the reports
presented to user entities of the system.
(3) the related accounting records, supporting information, and specific accounts
that are used to initiate, authorize,
(7) other aspects of our control environment, risk assessment process, information and
communication systems
tor to investigate the nature and cause of any deviations identified, as does paragraph 28 of ISAE
3402. Paragraph 27 of the SSAE indicates that if the
service auditor becomes aware that the deviations
resulted from intentional acts by service organization personnel, the service auditor should assess the
risk that the description of the service organization's
system is not fairly presented and that the controls
are not suitably designed or operating effectively.
The ISAE does not contain the requirement included in paragraph 27 of the SSAE. The Auditing
Standards Board (ASB) believes that information
about intentional acts affects the nature, timing, and
extent of the service auditor's procedures. Therefore,
paragraph 27 provides follow-up action for the service auditor when he or she obtains information
about intentional acts as a result of performing the
procedures in paragraph 26 of the SSAE.
Paragraph 36(c)(ii) of the SSAE, which is not includ-
to request written representations from management that it has disclosed to the service auditor
knowledge of any actual, suspected, or alleged
intentional acts by management or the service organization's employees, of which it is aware, that could
adversely affect the fairness of the presentation of
management's description of the service organization's system or the completeness or achievement
of the control objectives stated in the description.
2. Anomalies
Paragraph 29 of ISAE 3402 contains a requirement
that enables a service auditor to conclude that a
deviation identified in tests of controls involving
sampling is not representative of the population
from which the sample was drawn. The SSAE does
not include this requirement because of concerns
about use of terms such as, "in the extremely rare
circumstances" and "a high degree of certainty."
These terms are not used in U.S. professional standards and the ASB believes their introduction in the
SSAE could have unintended consequences. The
ASB also believes that the deletion of this requirement will enhance examination quality because
deviations identified by the service auditor in tests
of controls involving sampling will be treated in the
same manner as any other deviation identified by
the practitioner, rather than as an anomaly.
3. Direct Assistance
Paragraph 35 of the SSAE requires the service audi-
(4) how the system captures and addresses significant events and conditions,
4. Subsequent Events
With respect to events that occur subsequent to the
period covered by the description of the service
organization's system up to the date of the service
auditor's report, paragraph 42 of the SSAE requires
the service auditor to disclose in the service auditor's report, if not disclosed by management in its
description, any event that is of such a nature and
significance that its disclosure is necessary to prevent users of a type 1 or type 2 report from being
misled. The ASB believes that information about
such events could be important to user entities and
their auditors. ISAE 3402 limits the types of subsequent events that would need to be disclosed in
the service auditor's report to those that could have
a significant effect on the service auditor's report.
Paragraph 43 of the SSAE requires the service auditor to adapt and apply the guidance in AU section
561, Subsequent Discovery of Facts Existing at the Date
of the Auditor's Report (AICPA, Professional Standards,
vol. 1) if, after the release of the service auditor's
report, the service auditor becomes aware of conditions that existed at the report date that might
Auditor's Report
The SSAE requires the service auditor's report to
of management of the service organization.
it does not prohibit the inclusion of restricted use language in the report