OpptctAr RnLEAsES

SSAE NO. l6...CLARIFIED STATEMENT ON AUDITING STANDARDS

SSAE NO. 16

Statement on Standards for

Attestation Engagements-Reporting
on Controls at a Service Organization

b.

rvhen management of the servicc organization

is not responsible for the design of the system

(for example, when rhe system has

ment, the controls operated effecrively to pro-

vide reasonable assurance that

tl-re control

been

objectives stated in management's descnption

designed by the user entity or the design is stipa contract betrveen the user entrty and
the service organization). (Ref: par. A4)

of the sen.ice organization's system were

achieved throughout the specified period.
report on the matters in 6(a) in accordance with

ulatccl in
(Supersedes the guidance
fot' sewice auditors in
AU section 324, Service Organizations IAICPA,

3. In addition to performing an examinar,ion ol

Professional Standards, vol. 1J)

sen-ice organization's controls, a sen'ice auditor may

be engaged to (a) examine ancl report on a user entity's transactions or balances maintained by a serv-

DEFINITIONS

INTRODUCTION

ice organization, or (b) perform and report the

have the meanings attnbured in the subsequent rext:

results ofagreed upon procedures related to the controls of a service organization or to transactions or
balanccs of a user entitl' maintained by a senice

Carve-out method. Method ol addressing the

semces pronded by a subsen'ice organization rvhereby managementi description of
the sen'ice organization's systern identifies
the nature of the seruices performed by the
subservice organization and excludes from
the clescription and from the scope o[ the

Scope of this Statement on Standards for

Attestation Engagements

This Statement on Stanclarcls for AtLestation

nts (SSAE) acidrcsscs examinarior.r

engagements undertaken by' 2 5c6'i6g auditor to
report on controls at organizatltns that prot,idc sen.
Engageme

ices to user entities tvhcn thosc controls are lil<cly

to be relcvant to user entitics'internai control over
financial rcporting. lt complernents AU secrion 324,
.Scrlicc Or.ganiirrf iorrs (AlCPA, Professionctl Stantlards,

vol. 1), in that rellorts prepared in accordance lvith

this SSAE ma;'proviclc appropriatc et idence r:ncler
AU sectior-r 324. (Rcf: par. Al)
2. Thc focus ol rhis SSAE is on contro]s ar service
organizittions likcl1'to be rclct':rnt to uscr entitics'
internal conLroi over fin:rncial reportir.rg. The guiclancc hercin also may be hclpful Lo a pracririolte r pe rforming an cngageutcnt uncler AT'sectior.r

I0l , Aucsf

Errga.gcrrrcnts (AICPA, Pri;fcssionrri Stc-indartis,

r'ol. l),
to rcport cln controls at a service organization
d. other than those rl.rat are likely ro bc relo'ant to

organizatior.l. Horvever, these eng:rgements are not

addressecl

of the sen'ice organization (also refcrred to as managernent) rvill proviclc rhe service auditor rvith a
rvrilten .rssenrtrn tlt.rr is inclrtded jn or rltrchcd Lo
man:lgernent's clescription of the serr.ice organization's s1'5gc11. Paragraph 10 oI this SSAE aclclresses
thc circumstance in rvhich managctnent refuses to
provicle such a written assertion. AT section lOl

for periods cnding on or alterJune 1 5,

ir.nplenentation rs permittecl.

or controls that affect uscr entiLies' production

or quality controi). AT secLion 601, Compliutcc
Atrcstdtion (AICPA, Professional Stnndarzls, vol.

OBJECTIVES

'

rr

ing (,n

requircrlents or on its controls over compliance

re quirenenls. (Rcf: par. A2-A3)

Coplright @ 2010 by Antcrican InstituLc oJ Ccrtifietl

Ptltlic Accotutcnts, /rrc., Nov )brir, NY 10036-8775.
All riqhrs rcscr.r,cd. For informutitn about thc ltrocedtue
Jin' rcqcstittgpctrlissio,l to nttrl:c coltics of any ptu-t o.f
this ruorlr, pleasc visit rvtvrucopyrighL.cottt
8+

or

cc

rtai Ii In

r nct t

ional

i.

ii.

Accoutllatlts (IFAC) copyrighL nrtttt'icrl, ustd with thc

82

Journal ofAccountancy August 2010

rclated controls. Managemenfs descnption

oI the sen'ice organization's system and the
scope ol the senice auditor's engagement
incluclc c,'ntrols al thc scrvice organizrtlon
that n.tonitor rhe effectiveness of controls at

objectrves statccl in management's description of the service organization's system, are

iclentified as such in that description.

Control objectives. The aim or purpose of

tem that tvas designed and inrplemented

throughout the specifiecl period (or in Lhe
case ola tlpe I reporr, as ofa specified date).
the controls related to the conrrol objecrives
statcd ln management's description of the

implemented, and clocumentecl by rhe sen-

management's description oI the service

organization's system lairly presents the sys-

ilied

iii.

Controls that management of the service

organization assumes, in the design of rhe
sen ruc providcrl by r he senice orgrnizJl ion,
rvill bc implementecl by user enriries, and
rvhjch, if necessary to achievc the control

specilrcd (onlrols :ll the scrvi(e organizatlon. Control objectives address the risks
that controls are intended to mitigare.
Controls at a service organization. The policics and prot cdurcs at I scnice organization
likely to be relevant to user entiries'intern,rl control orcr linrncirl rcporrrng. Thc>c

service olganizatiol.l's system were suttably

clesigned throughout the specified periocl
(or in the case ofa type I report, as ofa spec-

r ation oJ

permissiott o.l IFAC.

1. Earlier

6. The objectives of the sen'ice auditor are to

obtain reasonable assulance about rvhether, in
all material respects, bascd on suirablc crireria,

call (978)

F e dc

2O 1

a.

0. fhi.s St.rtcnien t o,1 St tut tl ards.l tn Att csLation

Engaecnerr t.s l.ses

service auditor's engagement, the subsemce

organizaLion s televant control objectives and

Complementary user entity controls.

5. This SSAE is effective for senice aLlditors' reports

rcp(

7. For purposes of this SSAE, the following terms

sen,icc auditor is required to rcport directly on the

subjcct matter.

entilics' conrpliancc rvith speci[icd requirements

of larvs, rcgulations, rulcs, contracts, or grants,

pra61111st.tc.1 1r

the senice auditor's findings.

the subservice organization, rvhich n.ray

includc management of the service organization's re\.icw of a serwice auditor's report
on controls at thc sultsen ic( orglnization.

Effective Date

b.

inditrlus thrt wlrcn l)crft'nning Jn :lltcsrati()n

engagentcltt, a practitioncr may rellort directly on
(\t
thc
'ulrjcrt nlJltcr on miltage mcnt s JSS(flion.
For cngagements conducted under this SSAE, the

rvrrh specified

SSAE.

user entities' internal control over finrncial

an entity's orvn compliance rvith spccified

75 0

in this

4. The requircmer-rts and application matenal in rhis

SSAE are based on thc premise thar managentenr

reporting (for cxantple, controls thaL affcct user

I ). r5 rpplic,rhJc i[

claLe).

rvhen inciuded in the scope o[ Lhe engage,

policies and procedures are designed,

ice organization to pror.ide reasonable assur-

ance about the achievement of the control

objectives relevant to the sewices covered
by the sen'ice auditor's report. (Ref: par A5)

Controls at a subservice organization. The

www.jou rna lofaccountancy.com

rww

eg dJuElunorJvJolEurnof

0I0Z lsn8nv

1,ra

-? alqlBaqtu3rearqtrr:qlqsuaqlSulljllurPl
^

slo:luoJ Jo ss:ualtt:aLJa Sutletado 3lil alEn

aqr ur p3trts s3^ltJalqo lorluor aql Jo luatu

sa,ttt:a[qo

or pau8rsap arnparo.rd y 'slolluor Jo lsaf

'Sutl"ioda: lltruEuU

ale lEql satltlua .rasn

ot iupl3l3l aq ot
^lalllaql aruos ru'iolracl
ot papr,to:d saJulas
;o
ot uolezturS:o a:truas raqlouu Lq pasn uol1

oqr ur 3ur,(3uuapl '(dpoq luuorss:1o:d e

ro clnor8 rasn e 'aldruexa ro;) dtrrd .raqlouc
.ro 'uottuln8ar ,tr1 dq paitr:acls are salu
-ralqo iortuo: arlt Jl 'puc 'uta]s{s s,uotlBztu
uortdt:rs:p stll ut Luaql
-r8ro all :s aqt

.l3ro loJluoJ ll?uralut ,sauuu3 lasn asoql

aqt 3urd3r:ads dlred aqr uondrlcsap

lortuor

.1o

-czrueS:o

alulas V'uo1lez1ue8ro all^rasqns

(lIV

red :Jau) slortuor pall?l3r aql

sJ^ulJlqo lo.tluol Jql'(sJlt:lJl uollduJsJp

3qr qrlll,tr ol 311?p aql 'troda: 1 adll u jo
lo) satrlar uorldursap ar{l qllq,a

'uouasse
lo;
slseq aiquuoslleJ r 3utlr11 tr
str
(gIV red :J3ll) uourassE Puu

pue'1:tu:ua8ruuut lq parl:ads tou jl) sa^I]

-rafqo 1o:tuor aqt Surd3nads,(lred ?q1 {urd
aprstno uE ro tuaua8euuru dc1 pailr:ads

Suuets puu pasn aq ol rualr.n aql

,gurtets

's:,tt:a[qo lo]tuoJ aql 8ur,{1rcad5 ,u

'uoll]3sst aql uI

i11y

uortdu:sap

Lu3i{1

Sutll3las tll
"rud

:.1a111

ar{t Jo uoltEtuas3rd 1o poqlaru

pue 'l:e.rn::e 'ssaual:1druo: atP

8ur

-pnlJur 'uottlassu sll puE ruals^s s,uollezlu

dtrlrqlsuodsa:
,(c1 luaru

:3ur.tro11o1 atp .ro1

8ui'reclar4 I

-e8ro arluas aqt.1o uoudursap sll

sri Suttda::r pue Bur8palmou4re

-a8uSuo

aqtlo suuat aql ol saar8e luaLua8euvur

:;

'slotlpnE llaql
puu s3urtu3 r3sn or 1n1asn

:c1

aspJ aqt ur

{aqt teqt patnuq os aq lou llr,lr uials,{s s,uou

-ezrue8ro all\las alp Jo uotldurs:p s,luaul

sasn teql dttlua

uy

ro;

's1o.uuot

sau

Jo u8rsaP otll Jo [t1

Jo sseuontpa[c Suno'rado

u?sap atp {o [1111q11ns t41 pun walsfs

:.t^Jas n {o uotldutsap s,1uawa8o
Ltouiuu3p aqr lo (q) utd

1"Loda'4 1o

ur ot p?rJalal slallElu ?q] lnoqB uouJasse

'uoruasse quorlezlue8ro arlua5

ualrll\ y
q

luarua8uue141

'uolllzl
rasn

'Suttrodar lrtluEug l3^o loll

-uoJ lEUlalul .s3lll1u3 lssn 3soril ol luE^3l3'l
Jq ot A1a{ll 3,tl? qllq,t^ 'sallllua lasn ol s3JI
-mas sapuord teql uouezlur8ro ull Jo lu31u
-Fas:o uoueztue8ro uy 'uorluzrueBro arpr:a5
'uortrztuc8ro 3ltll3s E lB sloJtuo:)
uo strodar oq,tr:auotttlruld y 'rolrPnE aollraS
'Joar3ql slinssl aq1 pull slolluoi)
r sapnlllll ll
Jo stsat aqt Jo uottdu:sap
(rllXq)-(D(q) ul

sl3Ipur ?qt uo uorurdo ue sassardxa t

teqt troda: s.lollpne 3J1^-13s Y
'sa^uJalqo

lolluol

urog'^cu elu noccelol

eu J n ol'/vt/11/v1

uo paspq pue 'sttadsal lgll3leur llu ul

raqt3q^\ tnoqB uottBztue8lo alul3s oql

jo uondu:s:p s,tuaruaBeuell

uJlln,tr V
3o tuaura8eueru,(c1 uoutassu
'tu:ts{s s,uotleztueS:o al
-^las aqr

:3ur,tro11o1

uJoc'A3uell

3ql

'uorlPzl

(gV rrd lru

pal3^ol saJL

loltuol

:ql s:sucl

aql

-lnsse ?lqu0

luas aql '(q

'pau8rsap

as:q1 Surtrr
-lalul,sJllllr
uorlezuBS:o

-llod 3qI'ul
'aleFtt

$islr aql

ss

-ezrueBro a

'uottdr
ale 'ruats.{s

loltuoJ aql

puB

saunu

'uoneztue8rr

aqt 1o u8rs
3Jr^l3S aqi

'slorluoJ

uratsls s,uortrzztue8ro arn-ras

aqt .;o uottducsap s,luaura8eueru

t ed&

.1o asod:nd

01

-ezrurS:o aJr^Jas 3qt Jo uortdu:saP

s.tuarua8putru ut patets sa^tllaLqo
loJluoJ aril ol palBlal slo,tluoJ aql ll
'atep par.3rcads e;o su paluaualchut
uials{s

pue pau8rsap ser'l teqt

s,uouezruuS:o aflr\,loS 3Lil sluasr.td

,(1.rre1

'uoneztueB

'EIl3llrJ alqEllns

uo p3seq pue 'st:aclsar lEIJalBut lle ul

'laLpaqa tnoq[ uotteztueS:o a:n,lras :ql
q
1o tuarua8uueur dq uott:asst uallll,tr V
'urals,{s s,uouuzturBro alt
-^Jas 3qt.1o ttortdu:sap s.luarua8eurll u
:3ur,lr.o11o1 aqt sasuduror leql t.roda: y
ol parral3r)
'1l,todt.t

y se EVSS slqt ur

slorluoJ 3o u8rsap arll Jo dlllrqzrrns

aqt pue rua1s.,{s quol}ezrueSro alt,r:as
e 1o uorldursap qluaua8eueur uo lrodaU
(0lV red :l3U)
'slolpnu luuraiur lq pau:oyad asoLp o1
rBllrxls s3rtl^lllE [uo1:ad oqm'luautlrudap
,ro aruetldruol B Jo sracpuau 'a1cl
>1srr

-1XX3 rOJ'Slsqlo pull

sloltllnu leul?lul s.uoll

-ezruc8ro alu:s aql 'uorlJunJ lrpnE IeuraluI

16y-1y rrd
:JoU)

sloluoJ patrlar pue saltl:a[c1o lol]uoJ

11:.tr se

trodar s,tot
-ruu3:o atu

,{Etrl qJlqN
tP slo-i]uol

uouBztueBr
tuauraBeBu;

aqr pur rua

uoudursap

pur salu:aI
3frl"iSsQOS:

aqr 1o ado:
ulo.u sJpnl
aqr dq p3
saurluapi
3o uotldt'tl
-ezrueS'to

aqt Surssar
:lxal luanb
srutat 8ui,

sB

uonuzrueS:o alt,l.lasqns aql ,(q Papt,l.

latl)

alulJs aql qctq,t

tsute8u

qlr.A\ sJuet

ala,{ ual
uoudursap

lo.ltuoJ a
-orcl ol,(1ar

"Ilalu]

LLt3lsAs

3sJqI uoltczluxSro art,r:as 3q1 Jo sallllu3

.iesn 1o Surtrodar 1?lJueuu ,l3Ao lo-lluol lru
-Jalul o1 :lue^?lal 3ct 61 ,(1:lll uotlrzturSro

s,uonezrueS:o 3fIAJ.ls 3ql $uasa:d

dl.rrrj urats{s s,uortrzrue8:o aluas

aqt 1o uottdtrrsap s,luauia8uueu

uottdu:sap s,luatua8euttr

olJ s::rrurs :r-1t 1o Jrn lru Jq I Jo uot lclu.rs:p

ut:ls{s s.uoilzzrucBro aJhras 3r{1

u sapnlcur

1o uoudursap s tuaruaBeueru ,{qa:ati.tl uotl

-rzrue8lo a:urrasqns u,{q p:prnord sal,uas
aqr Surssa,ippe Jo poqtalN 'poqtaru allsnllul
:alleur tcalqns aql

(9V rEd

satniE^a Jottprlrl

ot pouacl

pue pau8rsap sE^\ ltqt

iueleiar s,uouuztueS-io al,uasqns 3lll

.

esor{l a^alqlE

ot por:ad p:r.;nads aqt tnoq8norql

{1a,ttra1;a pateraclo utatsds s,uotl
-uzrur8ro aJL\l3s aqt Jo uottdurs:P
s.tuaura8eurzur ut patets saltl:alqct
io,uuoJ 3ql o1 pslPlal slolluoJ aql lll
sa,ru:alqo loltuoJ ssoql 3,\alqlE
p:r..1r:ads aqt tnoq8norql

puu rcrtr:ru tralclns :qt luasa:cl puu 3lnseJlu

ot ll3sn $llEruqlu3q lo slllupuEls aql

pau8rsap dlqurrns 313,{ Lu3lsAs s,uoll

s,tuarua8rueur uI palels sa^uJalqo

lo.lluoJ aril ol p3lEisJ SlolluoJ 3l.il ll
.pouad po11!

alquuosr3r apu.o:d ot uotlrztue8lo aln

-:asqns e lq parualunJop llLlE 'palu:rualclut
'pau8rsap are s:rnpa:ord pue sar:r1od

-rads aqt tnoq8norql paluaualdurr

d1r1ua

-uro: reqr trocla,r V (uod?,t 7 ad'(l e se 1y55

siqt ur ot pall3j3J) slolluolJo ssaua^rlJaJJa

sa,tnralqo lortuol asorll 3A3tt1l

ot por:ad Jqi 'paJa^ol salrllas aql

cl,{t u

ptn

s,uo11Dz1u03.to

3lll

3q1
(EIV-'IV

fteururtlard s,lollpne ?Jl^l3s

ol ruoq,t\ q1L{\ alnllnlls afu8u

:ql ut
3q1 sulLurelap plnoqs

asoql puB

't:odal s.:oltpne aJL\las 3r{l ,{c1 p:ralo:l

sJJr[ras ar{l ot tuul3[3,r arr lcq] s:,ttlral.qo
3lul?lnssE
loJlLtoJ Jo lu3uaA3lqJe 3Lp lnoqE

-uzrucS:o aJIAl3s 3ql lo uotldtr:sap

jo

Surlurado pue uSrsap aql 3o {lllqelrns

aqt pue ualsds quotluzrue8ro alrl-ras
u 3o uortduosap qluarua8uurur uo l:odaU
(r1)(q)-(r(q)
ur srailBur aql uo uoturdo ue sa
-ssa:dxa tuql trodar s.loltpne alr,\-r?s V l
':rcp porl:ads slll Jo sE
pau8rsap dlqetrns ar:,n uratsds s,uotl

-ltuapt tuatsds s,uotteztus8ro alrllss 3ql Jo

uorrdu:srp s.lu:ut:3eue61 trodal s"loItpnc
pata^oJ salL\las aql qll^a
3llras 3llt
^q
apl o:d ot uottuaueS-io a3u-l3s
aqt 1o tuauia8eueur ,{q 'paruautnJop pue
s3nilu3 resn

'patuarualdutt'pauSrsap sa:npa:o:d puu

sar:qod aq1 'uralsds quollzzruu8ro al.na5
'sp.nuot

ol dla4qun :rc

-llqDl1l1s ,q; pun tuats{.s \uoulzluD1to ::I^.os

t: t'o uotldtnstp ,iu?utz8DnDw tro i-roday ;o
uouruuap 3qr lo (q) t.Icd ui ol pallaJal sral
-tuur ?qt'r,rodar 1 addt u:o1'pue ilroda: 7

-a8zusru pur tuautaBe8u: aqt 1o aclo:s aql ttt

pue l{:essarau
tuatxa 3qt ot ?Juapt-\? aleudorcldu tuat:t1
-Jns ol ssaJlE 3^8q lll^\ Jolrpne a:)i^Jas 3r{l u
:srorpne llsql

-uotu no

puE sallllu3 Jasn papu3llll aql o1 alqElle^E

I
puE 3lqElInS ?q lll/\\ pasn 3q ol EIl3llJl
lrqi salztrrpur s3JuulstrtnJJrJ tuarua8e8ua aql
1o a8pal.uoul

':ed :;a5) tuarua8e8ua aqi rurol,iacl ol ::ualad

-urol pue sartlliqEder aqr seq loltpne all\las 3ql ,
(IV ld :1a5) jr ,(1uo uortuzl
-ue8:o a:n:as u tc slortuor uo uod:r ol luauto8e8u:
ue anultuor ro tda:ce plnoqs lollpnr slhlas Y 6
aJuunulluo) Puu ecuuldarrY

iTly red :l3U) paulsJuor srallBul aql

;o a8pap,roul pue ro3 salllltqlsuodsar a:luudo:dde
aqr a^q 1s;uosrad qrlq^\Jo uoller3plsuol spnlrul
slqf llElalul

plnoqs

-.ra.to8 :o luauta8suetu s,uoutzlue8ro a:t,uas

-qrla (s)uoslad ateuclorddr

rotipne altl-rJs aqt 'uorteztue8ro aJl^l3s aql Jo

llcl3lul asL,*-rJqlo lo 'qlL\\ 3leJlu
lu3ruaBpuEu qlL\\

-nuluroJ 'uro-rl suouEtuasa.rda: lsanb:: '3o artnbut

ot Jollpne 33L\laS 3Lp Sa:rnbal gy55 slql uaq1\ '8
a)uEuJ3AO9
qt1,n paSruq3

srNf uueulnoSu
-ue8ro allt-ras

dlgua rasn e 3o stuaut3lcls lellucuU aql uc)

T
suodal puv sttpnu oq^\ lol4lne uV olrpnu ras{l
'ruals(s s,uotleztuBBro
?Jr^i3s aqt

arhr?sqns e

'BLlalu:) 3lqBllns

ut patets santltafqo lorluor aql Sunalqre ur

tr

sa:np.t:ord pur: sairllod

s3sv313U lVlSlJJO

OFFICIAL RELEASES
description and designing, rmpler,renting,
and documenting controls that are suitabiy
designed

ar-rcl

operating effectively to proviclc

reasonable assurance that the control objcclives stated in the descnptior"r oI thc service
organizatior.r's systern

vi.

will

uate r.r'hethe r management's descriptron of the sen

sen'

ice organization s system is fairly presented, the

ice auclitor shoulcl detennine if the criteria inclucle,

at a mtnlmum,
whether management's description of Lhe

a.

control objectives stated

sen'

ice organization's system presents how the serv-

be achieved. (Rel:

par. A18)

ice organization's system was designed

Providing the scn'ice auditor u'ith

(1) access to all information, such as records
and documentation, including service
levcl agreements, of lvhich tnanagement
is alvare that is televant to the clescrip-

implementecl, inclucling the fbllowing in forn-ration about thc sen'ice organizatiol.l's systcm, if

i.
ii.

ol

Ihe proceclures, rvithin boLh autunatecl ancl

manttal s1'stems, by r,vhich services zue Provided, including, as appropriate, procedures
by u'hich transactions are initiated, authorizccl, recorded, processecl, correcLed

engagement;

(3) unrestricted access to personnei within

the setlicc organization from whom the
dcle

mlncc il

cssary',

a scope

iii.

is nccussrry

lirnitalion

iri

ancl

cngagemcnt, the service auclitor shouicl disclainl all

oplnlon.
Rd.prcst to Changc thc Scopc ty' the l-rrL.l.gcnicnl

12. [[ managcr-r.rent rccltlcsts

ur

changc in the scolrc

engagement, thc scn'ice :ruclitor should bc satisliecl,

belble agreeing to the changc, that a t'casonablejustificatron for Lhe changc cxists. (Rcf: par. A20-A2 l)

Assessing the Suitability of the Criteria (Rct:

par. A6 ancl A22-A23)
13. As required by paragraph .23 ol Af scction l0l ,
the service auclrtor sl.roulcl assess u'hetlrer manage mcnt hrs usccl suitable clitcria
a. in prcparing its descriptiol.l of thc sen'ice organization's s)'stem;
b. in evaluating whethcr controls n'crc srtitabl)'
designecl to achicve Lhe control olliectives slatecl il.r the dcscril.rtiou; ancl
c. in the case of ir typc 2 report, in evaluating
rvhethcr controls opcraLccl eff ectively' throughout the specified periocl to achieve the control
objectives statecl il.r the clcscripLion of thc scn'ice organization's systcll1.
14. ln assessing the suitabiliq'of thc criteria to eval-

84 JournalofAccountancy

August2010

ncc-

and transferred to the reports and

The related accounting records, rvhether

electronic or manual, and supporting information in\.olved in initiating, authorizing,
recording, processing, and reporting transactions; this inclucles the correction oIincor-

consequentll', lhe servicc auditor shottlcl rvithch arv

hom thc cngagelncr.rt. 1[larv or rcgulatiol.] clocs not
allou' the sen'icc attditor ro ri'ithclt:rq' frot.tt the

oI the cngagemcnt bcfore thc cot.upleLion of thc

as

other lnfbnnation ptepared for user cntilies.

to obtain evidence relevant tc.r thc sen'

ice auditor's engagelrent; antl
(4) r.vritten representations a[ the conclllsion o[ the cngaSeme]rt.
vii. Providing a u'ritten assertion that n'ill be
includccl in, ot'attached to managelnent's
de scription ol the sen'icc olganization's syslcrrr. and lrroviclerl to ttscr cnlitres.
10. lf managctnent lvilL not pronde thc scn'ice auclitor rvith a written .rssertion, thc sen'icc auclitor
should not circumvent the requiretnent to obtain
an asscrtion by perfbmrir-rg a senice auditor's
enllagement undcr AT section 101. (Ref: par. Al9)
II. \4anagement's subseclttcnt re[usa] to provicle a

written assertion replescnts

b.

Thc tlpes ofsen-ices providecl including, as

transactions
approl.xiate, the classes
proccssed.

and tl-re assertion;

(2) additional information that the sen'icc
auditor nay request from rnanagculcnt
for the ptirpose ol the cxaminatiott

lutlitor

ancl

applicable:

ion oI t hc sr'l \ ice orgtr l izrl lon s s) sl L rn

scrwiec

service auditor shoulcl detenlinc i{ the criteria

include , at a minimut.t.t, rvhether
a. the risks that threaten the achievetnent o{ the

b.

c.

rcct infoilnation and horv infonnation is

transfertcd to the reports and other in[orlll.liiLrn l)rcparc(l IOt ust t cttlittcs.

Ho$' the sen ice organization s systenr captures and aclclresses signi{icant events ancl
conrlitions r)thcr lhrn trxns.l( tions.
v Thc process used to prepate reports ancl
other information for user e nurtes.
vi. Thc specified control objectives and cot-tttols
dcsignecl to achieve thosc obectives,
incluclir-rg as applicable, colrlplementar)'
LISCr er-itity controis contctnplatecl in tl.re
cicsign of thc service organization's contlols.
vii. Other aspects of thc scrvice organization's
control environme nt, t isl< assesslrctlt
proccss, infort.nation and contmunicati.ott
systcms (inclucling the relatccl business
proccsses), control activities, and monitoring controls thal are relcvant to the scrviccs providccl. (Re[: par. Al7 and A24)
in the case ofa Lype 2 rcport, lvhethcr lllanagcment's cle scription ol the scn'ice organlzatiou's
systelr includcs rclcvant cletaiis of changes to
the servicc organization's system cluring the
pcriocl covered by tl.re description. (Re[: par.

in

me

20. Th

inquiri

nranagement's

dures r

clescription oI the sen'ice organization's system

have been iclcntifiecl by management.
the controls identiliccl in n.ranagemcnt's descrip-

been ir

tion oI Lhe service organization's s1'steil rvoulcl,

if operating as describcd, provide reasonable
assurancc lhat those risks rvould not prevent tlle
control objectives statcd in the clcscription fronr

service

being achievecl.

includt
other

are aptr

Obtain

Contn

16. ln assessing the suitability ofthe criteri:r to e\,alurrc rvlrctlrer ronlrols ol)er'.rlcd c[[cetircl1 lo pro'

2I.

vicle rcasonable assurance that the control ollectivcs

sary r0

in management's dcscnptror.r of thc service

agerner

statecl

organization's system were achieved, the servicc

auchtor should cletcnnine iI the criteria includc, at
a minimum, whethe r the controls were consistently applied as clcsigncd tl.uoughout the specifiecl peri-

Thr

the cor

system

we re su

a.

ocl, incluchng rvhether manual controls rvere appliecl

rder

mel

lr; intlir icltrlrls

rvho hrvc tlte appropriltc comltctencc ancl autholity.

mel
sysr

b.
Materiality

eva

inn

17. Wlrcn |1.rnning rncl

1r11[.rrp1111*

lhc .'ng]SC-

nizt

rncnt, the scn'icc auclitor should evalnate matcri-

ality with respect to the lair prcsentation of

maltagcnlcnt's clescription oI the scrvice organization's s)'stem, the suitability of thc clcsrgn oi controls to achig'c the lelatecl control objectives stated
in the clcscription ancl, in the case ol a type 2 report,
thc operaLing clfectiveness oI thc conLrcls to achieve
the relatecl control obicctivcs statecl in the clescription. (Re{: par. A25-A27)

Obtaining an Understanding

Obtain
Effectir

A40-A.

Assessi4

22. Wt
service
sel.,/ice

achieve

of the

Service
Organization's System (Rel: par. A2B-A30)
I8. Thc servicc auclitor should obtain an ttnclcr-

ment's

stancling ol the serl.icc organizirtjon's s)'stcm, il.tclucl-

engaSen

ing controls that arc

ir.rcluclccl

in the

sccryc

of

tl-re

engagemcnt.

tem and
rhrough
controls

tor a rec
ed rvith

od. (Ref

Obtaining Evidence Regarding Management's

Description of the Service Organization's
System (Rcf: par. A26 and A31-A35)
19. The sen'ice auditor shoulcl obLain anci rcacl
trrar.lagemcnt's clescription o{ the scn'ice organizartion's systcm ancl sl-roulcl evaluatc tvhether thosc

23. Wh

sen4ce a

service o

ed durir
changes

A++)

aspccts oI the clescription that arc rncluclccl in tl-rc

enttLles

rvhether ntanagement's clcscription of the sen-

scope oI the cngagcment arc presentecl fhir-ly includ-

should d

icc organization s systctl cloes trot omit or dis-

ing whethcr'
.r. thc control ollcctivcs statecl in lltanageneut's

nrzation'

tort

information relevant

to the servicc

organizatiou's s1'stcrn, whilc acknowle dging that

rnilnJgciltents dc'ctil]tion LrI lhc scrVit( (rlAil-

nization's syster.ll is preparecl to mect the colrmon ncecls of a broad rangc of user entitics ancl

b.

their user auditors, and may not, lherefore,

se n ice organiz:rtion's
systcm that each individual user entity ancl its
trscI iIrLIilor rn,t; consielcr lnl|orlant in ils own

llarticular environtnent.
15. ln asscssing the suitability ofthe ctiteria to o'aluatc rvhcther the controls are suitably clesigned, the

clcsclil.rtior.r of thc servicc organization's system

in

:ire rcasonablc in thc clrcumstances. (Ref: par.

A34)

describe

cor.rLrclsiclcntifieclinmanagcment'sclescriptiot-t
of thc sclr,ice organization s systern rvcre implerncr-rLccl. (Re f: par.

incluclc o'e ry aspect of the

c.
J.

ed in ma

435)

compleurcntary user cntity controls, il anl" 211e

aclequatcll' clescribccl. (Ref: par-. A32)
scniees |, r fo11llqql lrl ,l sttbscnicr ()rgdniz.llion.
if any, are adequately clescribecl, inclucling
li'hether thc inclusive method or thc carve-olit

wwwjou rnalof accou ntancy.com

the

and

dete

report.

li

achieven

descripti
test the

the sen''i,
relevant

stated in
dete

rmir

lwvwjo

98

df,uutunorrvJo leurnof 0T0Z rsn8nv

:suolsnlluol alq?uos

-l]3J aelp ol uonlunj lrpnu lEu.l3tur aql 3lqEu3

ot p3uretqo sp,tt aruapr,ra ateuclo:dde tuar:rgns

:paluarrnJop puu
'pa,^i\ar^3l 'pasm:dns

dl,redo,rd sul.r. Iroa aqt

,trrLrJ1 rqojd pur Sururul t p..

-ruqcal alenbape Sulreq uoucunj Ipnu IEu.l3tut
aql Jo sr3qruaru ,{q peur:oj:ad se,tr )[,lo,,lt. all] l,
Jaqlaqa atunlE^3
plnoqs rolpn[ afrl]3s 3llt 'sasodrnd srolpnu aJt
-aras aqt JoJ uouJun1 trpnu Iuuratur aqt dq p:ulo1

-rad >iloru.:rlcads3o ftenbape aqr

.i.T::1T,1

:":
-rpne albrJs 3llt ro1lrunbape slr auluxatap

01

IJOA

teqt uo salnpaJoJcl ru:oyad puv atunlu^a plnoqs

lol

-rpnE 3Jl^las aqt 'uoulunJ llpn llruJatui aqt Jo I.ro,a

:lglcads asn

ot rorpnp eJrlras 3qt lo3 laplo ul 'I

(B'V

:ed :1ag; uorlrung qpny lnu.rawl

atp Jb 21-rq1\ aql

&risn

suolSnlluot
JJrr\]Jc Jtll ol

Iro^\

tEqlJU JJUs.rrjruSrs

d1a>1q sr tr

{o

3Jr^-r3s 3Ll1
4.1o,11

atll

Jo

)ilo,r

red

dla^uJala Sunerado iou

qortuoc

3utuuo14

A eqr Sursn

u.roc'Acuelunoccelol eu,tno['/wvvv\
'troclaJ s,Jorpnu 3fr^,lJs JLp Llo tta1Ja allt autulatap

JI

s,uonezrue8lo aJrr\las 3ql Jo uorldu:sap s,luaruaBB

slorllroJ il3p3sl3dns tsat touuul :oilpnu aJr^r3s 3ql

santr:[qo lortuo:

:rp 'tu:rua8eSua Z addt e ur pur 'pau8rsap,{lqetrns

tou arl slo,uuoJ aqt'patuasa.rd l1:ru3 tou sr ruats.4s

plnoqs rotrpne a)r,uas aqt 'uortclursap aqt

ilgy

:JaU)

are

-uEur 1Eq] ISU aql ssasse pinoqs rollpnr? aJl\r3s aql

'lauuosrad uouezrue8ro arrn:as ,{c1 sl)e leuorluatul

uroq patlnsal

aAEr{ suouer^3ll p3uuu3p!

lue tuqt

3ru.\\c saruof3q lotlpne alrNas aqt '97 qde,r8errd

ur srrnp::o.rd .rqr 3u*u.rol.rrd.Jo

]l:::i ::-.]l

Lru'-'d('

..

aq] Jo tualua^arqJ aqt ot

Ln

patBts

tuul3l3l

aBuErlJ arlt alo]3q slo,ltuo3 papasradns aqt tsat

'alqrssod Jl 'plnoqs rollpnB 3lr^,13s 3qt 'uortdursap

JLp ur ll?tEts s3^ltratqo IoJtuol allt JO tuaur3^3lqlE

aqt ot tuu^alJJ 3rE slo,luol papasradns aqt31 ].roda:

-e8ro :ruuas aqt 1o uortdursap s,tuauraBeueur ur pa

-pn1:ur ale sa8ueql 3soqt raqtaq,{\ aulruratap plnoqs

rolpnP all^fas arp 'slolpnE li3qt puE

sr slorl

suolir,l^ae Jo 2st1D) puD

s.ro]lpnE aJhr3s aqt uo lJa{a ?r{t 3ulx.r3t3p puE

t:odar s,:otrpne 3rL\.13s 3qt ur sa'3uuqr aqt aqiJJSap

plnor{s Jotrpnr af,r^ras 3qt 'uorldu:sap aqt ur

p3pnllul lou alP saiuql qJnsJI ul3lsls s,tlouEZtu

Hdq'JJui

cqr rnoq8nolqt dlorqra3.Jo aturado tou prp lorl

-uoJ aqt leqt Srirpnl:uo: loJ slseq ater:do:ddu
un saprnold p:ruro3l:d ua:q srq trqt Suns)t Jql
'pouad
paryrads
aqt
lla.ticaga
tnoq8norqt
aru:as aql 1o

p3tr?r3do uralsls s.uorlezrueS:o

sauttua

-lllrlu 3lr,\las aqt

raqtar{.4

fuesslru

-tuatu:1dtur ala,tr lerll sloJluoJ s,uorlrzruu8ro

q

plnoqs pue 'p3iJuuspr suonenap .{uu 1o asnu: puu

a:ntuu aqt ate8rts3^ur plnoqs lotrpnB aJl\las ar{I '92

ltlu9N

'sqde:8r:ed
asoqt Suillropun saldDuud aqr Surpru8a: a:ruepin8
lplrorirppe apr.tord gE6 uolt)as nVJo 9t -g| puE
1-1 -16 sqde.r8cled sloluor Jo slsJt ut Surldurs
ss3rppe rllqa '0E uonras gy jo gy -lg sqder8
-pred ut stuarua:rnbar aqt ,{yddr: plnoqs rorrpne arr
-^r3s 3qt 'aleudordde sr Surldures teqt sauruuJtJp
JorpnE 3f,rl-r3s 3qt g1 saldrues trpne SunEnle,\a pus
'3urru:o1:ad'8uruue1d sassolppe (I Io^'sl2irpuDlS
luuorss:/iri4 'y.131y) 3u1ldruus 4pr1y '0Et uorl
-las ny uouerlap.;o a:ur pat:adxa aqt pue '(dlrp rad
saurt dueru flep {lqtuoru 'alduruxa roj) uorlmqdde
lorp 3o 6uanba4 aqt 'sloluoJ arlt Jo arntuu aql
Surpnpur 'patsat aq ot sloluor aqt 1o uonepdod
aql Jo srllsuatJPrELIJ ?rl:1 l3pisLl()i) plnoqs rotrpnP alr
-^las 3qt 'ater:dordde sr 8u11durus raqtaq.u puu slort
-uoJ Jo stsat .lo tuatxa aqi SuiururJJt?p u3rlAySZ
'arnp3J

-ord aqt 1o sa.ntralqo ar{t ]eJut ot pats3t 3q ot stua]t

aqt 8uu:a1as ro3 poqt3u a^ulaJJa ue auruuatap

'slo]luof, l3qto 3soLlt

JO ssauaanoajla Suue

u3qA\ '62

csSl ot

lBuortrppe

'pouad paq

raqtaql

:3uvrro1

ar11

-r::ds :q r rnoqFnor qt (1r.rrtrty1a paruado 1o.r

-uor arp tsqt Surpnlluol rol srseq ateudoldde
uc srprrortl prur.ro;.rad uJJq srLj lrql Sultsilt
3llt 'os JJ alqetda::r 3rB pull uoncrl?p Jo 3tul
palradxa aqt urqtr^\ ?rE suouEhap p3uuu3pr '1,
Jaqtaq.r 3ullrrl3t3p
r

.r

s.lLll

Jq1

J3qtar{lA r

anp qtlt\ tno paulpJ aq ot {ia>1q sr

lrpnE lr?ul3tur 3qtJo l.ro,{\ aqt

aq1 r

lro.{\ aqt laqtaqa auruJJtsp plnoqs lol

lDu.Le1u1

sE,\\

3qt ot tull^alar aq ot
sr uourlrn; trpne lcu
^lalrl ot rap:o ur parurojrad
-lalur 3qt l3ritaq,{\ auruuatap
sanr^nJu 3ril Jo puE uoltJurlJ IpnE lcuJatur allt Jo

Iro

rasn lq tuu:r;ru8rs paJaprsuoJ aq plno,nr sa8ueqr

.rql sJ^JrlJ(l lotrpnc afr^rJS rqt 11 t:orh: s.:,rl
lq paJa^ol pouad aqt 8ur:np pa

uoltdlr)sJp s.luJrrJSEupr.x ur pJlrls sanrt::fqtr

IoltuoJ 3qt ot p?tlar slolluoJ aqt

lnoqu uolsnlJuof E rl:reJr ot

-uoJ raqto Jo ro lo"rtuor aqr lo Surrs3t

suorsnlJuoJ ssoql
3o troddns ur pararpe8 atuaprna aqt Jo uooun
-ls^J Jqr ur pa^Jo^ul ,{trnrt::fqns.;o r;r.rFrp rq1

-lpn[

uorlJunJ tlpnE

luulatur 3qt lq 'paur:ograd aq ot ro 'pauuo;

-rad q:o,tr. ljr:ads go adors pur arnteu aqf D
plnorls,rcl
:3ur.tro11o1 3r{t atunlEAa

-rpne aJLuas aqt 'sa.rnpaco:d s.lolpnc alrr\.I3s ?ql

Jo tu;txa ro'8utun 'arntuu aqt uo uonrun] lpng
lEur3lur aql Jo {lo,r 3qt Jo tr3]Ja pauueld aqt 8ur
-urulatap ur'iuarua8e8ua aqt go sasodrnd aqt ro1
:tunbape aq ot li3lll sr uonrunJ lpne Ipuatur 3qt JO
IJO^\ aql lEqt sau[u]at?p lollpnr? 3rr r3s 3qtJI'0
uortrzrurS:o c:r uls aq r ,{q uor t

.JunJ lpne
lpulJlur rqt uo plcld srroLtJllsJl
:o sturrlsuo: due Jo tla3J3 aqt Jo uoltpJaprsuoJ
Surpnlcur 'rorpnr? eoul3s ?qt pue uol]
-JUnJ lrpnB lEuralur aql uaa,4Ataq rnlro lll.t\ uoll
-JrunruuloJ 3^rtJ3JJ3

tql

3-rEl lE
-uorssa3ord

uolrunJ

uonlunJ IpnE lEulslur 3qt Jo slaqrlraru

aqtJo aJuataduoc lurruqrat pue,{rr.Ntrolqo

1oJ ar{t Sunpnlr?^a dq tuaura8r8ua aqt Jo sasocfuncl

aql roj atBnbapu 3q ot lla{rl sr uoulunj trpng leu
-.l31ur 3qlJo

-rpn8 a3r^ras aqt'uortJun] Ipne lB[la]ui aqt

srll asn ol spualur rotrpnE

uowun:I tpnv

'tuaruaScSua

-,rado aqt Surtrocldns aJuapr^a uretqo ot,(ressarou

sr lr .r3llt3q,tt 'os Jl pue 'sloJtuoJ .raqto uo puaclap
p3ls3t 3cl ot slolluol ar{t Jaqtarl^\ aururJ3t3p q

sEA

sarlqrqrsuodsar aqt lo aJntcu aqt Jo SuipuEtslapun

Ioluol
IoIuoJ

aqt suearu tcq.u

ql^\

uloc'ncu

1110-3.\,tEJ

Surpnpur
'uotluzluEl

e.rr ',{uu

1r

-alctur a:
rioIch.i:s:
'.rud

:1a91

ur:Is,(s s.

s.lu:ui:3
-pnllur

ltl

3qt ur Pr
Jsorll,r3rl

pl]],r

Purl

qu

qluau

pa

lqr

1o :c

-pnlnr'r,r
-.rapun

(o
3JrAras

_1,.^.-.-

J,\f,lqfr o

'trocb:7:
-uol

s3,\

Jo u

-uzrurS:o

Jo

u0r]ul

-l.raluru

-a8u8u:

(9V rEd :;aX) puu'uats(s

turu

Jr^las

aqt Jo uor tdu.rsap

s.

-:cLuor

',

sa^u

paqddu a
-Lrrd pJUl
-]Ll3lStSUC

1u JllnlJr
JJI,\I35 J
3Jr,\-lJS 3

s:rrtrakl
-lE,\3 o1 E

rLlo{ uoll
3lll tu3.\?r

{q :o uroq,tr,,{g

iggy ,rrd :1a5; parlddr: a:e

sloJluot pue salcrado uratsls s.uoouziue8ro a:r,uas
3llt qIq^\ ur l3uuEur 3qt Jo uo|DtualunJop lsrlto
puc sp.rolar Jo uol:adsur puE uouBruasqo apnllur
plnoqs sarnparord:aqto qrn5 p:tuauraldul uaaq
seq urals{s s,uouezrue8ro alruas aql Jarllaql\ sarnp
-aco:d:aqto ql.{\ uoituurqrxol ur 3peru sauinbur
q8no:qt auturatap plnolls rolpne ?rL\las aqJ '02
'u3ql ol uollelal ur pasn uaacl sEq poqt3ur

ur

'parlddu

aqf

arit qJrLI,$. qtl.{\

'pa11dclu sem

-uzruu8ro

::lues

aql ur saSuBrlJ tnoqe :rrnbur plnoqs lollpnE aJr^las

3q1 'tuarua?e8ua 7 ad,{r c Sururojrad u3q,{\ 'Z
red :1a61 po

(ttV-0'V

-r:ad luarln: aqt Surrnp pauretqo JJuapr^3

-tuarualddns sr ir Jr ua^3 'Suusat ur uortlnpal c JoJ

tou saop spor:ad :oud ur sioltlro3

srseq e apr.lord

Jo uole:ado hot:e.;sues 3qt tnoqe s:tuarua8r8ua

rorrd ur pauretclo aJuapr^A por:ad:qt tnoq3nolqt
ssaua,rit:a3ja Surtrraclo :rlqt ssassu plnoqs pur? rual
-s(s s,uouuzrur8lo art,rlJs aqt Jo uoltduJsap s,trr3ut
-a8euuru ur patets s:rr.rt:alqo lo]tuol aqt a^arqJu
ol ,t.lussaJau arE pJurlu,l3t3p sr?q rolrpnB all^ias
3l.ll lsql slolluoJ asoql lsal plnor{s lollpnE 3rr^_r3s
aqrtu:ura8r3tra 7 :d,(t r Sururro;r:cJ u)qM 'ZZ
ryn.[{1 Suur:.Ladg Siiiss:rssy
sseua

pJl[ls

(Erv-0tv
pue 9ZV rpd :Jr1) slolluo3 Jo ssrrra,4.rlJaJJE
Surlzradg aql Surprp8ag aJuaprAE Sururetqg

'slsu )soql qlr^\ u.r.rls (s s.unUazlu

-Eiro J)L -rJs.rqlJu uortdu:s:p s.lu:ur:3rut:ru ur
pruuu3pr slortuo: aqt;o a8elurl aqt SunEnlE^3 q
s.uor lezr ueBio

-a8uueur ur palu1s sa,Lrlcafq6 19119s3 aqt lo tuJur

-anarlllE aqt u3lE3]L1] tEqt s{su aqt 3ur,{Jnuapr

^q ara.tr
-:alqo lo.uuor aqt a^alqJE ot pru8rsap dlqetrns
slo,lluol 3soqt laqtaqa ssasss plnoqs pue ur:tsds
s,uonrzrueS:o allr?s 3lrll Jo uoudu:sap s,luarua8p
-ueur Lri pJ:tr?ls sa,rrtra[Qo lo.nuor aqt aaarq:e ot &es
-s3Jau 3-iE uo0ezrue8ro 3llt.ras aqt lE sloltuoJ aql
'Iz
JO qJlq,!\ 3u[u,r3t3p pllrorls lo]rpnE all'^las aql
(6y-9y pue 9ZV rrd lad) sloluo)
Surpre8aU aJuaprla Sururetqg

;o uBrsaq oql

'pa11ddc

uu urElqo plnoqs lotrpnP alli\.las aqt 'uoltrunj

rpne leulatur u seq uorlrzrue8ro alL -ras aqt.JI '82
(L+V-g+y rEd :l3U) iloi]:rilrjC
1lpnv lDu.tatul ?Lll {o 7ulpuDlst?pun uD SwwDtqO
uoltJunJ lrpnv leuratul aqr Jo

rr

^ruJtsrsuol
?rit 1\\ol{ !

loluor

:8ur,to11o3 3qt tnoqE a)uaptla uretclo ot ,{lnbur

qtt,tr uoupurquor ur sarnpa:ord raqto rurolracl u

plnoqs JotrprlE 3Jr^_l3s Jql 'slolt

-uoJ Jo stsat Surru:o1"i.rd pue Sulu8rs3p u3q,t\ 'tZ
(Erv puB (J)ztv .r8d :Jau)

alqEu0sE:

'pln0.{\

r,

-duosap

Ltlals,(s s.

s,tuaruaB
aLll Jo lu

El,l3lt.tJ

se5ve13u'tvrf,tJlo

d.

e.

conclusions teached are appropriaLe in the circumstances and any reports preparecl by the
internal audit lunction are consistent with the
resuits oI the worl< performed; and
exceptions relevant to the engagenent or
unusual matters disclosed by the intcrnal auclit
function are properly resolved.

Eft'ecL

on

the Servicc Auditorls

llepori

33. lf the rvork of the internal audit function has

been used, the service auclitor shoulcl not make reference to tirat work in thc servicc auditor's opinion. Notrvithstanding its degrec o[ autonomy and
objectivitl', thc internal audit function is not inde-

pendent of the service organization. Thc scrvice

auditor l-ras sole responsiltility for Lhe opinior.r
expressed in the seruce auditor's report and, accotdingll', that responsibility rs not recluced by the service auditor's usc of the work of tl-re intcrnal audit
function. (Ref: par. A49)
34. ln the casc of a type 2 report, if the work of Lhe
internal audit functiot-t has been used iu perfotming tests o[ controls, thai part of the service auditor's report that describes the sen'ice auditor's tests
of controls and results thereof should includc a
clescription of the intcrnal auditor's rvork and of the
seruice auditor's procedurcs with respect to that
rvork. (Ref: par. A5O)

OFFICIAL RETEASES
v

Any e\ients subsequent to the perioal covcred by managernenl's description of the

service organization's system up to tllc clate

of the service auditor's report that could

hrvc .t signtlicrnt cffcct on m:lllxgemcnt
assertion.
37. lfa sennce organization uses

subsen'ice otgan-

ization and managernent's description oI the servinclusive

ice organization's system uses the

r.nethod, the servicc attditor also should obtain the

written reprcsentations identified in paragraph 36
from management oI thc subsewice organization.

38. Thc rvrittcn reprcscntatior-rs shoulcl be in

Lhe

form of a representation lettcl adclrcsscd to the sen'

ice auditor and shoulcl bc as oI thc s:rr.ne dale as thc
date of tl-re scrvice audltot's rcport.
39. l[ management cloes nol provicle onc or tnoLe
ofthe wdtten rcpresentations requested by the sen'
rce auditor, the service attdttor siroulcl do the 1bl-

krving:

cr. Discuss the mattcr with managelrlent

b. Evaluate the effect of such refisal on the sen'
ice auditor's assessrnent of the integrity of management and evaluate the effect that this may
havc on the reliability of tnanagement's rcpre-

c.

sentaLiolts ancl eviclence in general

Take appropriate actions, which may includc
disclaiming an opimon or withclrawrng lior.n thc
engagel-neIlt

Dirrcf Assi.sl.lllcc
35. When the service auditor uses members of thc
service olganization's internal audit fllnction to pro-

vide direct assistance, the scn'ice auditor should

adapt and apply the requirements in paragr aph 27
of AU section 322,T!'Le Auclitor's Consideration

Internal Audit Futlction

o.f

thc

in an Audit o.f Fitancial

Stctcnlcnts (AICPA, Profesionai Standartls, vol. 1).

Written Representations (Ref: par. A51-A55)

36. The serr.rcc auditor shoulcl rcquest managclrent
to provide written representations that
reaffir m its asse rtion inciuded in or attache d to

a.
b.

c.

the description of the senice organization's syste m;

it has provided the setvice auditor with all relevant information and access agteed to; atlcll
it has disclosed to thc service auclitor any ol the
follolving of u4rich it is arvarc:
i. Instances ofnoncompliance rvith larvs and
regulations or uncorrected errors attributable to the service organization that may
affect one or more user entlties.
ii. Knowledge of any actual, suspectecl, or
alleged intenttonal acts by lnanagement or
rhe service organization's employees, that

could adversely aflect the fairness of the

ptesentatiou of management's description of
the sen'lce organlzation's system

ol

the

con-

pleteness or achievement of the control

objectives stated in the descnption
Design cleficrencres iu controls.
ir.'. Instances when controls have not operated

iii.

lf managetnent reluscs to provide the representations in paragraphs 36(a) and 36(b) of this SSAE'
the service auditor should disclair.r-L an opinion or
rvithdraw from the engagentcnt.

Other Information (Ref: par. A56-A57)

40. The sen ice auditor should tead other information, if an11 include cl in a docutnent containing managetrent's dcscr\ttion of the service organization's
s)'stem and the sen'ice auditor's rcport to identily
material inconsisLencics, i[ any, lvith that dcscription. While reading rhe other infonnation for thc
purpose of iclcntifying material inconsistencies, the
service auditor tnay become aware of an apparent
nrisstatement oI lact in the other inlormation
41. ll the service auclitor becomes aware of a matcrial inconsistency or aI) apparcnt misstatement ol
fact in the other infolmation, the service auditor
sl.rould discuss the matter with management. ll tlle
service auditor concludes that there is a material
inconsistency or

misstatemenL oI fact in lhc other

infomation that n.tanagement refuses to correct' Lhe

sen'ice auclitot should take further apprcpriate
action.'l

Subsequent Events
42. The service auditor should inquire whether
management is arvare of anl' events subsequent to
the period coveted by managemcnt's description oi
the sewice organization's systcm up to the date oI
the service aucliLor's report that coulcl have a sig-

nificant effect on management's assertion. lf the

service auclitor becomes aware, through inquiry or

as described.

. Scc

86

2. Scc pamgrrphs .91-.94 of;\f scction

(i\lCPA, Pk)tf ssiordl Slardards. lrl

paragraph 9(c)( i)(1)

l0l,

AIifsl Fnld,gcrl.nls

otherwisc, ofsuch an evcnt, or any other cvent that

is o[ such a nature and significance that its ciisclosure is nccessary to prevenL users ofa type i or type
2 rcport from being rnislcd, and information about

that event is not dtsclosecl by management in its

description, dte serr.icc aucliLor should disclose such
event in the service auditor's rePort.
43. The sen'rcc auditor has no tcsl.ronsibiliLy to kcep
infonnccl of cvents suitsequcnt to thc datc of the
service auditor's report; horvcver, after thc release
of the sen'ice auditor's rcport, thc sen'ice auclitor
nray becor.t.tc arvarc oI conclitittns tl.rat existcd at thc
leport clate that might hal'c a{lectecl nallagelrcnt's
asscltion ancl Lhe senice auclitor's rcport had thc
service auditor bccn au,at c oI thcm. The o'aluation
of sucl-r subscqucnt infortratiot"t is sin.ular to the
evaluation of information discovetecl subsccluent to
thc date of the reyrort on an audit o[ lrnancial staternents, as clescubed in AU section 561, Subscqucnt
Discovcty oJ Fttcts Exisf il1.q dt thc Datc 0f thc Auditor's
Report (AICPA, ProJcssional Stanclards, vol l), ar"rcl
therefore, the service auclitor shoulcl adapt ancl
apply the guiclance in AU section 56i.

comple
the final

than 60
release

50. Afte
has beer

delete o
Its reten

51.

lfr

ity existi
docume
engagen

auditor
itication

a.
b.

The

Wh
revit

Prepari
Content

)l'.

A se

the foll

4.
b.

Documentation (Ref: par. A58)

44. Thc servicc auditor should preparc clocurnentation that is sufficicr.rt to enable an experiencecl
scrryice auclitor, haring t.to previous connection with
thc engagement, to undcrstand the following:
a. The nature, timing, and cxtcnt oI thc proceclures
performcd to cornpl;'rvith this SSAE and rvith
applicable legal ancl rcgulatory requircments

b.
c.

c.

A trt

An
Iden

i.r
tLz

The results of the procedures l.rcrformed ancl tl.re

evidence obtained
Significant finclings or issues ar islng during the
conclusiotrs reached thereon,

iii.

ancl signi{icant professior.ral judgnlents made in

reaching those conclusions

engagement,

tl-Le

irt
va

45. ln documenting the nature, titning, ancl extent

of proccdures performccl, the scn'ice auclitor shoulcl

rccord thc {bllowing:

a.

ldentifying charactct-istics of the specific iterns

or matters being tcstccl

b. Who perlbrmed the tvork ancl the clate sucl.l
rvork rvas conrplcted
c. Who rcvielvecl thc rvot k perlomlcd and the date
ancl extent of such reviclv
46. lf thc service auditor uscs specilic ri'ork of the
internal audit funclion, thc servicc auditor should

i
(

document the conclusions reached rcgarding tl.re

evaluatiot.r of the aclequacy of the wor k of the inter-

nal auclit fut.rction and the proccclures pcr{bnned

by the service auditot on that work.
47. The servicc audrtor should clocument discussions oI significant {lndings or issues with managemenL and others, including the naturc o[ the
srgnificant findings ot-issues, when the discussions
took place, and u'ith u'hom.
48. tI the service auditor has iclcntified inlbln.ratron
that is inconsistcnt r'vith the service auclilor's linal
conclusion rcgardrng a srgnificant {inding or issue,
the serr'jcc auditor should documcnt hou'the serv-

d.

lfma
niza

abilit

mcnt clocumentation in an engagement filc and

the

ice auditor aclclressecl the inconsistenclt

49. The senice auditor shoulcl assemb)e the er-rgage-

ment
s

wwwjo

www.jou rnalof accou nta ncy.com

Journal of Accountancy August 20i0

OFFICIAL RELEASES
number of items tested), and the number
and nature of the deviations noted (even if,

p.

on the basis of tests performed, the serrncc

auditor concludes that the related control
objective was achieved). (Ref: par. 465)
A statement restricting the use of the service
auditor's report to management of the seruice
organization, user entities of the service organization's system during some or all of the period covered by the service auditor's report, and
the independent auditors of such user entities.

-^-;^^

q. Thc date of thc scrvicc auditors report.

r: The name of Lhe service auditor and the city and

organization

hl

the men

rgerncnt. rnd thc function pcrfonncd by thc

system.

ii.

rny parts o[ manrgemcnt's dc,criplion o[

t he seruice or grnizal ion s syslc n l I hrt arc nol
covered by thc scrwicc rudrtors rcpon. (Rcl:

'
iii.

iv
n

par. A56)
any information included in a document
containing the service ruditor repofl thr( is
nol covercd by thc senrcc atrditor's rcport.
(Ref: par. A56)
the criteria.

organization s system and assertion, includ-

examination provides a reasonable basis for his

or her opinion.
A statement about the inherent lirnitatior-rs of

controls, including the risk of projecring to

future periods any evaluation of the {airness of

ion

description of the sen'ice organization's sys-

the presentation of management's description of

app

tem,

the sen4ce organization's systeln or conclusions

ced

specifying the control objectrves, unless tl.re

Lt.

ulation, or another party, and stating them

about the suitability oI Lhe design of the controls to achieve the r-elatccl controi objectives.
The sewice auditor's opinion on whether, in all

in tho decerirrtinn

orglnlzil-

material respects, baseci on the citerja described

iv

identifying the risks that threaten the

in management's assertion,
i. management's clescription ol the service
organization's system fairly presents the

selectrng the criteria; and

qer!ire ororni-rlion's ,vstcln that

vi.

designing, implementing, and documenting

designed

tron;

ii.
iii.

providing thc serviccs covered hy the

cont rol ohjcct ivcs :rrc spcci ficrl by larv, r'egn[ the scrulce

tion's system,
achievement of the control objectives,

ified

controls that are suitably designed and oper-

ii.

ating effectively to achieve the related contro) ohjcctivcs strlc(l in thc dcscription o[
rlrc cnnriec nrornizqtinn'c... sysl(m
A statement that the seruice auditor's responsibility is to express an opinion on the fairness of
the presentation ofmanagement s description of
the service organization's system and on thc
suitability ofthc design of the controls to achieve
the related control objectives stated in the

56.

wa5

rnrl implcrrr. ntcd rs oI tlrc spcc

clate.

the controls relatcd

Lo the control objectn'es

stated in managemcnt's clcscription of thc
scr\.ice organization's systenl were suitably
designed to provicle reasonable assur-ancc
Lhat those colrtrol objcctivcs would bc
achio'ccl i{ thc controls operaLccl c{lcctivc-

l" r< nl thn <,rn,

iii. if

'lrn,l

rlet,'

the

his,
57.
ion,

desc

ination.

related control objectivcs stated in managempnt'< dc<crintinn nf. thc

... c,3I\1Ce OtgJniZa-

A statement that the examination was conduct-

tion s:vslcrn a rL'[cn n( c l() thls (on(lrtron.

mlgl

ed in accordance with attestation standards

established by the American Institute of

A statemcnt restricting the use of the service

ization and whether the carve-out method or

the inclusive method was used in relation to

Certified Public Accountants, and that those

thern. Depending on which mclhod is used.

standards requrre the service auditor to plan and

org,rniz,rlion. rrscr cntilic. oI thc scn icc orp,a

nization's system:rs ofthc end ofthe period covered by thc servicc auditor's rcport, and thc
independcnt auditors oI such user entities. (Re[:

any services performed by a subservice organ-

(1)

the carve-out method was used, a

statement that management's descrip-

ed controls at relevant
uLSdL"zaLru,,J,

-'.r

dL'u

subservice

that
r
the seruicc audi-

tor's procedures do not extend to the

<r

(2)

lf

th<ewtcc orrani'al ion.

the inclusive method was used,

statement that management's description of the service organization's system

includes the subservice organization's
specified control objectives and related
controls, and that the service auditor's
proccdures includcd procedures related
to the subservice organization.
lf management's descnption of the semce organization's system relers to the need for complementary user entity controls, a statement that
the service auditor has not evaluated the suitability of the design or operating effectiveness
oIcomplementary user entity controls, and that
the control objectives stated in the description
can be achieved only if complementary user
entity controls are suitably designed and operating effectively, along with the controls at the

Journal ofAccountancy August 2010

description, based on the sen/ice auditor's exam-

auclitor's report to rnanagement o[ the sen'ice

perfbnr-r the examination to obtain reasonable

If

tion o{ the sewice organization's system

excludes the control objectives and relar

88

A statement that the sewice auclitor believes the

the application oI compler.nentrry user

entity contrcls is ncccssary to achievc thc

the following should be included:

d.

the control objectives statecl in the description.

of the seruice

preparing the description

of presentation of the description and asser-

I report should include

system prepared

tl.re

servlce organization's system and suiLability of

ing the completeness, accuracy, and method

oflice that has responsibility for the engagement.

the following elements:

a. A title that includes the word independent.
ir. An addressee.
c. Identification of
i mrnaqemenr's de.crintion of the sen icc

presentation of management's description of

(Ref: par. 460)

i.

state where the service auditor maintains the

53. A service auditors t)?e

to management's assertion and a

statement that management is responsible lor

A'6I-464)

(Ref: par.

this type also includes evaluating the overall

^,^^-i-^ri^-

reference

assllrance about whethe

manage ment's

clescription of the sewice organization's system

par.

46l-464)

cedt

engi

Oth

58. l

oInr

oru

OI OI

clear

efiec

related control objectives.

The date ol the servicc auclitor's rcport.

The name oI thc service auditor and the city and
state rvhere the scrvicc auditor nraintains tlrc

A statement that the sennce auclitor has not per-

office that has r-esponsibility fbr the cngagcmcnt.

achit

is lairly presented and the controls are suitably

designed as of the specified datc to achieve the

entit

tion

ice a

formed any procedures regarding the operating

effectiveness of controls and, therefore, express-

Report Ddte

I0r

no opinion thereon.
A statement that an examination of management's description of a semce organization's
system and the suitability of the design of the
service organization's controls to achieve the
related control objectives stated in the description involves performing procedures to obtain
evidence about the fairness of the presentation

54. The service auditor sl-rould date thc seruice auditor's report no earlier than the date on lvl.rich the

been

service auditor has obtained sufficier"rt appropriate

nrcat

es

of the description and the suilability of

the

design o[ those controls to achieve the related

control objectives stated in the description.

A statement that the examination included
assessing the risks that management's description of the service organization's system is not
fairly presented and that the controls were not
suitably designed to achieve the related control
objectives.
A statement that an examination engagement of

evidence to support the sen'ice audjtor's opinion.

sl

entrtr

tion i
take

Modified Opinions (Rcf: par 466)

55. The scrvice auditor's opinion should be modified and the ser.,'ice auditor's report should contain
a clear description of all the reasons lbr the n.rodification, il the servicc auditor concludes that
d. management's dcscription of the seruice organization's system is not fairly presented, in all
material respects;
b. the controls are not suitably designed to pror'rde reasonable assurance that the control objective s stated in management's description of tl.re
service organization's system would be achieved
if the controls operated as described;

wwwjou rnalofaccountancy.com

APT
EXF

Scop

AT. I
Itas0
objec

inu

comI

Conf

and c

entit)

Wwv

6g

uoc'ncuelunocceloleurno['/v\r

/v\

{f,uEtunorrvJo lErrrnof 0102 lsn?nv

'slorluoJ
f4 Elratul alqellns lnoqB uouEru'loJul

:t1t

,o ,.rrr.r,'r4ta Surtelado
'.,.a.
u, pr".u'lt'tt:qt1o

r.rt

qlns

trodr'r 7 ld'(t e

1o

uorttlr'rrs;tp aqt ut
slolluoJ.Jo

ort"tr rrn,trrfqo lo]luoJ ssJlnPE lllql

';;'r:i' ..'.1 ; J" { 1q, rtn' rq t' urrts(s s'uot reztueiro
uorlel
..^ri, .qilo uottdtr:sap s l'aure8eueur Io a:r
-,rrs"r.l ,roj aql lnoqB uolll3ssll s'uouezrus8ro

uru,t

Io

*oitlutlrp

(urtu
aqt ;o

ut
1y55 slql Jo / qdcr8errd
ssrullrudorddr Pur :JuEralrl

ur 'rauueu aql puE

aql asn ol pualul daqr qcrq'tr

trod:r rqt

lo slasn

r1 I

-^l3s eql ,,o; t,tn,1

tqt puElsr3pun

ot ,roripn" rl3qt pul,

sa11uu3

or

usql

3lq8ua

lasn ol alqullc^E

3JuBplolJE Ul
,o o] pr"., llslul 'avss slql qllnA

pr*lo3l.a

roJ '9V
sluaura8e8ua 1o sasodrnd 3q1
pu I red :1a1; rrtetrt3

(9I-tI

'slualu3lBls IEIJUEUU

U'IAO S'UOII

3ql o1 pslelal
-uzrur8ro 3Jl,uas arll 1o uotlereda:d
s'uorlezrue8ro acr
slortuor 'a1.1-"ta ro1 lualsls

ul p3lllls salll
-,urs aqt;o ,,ou.1t rsap s,luauraBeueu
aql o] p31ul3-l lou
-cafqo p:tuoo aql Jo luaura^alqrz

slolluoJ apnllul

,rn ,Lqr ,ton"t,uc8ro alruos s lE

q:n5 papr'lorcl s:rt
'13^a,\\oq'lou ssop uollluu3p
pu
-^,r"r rq, o, alelar traql u3q'tt sallrlrlle lolluol
s'uotlezrue8ro all
'Sultotruotu' luauruonlu? 1o'r luol
.:lt^'ns
1,rl", ,alt lo ,tra.lsc apnl:ut duru u orlDzuDSlo

, l,

,lo-,t,io, lo uollluu3p aql 'aldurexa

roc uoullzl

sluauodutol

-uu8to alruas E lE lolluoJ luulalul Jo

slradse apnlcul osle dvur
raqto aql Jo aloru lo auo 1o

t,"].tjl|i

pu, uo,trrtunSro 'trL'!rrs rql tO n"tt''It

s lr:dsc lpnlrut 1 qocra
uor lDuuo1u t .sJl llluJ I Jsn Jo
uolllugap
-"rocI.,t ,,otluzn,,'7'to atlt-ns ttltt s1o'Lliiol Jo
sJlJllod lql 'EV
ur ol pJrlJlJl s.l"rnpr'totd Puc
JUr
'

12 .'n.t

1lx) r,orrn:run3'9

rl^iJS P lU Sl0lltlo]

suoulu{a(
((q)Z rEd l3d) I01
ssaua'rura31a 8ur
uoulas IV rapun slolluol aqt 1o
-r"rr.lo ,,tt lo uollt;ulu]cx'l ut; -lo'( I lo\'si)lpl)unlS

ol uotttsod

Jo

tuaur8esua luln:ttrcd lq

pu'
uottc:t1tturp1'

ro1 slscq 3ql

'ran,rralqo lortuo:atrtldorddulo
1o

ssaur^lll{1: Surter:do aqt

palEloossu asoqi urorl

dpuerl

Irt

rapun luarr

ot trodar e ltulad
:o'Sutlrodal lellueui1

ac1

.]rrirn

'la.{a,^
B tE

oq'tou

uaq^\'tV

uotlrlurslld s.llt lu'r i tsn

ol

urns

Burr.rodar lelf,ueur1

l3lo lolluol pu:alur

s'Alrlua

'*i"r.:.,

1Y55 slqr;o adoc5

uoure aleudordde
119y red :J3U)

o>1ur

uotl

'OS Op 01 Suqlltun
plnoqs rollpnE alluss aql
'palullu
-rr,r-,n:ro 311^las alll lo luaru:Serittu PUB
os u3aq lou sEq

st

uoueulo]ul 3ql ll salllrus

p?lcolunluurol ua3q

-nurulol

lasn p3lJa.l;e ot (lateudo"rdde

3ulrur3l3p plnoqs
sq uouElUlo]ul siql raqlsq'e

u.ro?'Acuelun(

:paqu:

pa^3llpE aq plnr
3rl1 Jo

ns

3Ll1

113

-old ol

PJuBls:

lBql sapr

-lpm 3Jl\las:

'tu:ur;8cBua

aql sulBlulrl
puc (tn aqt
'1rocl:

:J3U) s3llllu

aql puB 'll

-,ror pouad
-eBro a:r,u:

all,\l3s aql

afluas

3ql

'uolllpuoJ'
-zztueBro

-a8rueut u

Jql a^3lql
:asn drelu
-arrtlraJJa

.q

plnor

afulllnssB
,(lqeltns a
aql Jo uo
Sa,rtl::[qO

-:ads aqt
sur,r te{

pal3ltpr

3ql

slu3

SflAl3S :

paqurs3
'l3
liB ut
's3^llJa

ut 'po]u:sard
?ql

-uol 3i
suolsnlJ
1o

]snc)Jq uol

:qt Jo
luJr)rllns ul[lqo ol '(lr1lqeul
JJt IJS
-uttlo'ue ulrel.rstp olsttcld lollpnll

ru Jr Jr

;,"o'le'tt'BBro art''as Sutssarord,llor

3ur-(1dde ut

{las

uollduls

-lafqo lo.uuoJ

ll ut'p3lu3sJl
-e8lo aJl\.ras

-rpou aql loj

ulvluol plnoq
-poul 3q plno

'uorurdo s,ro
ateudo:dde l

?ql qllqlA

lol

a:t
ronr rr,n.,r, aqr dlleuourppy llodar s'roitpnu

,,rlr*a,rt,

i;

aql

isl:adsal l[IJaleur

luc \f,

c uor'1

: rrt::ds-r:d '{rotrln8ar

s,tuaruaSeuBur

3lul?rnssE alqeuoscar aputolcl

1o-l,I'ro. aq, lEql
slolluol ulell3J 'q
or pau8,rrp ,(lqetrns lou alartr

(1 :ed :3:6) slu3lualEls

lunof)E purj suollJllsuulJo

,q

-,a.,

J-rnsolJslp pur

raqlo

'laullllllslp :qt mopeqsra'ro lqErur

oql ur luatuaBe8ua
os op ot lt:ocla: s,rollpne aJr^'ras

aql Furqtl]sap
,,rot,pn" af,r^r3s e Jo sfllsualJslEtll
paurojlad ala't lvql s3lnp3J
"pt't1.,'t:ou
allrlas 3Lp 'uol
-o:cl aqt dlltuapl tou plnoqs lolrpnB
-urcIo ur o,,uF ,p or suuld:otlPne.alt'rrasr::ij:

lollpne 3Jtnl3s aql

ur s8urpurl asaql,{1}lu3pl plnoqs
'utals'{s s,uotlrzrur?:o anttas
ut p31E1s s3^11
aqt 1o uou<lu:rsap s,lu:rua8uuetu
ot pouad p:tj!
-rr1qo 1or,rln, p.llll3r aqt 3^?lqlu
lou plp
.',r.lr rurtnoq8no'q' {1lntt:r11r rtuado
Jql ul
7 ad{l c 1o JSEJ

,lnr,ro, ,,"ur,'lrod::

ol pspualul

ll
:psqulsap se paterado slolluol
a:ttuas :qt;o
aq plno^ tualsds s,uot.lBzrueBro
uI pal'ls s3^ur3lqo

a:ur:as
sr 7 qde:8u're4 uorlezruu8ro
o1 I0l uolllas IV rapun uo

slolluoJ uo lrodar

tJ,iitr.rrp

aqt teqr sru:ru

uodar pou orropad Izru:auotlttrerd
qde:?e:e4 '7y
-a8e3ui :aqto oi sla13r lvss srql Jo 7

ul 3q 1f'\l uoll

Ipl)LIPUll sll ul saJuPlDq

^13{uun
lou st

aql 'to; alqrsuoclsar

Jo uSrsap

-orcl parrurrl aqt

d11lu3-lasn

e'(pellulls

'

-;;;.1";":

alul3s

1et:

:ruuqduto: pue

-,'.rJn otlrrrn.1r., aq '{eur sa'ntralqo

r ol p31zl3l slo]luol
suonsraclo s.uorleztuc8ro alt^las
pue s^ael alqullclde qir-"l arunllcluor

pun ss3ua^IlraJla '8ur

i.,n:*nu"tta" lo {ru3nu1e
:troar, 1n,.,.,n.rr1 1,.l ,{t111qeqar aqt ot palela: sa'nloalqo
JJuunss[ Jlqf uosrJI
ro turut.t.t..,qrn aqt Surprciu

rplrold ot pau8rsrp ss::oLd r sl iolltlo) ll)rirJ'ul-'IV

pue

lvlu3rvt'u AuolvN\ndxa
uSllro oNv Noll\Dllddv

drtltqBllns ?ql pue tualsds s'uorlezru

ol

s.uotlcztueS:o rJlN Jc e uo lroda'r

^'.nif-rf*t"otqlr,^r
orci.,.-"hn3.,.

sJulplnB aql asn ol spuelur lol

fv

aqr Jo lu3ura^alqlB
-.uJs aqt pue 's3^rrrafqo 1olluor
uoll
,qt '*rtrda s,uorleztucBro 3)llras oql Jo
qJns Jo lJaJ'13
-du:sap s,tuarua?ueru uo sluaptlul
arf 's3lltlua
,u, arr,-trraP plnoqs lollpnE aIAl3S
(eru lcql pue lcl^ul
r.'r.,-r r.o-.,o'a.ro tca;p
^lical:)
afr'\'l;s laqlo
'ro
tou ale lBql lauuos:ad uoueztue8ro
slolle palJellolun lo
tuarua8suelu ol alqelnqllllE
:pnrr1 'ruono1.,8rl pull s'{\Bl q1!4\ acuctldruo:uou 3o
'8E
saluolsq rollpne alluas aql l1

ar.,rptrni;o
'
"rn^E

sa.rllrqts.rodsauuolleJrunuurof

l3sn
1n,-nnq la^o lolluol lEulalul 's3lll1u3

uddll

1[7uott]as

1o

stql rapun
.,ortdrn.ap 3lll ul ?pnlrul o1 aVSS
ur iarl
p.nr.l ,,.,o.I.i tlrurad ol 2 qder8e'red
lr{, lrolluzlurS.,o ,r1,t1?s pu! uollDzlurr3-10 2rlat2s
:prlord
3ql Jo uoller?lle aqt ro1
Jo suollluuap

uB

1eq] ll3ssll

Nql
-ezrue8ro allr\Jas aql lo luaura8eucur
tl 'tuals,{s 3ql

.,oqraunBro a.,-as aq1.]o luaua8euEu

3q ol slu3ruala

'tollpnE

alulss
drlut lou 3lll urals{s s,uotlpztup8ro
tr
s.tuauta8eueurlo sll:dse urrual
'1o uortal,lrrrp
s:rnpar
leql p3pnpuo) seq'paurroyad
uopaseq'put'aruapua alrudorddc

or.,rpuuo, '{eut
lLll r3^o
.uo,'rnruart luaullsl\ul jo '{trlLqrtda::c

((E)Z iEd :J3U) uodar uotlEul

aq '{;lluaPl

papnllul

uorlras lV Jo /B-t8 srldfl8

3u,.rlppa Sttrpnlrur 'lroJ:: s't:uotltl

u)q^\ 'l0l

qlul

'3utlodar

pJluJlul 3ql Jo uollEJUlluJlrl

aql Jo
lo s3luEtsurnJlll aql ul s3^lllafqo lo]luoJ

'rr.,.rrror.ror"r, aql Suuunls^a

slotluo) Jql
u8isap aql

s,luaura8euutu ;o
-eB.ro'al,r:as atp 1o uortclursap
ro1 'I0I
uourruasard lo ss3ulJ aql Suuunlela
--',.tt
ur paqu:sard
rv ro +g -gT iqde:3ered
uouEllllluapl
sE'su3luJ elqEllpr\E pu alqllns Jo

'aldurexa rog Surirodar lellulluq

luD^J{3i aq

l:AO lo.lluoJ [EUl)lul .satlllua lasn

o,

loltpne
-ttuFts.t:11tp leql sJnssl lJlunoJua "(eut
teqt Surturo3::d pue Suruur:1d

';;'r;tr'Jrr.br8ua

ul aVSS slql ul
aql puB'Suurodar lzllueull lalo loll
-rpnn
"at-"t
aq ol '{laIll
-.,o. 1r,rr",,.r, ,s3lluua lasn ol luEAsl3J
3]r lJs B lE
slo.uuoJ asoql uBql J?q]o uorluzrurS:o
.ior,.,o,, uo trodar o1 I0I uollJas

B uaq^A'V
((s)Z red :ia1) Surlrodar

-.303.,,,rn sllnpuoJ ]ollPnu sluras

'r?sn
lrJueuu la^o lolluol lEulalul 's3rlrlua uo
slolluos
ol tu^alal aq ot ,{1a1q lou ale llllp
qlr'r'r'8utl:odar

ioi"oto"t to ,.punBuurodar

slolluol s'uollEz
or r.ro,rr1a, ,q ot dla{ll alE ]eq]
Burt:odar
-rrr,:3.o ar.nris e uo avSS srqt rapun
saulquol leql panssl

r3sn ol 1uAa
l3AO
lEulalul ,salliluJ
lorluoJ
pull s?^11
{al aq ol d1a1q lou (slorluol p3lelal
:laql
-ra[qolorlr,or lue.lalarSurpnpul) saJl^las
aql 1o
rualsds s,uotleztue8ro a:luas

prr,rr.p,r"oa3,1y) s/u 'rrt t8n8rrl s rllll)') '0ld

'pr,zyl
rv lapun ruaura8u8ua sarnpa:

slsal rilloJ
-ord uodn-paar8e uE J3qll3 ul slolluol Jo
uE sV slorluoJ
-:ad deu :auoutl:urd aqt 'antleutallB
uo Ftrrurdo utoll ldl
lo ssJuJ.\rlJJllJ Sutlc:ldo rqt
1,nnr r.^r,l.l'.pn1:ard {1''>1t1 11rm

u31s:p1o At111qe
atruasqr aql

Jo
-,,n, aap ot ,trd,,l qlll\ uolllssse
tloltuoc;o u8rsap
'rra.,anr,.aI, C"r,nrado '"tql pttt

)iull JlqellllxJul Jtll

aut to ,{ttltqrtrns Jql uJJ'alJq
:pru8',tp {lqrttrt' r-rr (rt1lss:1tttt (prtt
st
lrrlJ"
'J;;t;rrrr.do,ouur) slolluoJ pau8rs:p {lqettns

*ru,{, ,q,
sl

-ruEx3 uE Ul

,1or,roa r,tor,rrr,re?lo aruuas

luql sapluu3d puB
aqt ro1 dilllqlll E ur llnsar plno^\
alul asne:aq '(tuua
tsaralur .rn:ur plnol saluElllluar
s:tluoqtne lu3ruru?^o8
Jasn E ot ,unn,i"l
'q '{uur
trlarutt aqt ol pa
ot suoulnp3p llol,{zd 1o a:utlluuar

"rrd
ol a8enBuel aqt Surdolalap
-rr.d aqt r,, pasn
"q
'tuauraBe8ua'relnrtlrcd aql Jo saluelslunfilJ
a.1, ut dtrtnrra,ro,

uorlerqddu
lo ldatuot aqt 1o
flu

'Sutlrodar lBlJuEuq l3^o lorluoJ

-r3lul ol luc^alal a:uuptn8

Surtrpne
-ded e 'aldruexa rog sarnpacord
aJuapl\a ol
.arn:lo ,"wnl",ra lollpnE rasn aql lEql
suollJsuzll Jo s3ssell
ureuad deu ro 'salnsopstp lo
a:nso1:slp pue uoll
's?JuElBq lunoJfe ol Sutlelar
deut slorluoc
-o,rarard tnoqr suoluassu ol utel.tad

(suollJ3s nV)
aqt apr,rord ol papualul arB lq]
uourclldde
sprepuuts Suurpn ol s3lualsJal Jo
alrlar (1eryreds
lolluol lEuralul ol

-ueuq r?^o

J1.11

Il

3lll'uodll

7 rd'{l

rscJ

1o

aql Jo

ul

rql

SSaur

3ql sa^i

'uoud
lltttt

3o

ol pouad

p,p .1ortuo.

uoudl

JO

ot 8un:
jo suol

9E

siq roj

::ii"'':1i: t

u r'rqo o'''u""';':'":l ;:J

ro :u:ts(s s uotlcztur3lo art
uolldulsap s,luatuaSeuElu ul pallls

Jo

a'ratqrc
sa,nt:alqo lor]uol p?]lll3l aqt
rnoqStto'rqr'{l'r^rllqlr rlcr:tlo lou

oli,rrai.qr

11813^

sa5Va13U lVltlJJO

OFFICIAL RELEASES
is provided in paragraphs .23-.34 ol AT section
101. Paragraphs l4-16 of this SSAE discr.tss the
criteria for evaluating the fairness of the presenLation of management's description of the service
organization's system and the suitability of Lhe
design and operatlng effectiveness ol the controls.

Management and Those Charged

Governance (Ref: par. 8)

Al2.

with

evaluations, or a combination of thc tlvo. Ongoing

monitoring activlties arc olien built into the normal

Managernent and govemance structures vary

by entitli reflecting influences such as size and orvnershrp characteristics. Such diversity means that it

Inclusive MeLlncl (Ref: par.7)

not possible for this SSAE to specify fbr all engagements the person(s) with whom the service auclitor is to interact regarding particular matters. For

A7. As indicated in the definition ofinchrsive methorl

in paragraph 7, a service organization that uses a

example, the sen'ice organization may be a segment

of an organization and not a separate legal entity.

.ubsenrcc ()rginizrlion l)rcscnts manigcmcnls

dcsr|ipUon oI thc.crticc or8anrzxtr()ns s)slem IL)

ln such c:rsts. rdcntify ing thc rppropl'iJlc m:tnagument personnel or those charged with govcrnance
lr,rrrr rvhorn lo requcsl wlillcn rcpr(scntltions mry
rcquirc thc cxerci'u erI prolcssionel judgment.

is

include a descnption of the sen,ices provided by the

subsenicc organization as lvell as the subsenicc
organization's relevant control objectiyes and related controls. When the inclusive nlethocl is used, thc
requirements ol this SSAE also apply to thc ser\iic, < nrnvi,lnrl lrv rlro
<rrh<nr
..- .--.vlcc org;tnlzailon,
including the requirement to obtain management's
acknorvledgement and acceptance of responsibility for the mattcrs in paragraph 9(c)(i)-(rii) as they
relate to the subservice organization.
A8. Performing procedures at the subservice organization entails coordination and communication
betrveen the sen'ice organization, Lhe subservice
organization, and the service auclitor. Thc inclusive
me thod generally is feasible if, for example, the seruice ofgrnizxlion rnd thu subse rMcr ()rgsniz;.llion xre

Acceptancc and Continuance

or more o[ the conditions in paraglaph
9 are not met and the service auditor is ncveltheless required by law or regulation to accept or continlle an engagement to ]eport on controls at a
service organization, the sen'ice auditor is requtred,
in accordance rvith the requirernents in paragraphs
55-56, Lo determine the effect on the service auclitor's report of one or more of such conditions not
being n-ret. (Ref: par. 9)

reiated, or il the contract between the service organ-

Al4.

ization and the subseruice organization provides fbr

form the engagement include matters such

issuance ol a service auditor's report. If the sewice

audiLor is unabie to obtain an assertior.l from the

following:
. Knowledge ofthe relevant industry
. An understanding of information technology
and systems
. Experience in evaluating nsl<s as they relate to
the suitable clesign of controls
. Experience in the design and execution oftests
of controls and the evaluation of the resu'lts
Al5. ln performing a service auditor's engageuent,
the seruice auditor need not be independent of each

subserwice organization regarding nranagement's

description of the sen ice organization's system provided, including the relevant controi objectives ancl
related controls at the subservice organization, the
sen ice auditor is unable to use the inclusrve method

but may instead use the carve-out method.

A.9. There may be instances when the sen ice organization's controls, strch as monitoring controls, permit the service organization to include in ils

AI3. If onc

Capdbilitics ancl Cotnpetence

to

Pe

r.fornt the

Engagorrcirt (Rel: par. 9a)

Relevant capabilities and competence to per-

,rcpr nntirrr 1I?, f nrr

as the

Or)

recurring activitics of an entity and include regular

management and supervisory activities. lnternal
auditors or personne I performrng similar flnctions
may contributc to the monitoring of a service organization's activities. Monitoring activities may also
include using information communicated by
externai parties, such as customer complaints and
regulator cor.nments, rvhich may indicate problcms
or highlighL areas in need of rn-rprovement. The
greater the degree and effectjveness ol ongoing monitoring. the lcss ncccl for scprrate er:rlualions.
Usullll: >omc comhinrtion of ongoing mon itor ing
and separate evaluations will enstrre that internal
control maintains its effectiveness over time . The
service audilor's report on controls is not a substituLe for the service organization's olvn processes to
providc r rcasonablc h:srs [or its;rsserlion.

opn
Jair,

oJm
desc

servl
otSa

syst(

cnd
rep0

Idcntificatioll o/Risks (Ref: par. 9(c)(v))

Al8. Conrrol

objectives relate to risl<s that controls

seek to mitigate. For exampie, the risk that a trans-

action is recorded aL the wrong amount or in the

rvrong penod can be expressed as a control objectivc that transactions are recorded at thc corlcct
amount and in the correct penod. Management is
responsible for identifying the risks that threaten
achievement oI the control objectives stated in management's description of the service organization's
system. Manage ment may have a formal or infbrmal process for identifying relevanL risks. A lormal
process may include estimating the srgnificance ol'

Opin

suitdr

desig
oper6
elJect

(type

identified risks, assessing the likelihood of their

occurrence, and decicling about actions Lo acldress
them. However, because control objectives relate to
risks that controls seek to mitigate, thoughtful iclentilication by management of control objectives when
designing, implementing, ancl documenting the
sen'ice organization's syslem r.nay itselI compnse an
informal process [or idcntilying relcvrnt risks.

assertion the lelcvant aspects of the subsen ice orga-

nization's system, including the relevant control

objectives and related controis of thc subservice
organization. ln such instanccs, the service auditor
is basing his or her opinion solely on the controis
at the service organization, and hence, the inclusive
method is not applicable.
Intcrndl Audit Function (Ref: par. 7)
Al0. The "others" refernced in the definition of
internal atLditJtotcti0ii may be individuals who perform activities similar to those performed by internal rudirors cnJ include seniec orgrnization
pcrsonnel (in addirion to internal auditors), and
third parties lvorking under the direction oI management or those charged with governance.

Managementi Responsibiiity

t'or

Doctnnenting the

Set'vice Organizcttion3 System (Ref: par.

9(c)(i))
AI6. Managcmcnt o[ the seruice orgrnizstion rs
responsible for documenring the service organization's system. No one particular fbrm of docurnentation is prescdbed ancl the extent oldocur.nentation
may vary depending on the size and complexity of
r hc serviLc organizrt ion and rts moniloring rcl iYir ics.
Reasonablc BasisJor Managentent\ Assertion (Ref: par.

7, definition of

assertion. However, other members ol management

may be in a position Lo, and

will

agree to, sign the

assertion so that the sen'ice auditor can meet the

requirement of paragraph 9(cXvii). (Ref: par. 10)
Reqaest to Chcutge the Scope oJ the Errgagerrreirt (Ref:

Al7.

par. 12)
A20. A request to change the scope of the engagement may not have a reasonable justification if, for
example, the request is made
. to exclude certain control objectives at the seryice organization from the scope of the engagement because of the likelihood thaL the sen'ice
auditor's opinion rvould be modifiecl rvith
l'espcet ro thosc control objcctrvcs.
. to prevent the disclosure of deviations identified at a subsen-ice organization by requesting

Marragcrnrnt s monrtoring acrivit ies rrrry pro-

vide evidence of the design and operating effecti\.e-

ness

of controls in support of

as5c rl

ion.

Mnr rilr rlirrs olcont ri,ls is

management's

r proccss

o assL ss

Al I. The policies and procedures referrecl to in the

over time. lt involves assessing the elfectiveness of

controls on a timely basis, identifying and reportrng deficiencies Lo appropriate individuals within
the service organization, and taking necessary corrective actions. Management accomplishes monitoring of cont rols through ongoinS rcl ivir ics, scparJte

Journal of Accountancy August 2010

situations that may cause management to be unrulling to provide the service audrtor rvrth a written

.ser.',ice org{Ltlizotion's systern; par.

the effecLiveness of internal control performance

90

agement or the apporntment of the service auditor

by a party othcr than management are examples of

9(cXii) and 14(aXvri))

Setvicc Organizationt System (Ref: par. 7)

definition oI so.r,icc oiganizafron's syste m refer to the

guidelines and actruties for providing transaction
processing and other services to user entities and
includc the infrastructure, software, peoplc, and
drtr that supporl ll)c poliuius end pr()ccdltrcs.

Mtuldge|i.cn|s ReJusctl to Provide a W-itte n Asscrtion

scrlicc organization man-

A I 9. A rccent chenge in

wwwjou rnalofaccou ntancy.com

wwwJo

J6

/buElunorrv Jo lEurnol 0l 0Z FnSnV

urog'nsuelunocceloleuJno J'rwrl/l^

.{

luos'A3u

Suus:nba.
'pa,r.arq:e Suraq urorl uortdu:sap aqi ur patcls

'slolluoJ aql
jo ssauattJala Sutterado

-nuapl

sar.rtralqo lo]tuoJ aqt tua^arcl tou plno,^^

$Isu asoqt teqt aruuJnsse alqeuosear apuord
'paquJsap sP SuuErado Jr 'p1no,,n ureisls
Jrwras Jql Jo uortdu:s:p
s,tuaura8zueur ur par1luapl sloltuol aqt .l

3rlt tnoqE p3urEtqo

usaq sr{ aJUapha ou

r?uatrJJ aql Jo :tJEd

ra11lp

ar{l Jo

uoldu3sap flr ur patets salrtra{qo

IOJ]UOJ aqt JO tuaua^alqlB aqt u?tE?,il]1

teqt slsu aqt pauuuapr seq luaura8uueulr

3ll^las

qr4\

3r{t

Iq

'nlnnr

'(suoda.t

lolluol

Jl uI3ls,{s

sloluol 3rll

patEts sa^ulalqo

aql Jo

su

-,uas aqt

pJ,r3^ol

1atIftS u8sap

a{1 aA3[l:tB ot &essa::u

s.uorlrzrue8ro JJr.\las Jql Jo u()nduJsJp

a^anpu ot pau8rsap dlqetrns aru

patj

3Jl^r3S a
-aBu8ua
r',r.1r' c

saJulos aqt ot lue^alar

puB uatsls s,uotleztue8ro

?n^las 3Lll Jo uoldursap

^.,,-..--q-,.-,,,,., ur
)LlLrdLLL!'0uuEu

slo.uuor aqt 1o uSrsap

lo]tuol rql

s,tuaueSeueul ut p3tets sa,utra[4o

aql

lo {tt1lqotlns
uo uorurdo

roJ

Jl uol

-a8p8ua

:Jau) lueu.

ig1 rrd
3qt l33ru
3q1 uBIs '

juautaBB
B

llhun

ac

1o saldu-rr

loIpnB

-uEiII UO!

se paqdde

u01l_lrssv

'pa^arqJE
's)isrJ

Suraq uro4 uouducs:p 3llt ur paluls

ue asudru

salrtra[c1o loJ]uol aqt tua^ard tou plno,tr

slsu asoqt tEqi aruernssu alqruosrar apltorcl

.pouad
psr]rJads aqt tnoqSno:qt
pa^arqJe aJa,r

alqeuosEar papnord

aqt lr{t aJuernssu

sa^uJ3tqo loltuor p3tEl3,r

^-. - .^,._---,,.I^
^^^,-.
dql
>uuLuLu(, d>dLll

aq-L

s uonpzrueFro

'ualsds s,uollEzrurS:o a:t,uas

3SnBJaq pa^3u118 313.{\

uats,{s s,uonezrue8ro
arl^las aqt Jo uoudursap
^ -,.^.,,^a-.,-,,,
>.luJuJouuL:u
ur p?lEts salrtralqo

loluoJ arlt tEql

lue aprnord

arueJnssE

'Jl3strJo tolr s3op

Eustul Jsaql Sunaanl

JOJ

ruo{

rualsls s,uorlBZruu8lo
alt,\lJs 3r{l Jo uorldu:sap
s,luarua8euBru ul patEls

uoltdulsap

lo; Blratlll aqt 3o uud

are uratsls s,uotlezrue8ro
3)^l3s

santlalqo lortuol

^llllqllllns

uallul\

'slolluof

dtuoqtnu pue aJuataduol ater:do:ddu

aql a^Bq oq,t slenpr.upur dq pallddu

aql Jo ssau3^uJ3lJs
Surturado puu u8rsap aqt

aJaa qoltuol lenueul Jaqlaqa s3pnltrur srql

'pouad paqrc:ds aqt tnoq8no.rqr pau8rsap
dpuatssuo: arJ,^ sloluoJ aqt 'l

uo uorurdo ue Suruuo3
se alqetrns 3q tou plno,4A
santca[qo lor]uor asoqt
uaqt 'patuasa,rd dprrj tou
ere uoudr:rsap aqt ur
patets saNtraIqo [o:tuo:
aql leql sapnlJuol
lolrpnE 3fr^.i3s
oqr.;1 ruaura8e8ua or

iuarua8e8ua

llla uolldursap aqt ur

p:trts sa,,rrtr:[qo
loluor

aAEq llL{\ slortuo:)

allt Jo

s,tuauraScusru ur patEts

'laur aru uorurdo srrp

lo]

Er_t3]utr arp

uaq^\

aqr

aqt

Suuu

uaq^\ sslr

'prqursrp sc 3ur tu:clo 1r'p1no n uars,{s

s,uortrzrue8ro Jlr^ras eqt Jo uouclulsap
s,tueura8euuru ur paunuapl sloltuoJ

-uapr lnJl
allal s
o1

ssarppE 0

'"'rrclc c,,,r'rp'',,p9,,. ..-J JrrNJc Jr{r

Jo
uortdu:sap s,tuatua8rueur ur patets sJ^uJafqo
loltuoJ srlt Jo tualua^arqlB aql ualEarql
teqt $lsp aqt paUltu3p! sgq luaur:Seueulu
., .,.^-^1^ ^,.^,---,,.-4.,
JI TXJISAS S.UOllrzlUCirO aJhrJS Jr{l

JO

uortdu:sap s,luarua8euutu ur patuts santralqo

lolruoJ arll a^arqlB ot {lamtrala SuuB:ado
pue pau8rsap dlqutrns are slo.ltuol 3q,L

r3qt Jo
Jo aJue)u

uralstrs s,uorlezrueS:o
art.t.las aq] Jo uottdu:sap
^-,.^,,.^a-.,-,,,,,, uL
>.turudouuEuL

'(sttodat

Z ?d{1)

Suqopdo

ar{t a^alqle ot hessa:au

ssauanpa$a

patets sanlrafqo 1611u91

3lE tr?qt sloltuotr
3rp Jo sssua^ntrajja

Surtrrado puc u8rsap aq1

puo u8sap

lo

tr!1tc1orns

uo uorutdg

'lualuuoJnua
reln:rlred
u,{\o slr ur lurlrodurr
ltrtua rasn lenpl^rpur
.r3prsuoJ .{uur

qJca lBql ualsds s,uotleztue8ro

lBuuoj

-rojur l0
s,uorlezru
-uEur ul p
u3tE3,iqt
sr tuJua

tf,arloJ a
-:alqo lor
aqt ul Jo
-suu,rl

a:lu:s :qt

l
l

sloltuoJ

Jo tl3dsr? ha,la apnpur 'sloJJlaqt 'tou ,{ru

puB s3rluua rasn 1o a8uur peolq E Jo spaau

uoulrroJ aql taslx ot

'u

pJrEClaJd sr Luals,{s

s.uoitaue8Jo alhras aqt.Jo uortduls3p

s,tuarua8EuPru teqt 3ul3p3i,r\ouIJE

O] SSSSJ]C

3lrl^\

-rlsqns

aql

'uralsls s.uorlezrue8ro a:ruas aqt ol lue^alel

uollcrxJo]ur uolsrp Jo llluo lou s3op .l
'uoudulsrp aqt dq p:ra,lor
pouad aqt Suunp uiats,{s s,uor.tczrue8ro
aJr^res aql ot saSueqJ

lo sllet3p

BIJA}ITJ

luauuro)

Ir.lr p:tu:sard lprq sr ruars.{s s,uonuzrup.Sro

rl^lJs JLll Jo uollduJSJP s.lu.rurSrucnl

'taur aJIl euatur asaqt raqtaqn Suruluuat3p

,.^
uo ^^,.-^-.^a
arurprnir rrqiln.i .r{lo tf Y-Ttv puE 0z -67
sqder8ere4 tr1 qcleiSered ur p:pr.nord a:e ruats.{s
s.uortrzruu8ro 3Jl,ues aqt Jo uonclursap s,tuarua8euuur
Suuunluaa JoJ Buatu3 dpoq leuorss;1ord u ro 'sdnor8
rasn 'uorte1n8:r .trc1 'alduuxa :o1 ,{c1 paqsrtqetsa
EuatrJJ qtl{\ tuatsrsuo) aq ot paroll 3q ot p33u,{.Bul
uorurdo srqt loJ puatur 3qt Jo Sulplo^\ rUlrrds aqJ_

luB^3lar sapnlJur 'uodar z addt e Jo ase:

aqt ur'puc (E)'I rldErSe.iEd ur paurtu3pl

slalrur 3q]':tuuclordde se'Surpnpur

patualualdur puu pau8rsap sem rualsds
s,uouEZluPSJo alnJas

3ql,uoq stuosald

'patuasald

s.loliprle

'suoltrnlr

'6ltoda't

puz'uodar

::t.as aqt,{q

aur

lEul3tur I
3ur:olruo

dpre.1 sr uondr.rrsap aqt

raqlaqa lnoqu uoluossr

s,tuaruaFcuPru

p3r3^oJ sr pur 8ul:ocla:

lErJUrurj Ja^o IoJluol
lDuJalur ,saorlua l3sn

Z ?d& put)
?df,D l'/r.a${s

-uour Sur

3rl-L tus
pue stuie

s,ttollDzruDSto

srualqo.rd

?)!L]ds

uoqnluasotd

alr,,rlas 3qt Jo uoudurs:p

s,luewaSouotu {o

ot tuE^3l3l aq ot
sl
^l3lll
tEllt Luats{s s,uonEzrullSlo
s,tuaut:3ruuy,1

?qi

lo uoltdl.tis?p

^ll

nol

uo uoruldo

os1u,{uru

-r8ro aln
suoulunJ
lEUratul
.rrlnBar a

lEuuou 3
SuroEu6

rallul tralqns

sasvSlau lvtf,lJlo

OFFICIAL RELEASES
a change from thc inclusive mcthod to the
carve-out method.
A21. A request to change the scope ol the engagen-rent may have a rcasonable justification whcn, for
example, thc request is madc to cxcludc from the
cngagement a subservice organization because the
sen-ice organization cannol arrange for access by thc
service auclitor, and the nrethod usccl for addressrng thc services provided by that subsen'ice otganization rs changcd frorn the inclusive method [o the

carve-out method.
Assessing the Suitability of the Criteria (Ref:
par. 13-I6)
A22. Af section l0l rcquircs;r pr,leliliollcr. JlnunS
othcr things, to dctemine wl-tether thc subicct matter is capable of evaluation againsL clitcria lhat are
suitable and availablc to uscrs. As indrcated in patagraph .27 of AT section 1Ol, regardless of rvho
establishes or develops the criteda, management is
responsible for selecting the critena and {br deterrnining whether the criterja are appropriate. The
subject matter is the underlying conclition of interest to intended usets 0f an attestaLion report. The
table on page XX identifics the subjcct matter and

ated eflecLively throughout the specified period in

all material respects to achieve the control objectives
stated in the description. The concept of material-

ity takes into account that the sewice auditor's

report pror.idcs infomation about the seruice organization's system to mect the common information
necds of a broad range of user cntities and their
auditors who havc an undetstanding of the manner in whicl.r Lhe system is being used by a particulil'uscr cnlily [()t finerrcir] r'cporting.
426. Materiality with respect to the lair prescntation o[ managemenfs descnptron o[ the sen'ice

of clc-

rnents that are included in management's dcscrip-

tion of the service organization's systcn

as

appropriate. These elcments may not be appropdate iI the system being described is not a systcm that
processes transactions; for exalnple, if the system
rclates to general controls over the hosting of an IT
application but not tl-re controls embedded in thc
application itself. (Ref: par. 14)
A24. The requrrement to include in mal.lagemcnt's
clescription ol the semce organization's systcm
"other aspccts oI thc scrvicc organization's control
environment, r isk assessmenL process, information
and comrnunication systcms (including the related business proccsscs), control acLivities, ancl monitoring contro)s, that al'e relevant to the scn'ices
provicled" is also applicable to the internal conLrol
components ofsubserwice otganizations used by the
seruice organization when the inclusive method is
used. See AU section 314, Undcrstdndingth. Elltiql
andltsEnvironrncnt an.l A.sscssing thc Rishs oJMcre rial
Misstdtdmcnt (AlCPA, ProJcssitlnal Srrindclds, r'ol. 1),
for a discussion of thcsc components. (Rcf: par. 14

(aXvii))

Materiality

(Ref: par.

l7)

A25. In an engagement to rellort on controls at a

sewice organization, the concept of materiality
infomlation bcing reponed on, not the
financial statcmcnLs of user entities. The scwice
auditor plans and performs procedures to dctermine
whether managcment's descr\rtion of Lhe scn'ice
organization's system is fairly presentcd, in all rnate-

achieve the control objectives stated in tl.rc

description, ancl in the case of a type 2 report,
wlrrtheI controls x( thc sefviie orgrttizltion opet-

to

92

Journal ofAccountancy Augusr2010

tor (R
432.(
the ser
MCNL

tem is

.Do

stated ln the description. Lrkewise, deficiencics in

these controls may havc an effect on the service

col

qualiLative factors; Ior example, whether

au(

aspects of the processing of significant transac-

auditor's assessment oIrvhether tl.re conlrols, taken

as a rvholc, were suitably dcsigned ol operatillS
effectively to achicvc the specified control objecrives.
See AU section 314 for a discussion of these com-

tiolls.

poncnts of intcrnai control.

brc

management's descr\ttion of the service organization's system omits or distorts relevant infbr-

A,30. Tl-re service auditor's proceclurcs to obtain Lhe

understanding referred to in paragraph A2B may

nal

mation.

includc the foilowing:

Thr

management's description of the servicc organrzalion

.
.

systctn inclutlus the -ignificrnt

rhe controis have the abiiity, as designed, to pro-

nde reasonable assurance that thc connol objectives statcd in tnanagement's description of the

service organization's system would be

Materiality with respect [o the operating effectivcness of conLrols includes the constderation ol
both quantitativc and qualitattve factors; fbr example, the tolerable rate and observed rate o[ deviation (a quantitative ruatteD and the naLure and cause
oI any observed deviations (a quahtative matter).
A27. The concept ofmateriality is not applied rvhen
disclosing, in the description of the tests o{ controls,
the results of those tests when deviations have been

identificcl. This is bccause, in the particular circumstances of a spccific usel entiLy ot- user auditor', a
deviation may have signilicance bcyond whether or
not, in thc opinion of the sewice auditor, it prevents
a control from operating effectit'el)r For example,

thc control to which the devration relates may be

l)rrticuhrly signi[i.ant in prcvcnting a ucrtain type
of error that may be rnaterial in the particular crrcumstances of a user entity's financial statements.

Obtaining an Understanding of the Sewice

Organization's System (Ref: par. 18)
A28. Obtaining an understanding of the servicc
organization's system, including related controls,
assists the service auditor in the following:
. ldentiffing the boundaries of the system and

horv it interfaces wrth other systerns

Assessing whe ther managemenCs description of
the servi.ce organization's systetn fairly prcsenLs
the sen4ce organization's systcm tllat has been

relate s to the

rial respects, whether conLrols at the service organization are suitably designed in all n-taterial respects

ance,

organization's system ancl with respect to thc design

oI controls primarily includes the consideration of

achieved.
t'tut.r.tber

trol ob
ot ltse

ma

reports.

A23. Paragraph 14(a) identifies a

CTIOIS

of contr ol ol.rjectivcs, thcy may nevertheless 1le necessary to achieve the specificd control objectives

minimum critcria for each of the opinions in type

2 and type

A29. Management's descnption of thc servlce organization's system inclucles "aspects ol Lhe service
organization's control environtnent, risk assessment
process, information and communication systems
(inclucling relcvant business proccsses), control
acti\lties and monitoring activities that are relevant
to the scrvices provided." Although aspects oI the
sen'ice organization's control environment, risk
rs>us5mcrll proccss. rncl moniiot ing rt tir ili(5 ma)'
not be prescnted in the description in thc context

designed and rmplemented

Detennining which controis are necessary to

achieve the control objectives stated in management's description oI the sennce organization's
system, whe ther controls were suitably designed

to achieve those control objectives, and, in the

case of a type 2 report, whether controls were
operating effectively rhroughout the period to
aehicvc thosc controi objcctivcs

.
.

inc

the

tie:

Ist

tha
inft

lnquirir.rg of n.ranagement and others within rhe

oft

service organization lvho, in the scn'ice auditor's juclgment, nay have re levant information

sen

ber

Observing operations and inspecting documents, reports, and pdnted and electronjc

AI

records of transacliot'l processin g

lnspccting a selection of agrecmenLs between
thc service organization ancl user entities to

trol

Ist

doe

afler

identify their common terrrls

toIs

Reperformtng the apPlication of a control

One or more of the preceding procedures may
be accomplished through the perfomance of a
walkthrough.

any

rega

tor i

Doe
char

Obtaining Evidence Regarding Management's

Description of the Service Organization's
Systern (Ref: par. 19-20)

the

Hav

'

Arer

A3l. In a sen.ice auclitor's cxamination engagemenL,

the service auditor plans ancl perfonns the engagement to obtain rcasonablc assurance of detectlng

ing

actu

adec

errors or omissions in managemcnt's description of

the seNicc organization's system and instances in

woI(

which controi objectives were not

trol

achieved.

achit

Absolute assurancc is not attainable becausc of Iactors such as the need fbrjudgment, the use ofsampling, and the inherent limitations of conttols at the

alonr

service organization that affect whether the

achie

descnption is fairly presented and the controls arc

sultably dcsigned and opcrating ellcctively to
achievc the control objectives, and because much
of the evidence available to the service auditor is
persuasive rather than conclusive in nature. Also,

beca

auth

proceclurcs that are effective for detecting uninten-

coml

tional crrors or omissions in the description, and

instances in which control objectives wele not
achievcd, may be inelfecrrvc fbr detecting intentron-

alonl
cann

al crrors or omissions in rhe descrtptton

alone

and

instances in which thc control objectives were not

achieved that are concealed through collusion
between service organization personnel and a third
party or among management or employees ol the

trols

objer

conf
This
c0nti

descr

lfthe
descr

sen ir
r.ice

seruice organization. Thcreforc, the subscquent dis-

used.

covery of the existence o[ materia] omissions or

that

www.iou rnalofaccountancy.com

wwwJo

g6

df,uEtunorlvJo luurnof 0IOZ tsn8nv

'gtry
lortuo: u 'rorrpnu rasn eJo rurod.alar.l aqt ruo:g
(LZ-ZZ'red :jad) slolluol Jo ssaua^rlraJjE
Surluradg aqr Surpre8ag aluaprAA Sururetq6

loluoJ

aqt ot patlar

sloluor teql

,{1a>111

"ras

a:e slo.ttuor asoqt

qlqa

ot suon

-sls s.uortezruB8ro 3lll3s aqt Jo arnteu ar{t Jo

Surpur ts.rapun s.rolrpne JJr,\r Js Jqt slue[r] Jlels

-,n'rog Sursn raprsuoJ ,{eur.totrpne aJl,\.ras v '8v

'pJ^JrqJE :rr ur:ls,{s s.uoilezrur8ro ::rruas

Suraq saLuas aqt pue 's1o:tuo: SurpnlJur 'urJt

-llllr;

'rolpnu r3sn u go turod,trar,t aqt ruor{ '/V

((B)IZ red :JaU) saNroafqo lo]tuor

dELu

Joilpnc arr^Jas aqt tuqt sarnpal

sr

rlJqt ot tuelalar arr

rrlnIlred

tl

3qt s3ss3lppE

srotrpnr lasn

lo

s3rl

aqt ruorl atald

lo]tuol laqtaqrr auruuatap

pue stuaruatBts

lErluBuu

[uoe'^3r

lo

-ezruu8lo aJrNasqns aqt lq paru-rograd are teqt

suoncunl aqt {11tuapr uoldrr:sap aqt saop'p3sn
sr poqtaru tno-aNBJ aqt Jl auoltPzlue8:o arr.t

11m d1

.sallt:lua lasn lEnp1 tpul ul palpoqul3 suotu3ssB

aqt ot atular l1p:r3nads uouuaueB:o aJrlras E tE

aI

,s3rtrtua lasn ur p3rpoqura Lluoururol suorl

-lassu uo uorlEZrueBro a:ltras aqt lE sloliuoJ Jo
tl3l3 aqt ssasse ot {ro,ra1uejj P rltr.\\ srolpnB
:asn 3o a8uer puorq r apr,rord ue: sal. tcafqo
loltuoJ Jo tas ataldruor e q8noqly iataldruor
uonezrueS:o alhlas aql lq paqrcads puE uoll
-d!r:sap aql ur palets sa,ntralqo 1or]uoJ aql aJV
'are1a: or

-rasse Jo sad,{t aqt ,(1ltuap1 ot pasn sr papr.tord

lErJuEuu .s3r1r1ua rasn lBnphrpur

aqr 3o uoudr::sap ar{t ur patets (s)aru1ra[q6 1o1gu61

jo
B

aql '9V

ar{t Jo aJuuuo1:ada: se 11am

ur

p3r

-ezrue8ro all\las e le sloluol .lAoq auruJal3p

ol 31qE aq lou lllr\\
]oltpnE 3ll
^luBulp,lo
aqt ot ssa)Je paal
-,rr3s 3qt q8noqtlv i(tuats,{s
-oqtneun tlaiap lo lua,ta:d teqt sloJtuoJ ssaJ)E
dq patra11e a:c teqt lccrnccp pup aJualslxa
tnoqe suol:uassu 'a1du-ruxa ro;) atelar oq pal:adxa
aq dlqeuosea,r plnotr uouezruu8ro alruas
aql lE sloJluoJ qllq,\\ ol sluatllslels ll?tJuPutl
,s3rlrtu3 r3sn 3o a8uer peoJq eqt ur parpoqua
lluoutuo: suoruasse .1o saddt aqt ot atelaJ
uonezrur8:o arulas aql lq partrcads puE uorl
-dr:rsap aqt ur patets sa,ut:alqo lo]tuol 3rlt oO
isJ3

-qto ro ,(poq luuorssalord e 'dno:8 rasn u 'saur

-:oqtne fuotuln8a: se qrns 'sartred aprstno lq lo
uortezrue8ro o:r,uas aqt dq pargrcads uaaq uou
-dursap aqt ur patets santcaleo 1or]uol aqt a^eH
:uorlEnlBA? srql ur,rollpnB 3lL.r3s

aql tsrsse luur suorgsanb 8ur.,ro11o.1 aqt Suuaprsuo3

'saJuelsurntrJrJ aql ur alquuoseal a:e ruals{s s,uon
-uzrueS:o aJr^ras ar{t Jo uortdr:rsap s,tuaura8cuuru

aqt tB slortuor d3ltuapr llateredas uortdursap

aql saop 'p3sr1 uaaq sEq poqtau 3^rsnpur 3qt JI
((r)6I rBd .JaU) auolB
uouezruu8ro aJrl.r3s 3qt

lq

pa.narqre aq touueJ
aqt qrr,$ 3uo1e

llrads

l:sn

luol

laqt

asnzJaq

Surssaco:d Surp:e8a.r

-uol raqto:o dtunras asnuordurol ot rapeal

ur patr:ts samtcalqo IoJ]uor aqt Jaqtaq,4\ atcnlE^a ol

pur.{l1od s,uouuzrue8ro

acr.uas aqt Sumar,tag

suotsst

aqt Jo sel
E pu

uorsnll0J

lou

al3,tA

puE

uou

tou

teql sarura[Qo 1o:]uo:r

sa"rrnba.t tuarua,rarqJu

1r

i3,lE,r\B sr -rol

qlq,tlo

rolpne aJruas aqt salnbar (8)6T qdr8ured tV

u:ts(s s.rrortuauc8ro a:luas aqt
q8no:qt suortresuel3o sq8norqtlle,r\3unuro3ra4

JO

-uollu3lur
puE 'uoll

sloltuoJ 3sor.lt sarlrtuapr,{laturedas uortdr:rsap

'slo.l
{luu.r
{rrtu:ru:1duro:
Jq

apnpur saop uouch:csap aqt uaqlA dtr:oqrne

&oteln8ar e lq par;rcads are santcalqo lo:tuor
aqt 'oldurexa lo; 'u3q,r 3sel aql aq deru srql
'sJlnua lasn lq patuau.raldul 3q ot sloltuol

relnlued

auolu uouezruuSlo 3Jri\l3s aqt lq pa,tarqrr

aq touueJ uoEducsap aqt ur petuts sa,ut:afqo
'13^3,{\oq 'saser auos ul auole

loltuol aqt

uorlezrue8ro 3l^las 3qt lq patuarualdul s1o:t

-uor3o uolu:ado a^ula1;a aqt q8norqt p3l3llllrl
Suraq 1o alqeclcr arc ,(aqt reqt os p3plo,r
are uoldursap aqt ur patcts sa.a.rtralqo 1ol
-uor 3qt 's3setr tsoul nl ip3qlllsap dlatenbapr
's1o:tuor trtnua rasn ,{rutuauialchuor ary
{ue

ipatuauralchur uaacl llpntre

uoudr:rsap aqt ur pJr1luapr sloluoJ 3qt 3^eH
a..urt Jo por.rlcl n srl.ro.r uondu:saP :tll
uaq,u uortdursap aqt lq pararoc por:ad aqt 8ur
-rnp ruatsls s,uouuzrue8ro a:ulas aql ot sa8ueq)
apnl:ur uortduls3p 3q1 saoO

ara,r

-ualurun

'oslY 3ln
sr lollpnE

rlJnur asn

ol,tl3^tl
3,r8

SIoIU(

aqt
3q1

raqtz

lc sloll

-ruPsJ0 Js
-JEJ JO asn

'pa^3lr]JE

ul

ssJuElsl

1o uortdur

Surt:atap.l
-a8eBua a

'tu:ua8uSr
quo
qluauaE

Jo slrElap tue^313r

-rpnp aJL\las aqt

sarlernJJEUr .ro suorssnuo 1ue:11ru3rs lur

urHuol uonducsap aqt saop 'aldrurxa:o3 lsrot
-rpnu rasn.;o a8uel puolq EJo suolsrlap aqt tlaJJB
tq8lur ttrp uouEuuoJur uotslp,ro tluto tou saop
teqt Jauucru c ur pa:eda:d uortdu:sap aqt s1
'uoriczrueB:o alr^ras Jqt tE slo,ll
alqrua lllurtuatod plno,tr t! tqt poletap os aq
tou paau pue sallltua Jasn ot papu.ord sa:l,u:s
aqt ro Surssa:ord s,uouczrucS:o all^ras ar{t Jo
t:adse {ra,ra ssJlppu tou paau uortdurs.rp aq1

S3AIl

puB splo:ar 1o uottoadsut

se

-lquroJ ur asn

'ot lelrurs aq duur patuaualdrur uaaq suq uonezr

.spaau

ltlllqlsuodsar aqt

lrnpl lpur.lo turod,nall

a:e sa,utrafqo

'aroJalaqt 'touuEJ

uoc'^cuelunocceloleui nol'/vvvvv\

prqt

-lasqns 3r-lt tE slolluoJ pue uoueaueS:o acrn:as

aqt 'stualuatBts lBDuEuu

sloluoJ ,roq auru:rratap ot alqlr aq tou

-lBurpro JolrpnB

':nrt::lqo loltuoJ Jrlr J^JrqJe or pau8rsrp llqr:

-trns arc a.tlrafqo

apnlJuoJ ot JotlpnB alr-,rr3s 3ql,ro11e deur sarlr.r.rlru

rJqro Jo Jrualsrxa lqt 'arrt;rfqo 1o"luo: reln:rl:rd

a lll33l3ul Sutaq se satlllltle ut?traJ
e Sur.tarqcu ut

s3tEnlul3 ,rotrpne arr^l3s ar{l Jl .{ltuanbasuo3 sant

-:a[qo 1o:tuor snouelJo tualualarq]B arlt tE patr3lp
sloltuo] '6v
saur^ulB Jo laqrunu E Jo tsrsuof
^Eur
'slolluol aqi;o u8rsap :qr Surpuers:apun
arur
ot salqet uoISIlep Jo 'saJruuuortsanb 's]:uqr

-poqrua suouJasse aqt ot atela: dlelyoads uorl

aqt lBqt JluErnsse ?lqeuose3r apltord ,{yrot:e1sr

-tgs qtlr\\ p:qduror uaq,,\\'plno^\ lr 'sloluoJ Jaqto
qtr^{ uolcurquor ur "ro lllunpmpur 3r pau,3rsap

llqetrns sr loJtuoJ B lo]tpne aJuas r 3o turod,ra.alt

aqt irlo{ 'aroJalaqJ saltrlu3 r3sn asoql ot lEuatEur sr
druarcr;ap IoltuoJ p uor; Surtlnsar tu3ru3tetssrur c
lou Jo laqlaq/t IJaJJE plno/1 lEql sallllua lasn lenpl^
-rpur lE saJuglsrunl.lll aql Jo arP,{\E lou st '-r3^3,\\or{
'lotrpr"rs 3Jr^ras v patJarJoJ pue palJalap Jo 'pa
-luala:d aru sluauralBlsstu luolBtu lEql 3fuulnsse
alqeuoseal apr.lord (pot:elsuus qtr,lr paqdruo:
u3q,,!\'plno^\ tl 'sloltuotr laqto qtra uoltEurqrxoJ
ur ro lllenpulpul JI ruats{s s,uonezrueS:o aouras
uoudr.rrsap s,tuarua8eueru ur palels salu

aqt

-ra[Qo 1o:tuor aqt a,tatqre ol pau8ts:p dlqetrns sr lort

-uof

aqt Jo ru3ur3^?rqJE 3qt ualEarqt tErll stJE lEuouual

-urun pue lcuonuatur ssectuolua (B)IZ qdplSEled
ur parJnuapl sa^nlaLqo IoltuoJ puB $lsu

117 red:;a6) slorluoJ

;o u8rsaq aqr Surpre8an af,uapl^A Sururetq6

(02 puu (q)6I :ed :1a11; 'parldde a.re slorr

-uor pue ualsds:qt qSnolql pass:rord aru suou:e
-suull qJlqA\ ur rauuuu

'uoutuaunlop raqto

-Euuu pue suerp,nog 'aldrucxa:o.1 iruats{s aqt

uonetuaunJop Jaqto puu slsnuru arnparo:d

'uorlell3sqo 3pnl:ur leuuosr:d uorluzruu8ro :rhras

laqto pue tuatua8uueru 3o hrnbur r{tt,tl uousu
-ord "raqtg uratsls teqt 3o SulpuBtslrpun ue ull?tqo
ot sarnpacord 'qtr,tl uorlcunluoc ur paurograd puu
-uu8:o armas aqt lq paqursap rualsls aq1:aqtaq.a,r
auluuat3p ot s3lnpa:o:d s.rotrpne alt,l.l3s aql 'SV
((c)6I rud
:JaU) ssaualqeuoseal pur ssauataldruor larp
rq alqrsuodsa: sr dged aprslno aql 'uortu1n3:r
ro ,nz1 lq p:r3reads sa,ut:alqo loluo: 8ur
-pn1:ur ftrrd 3prstno uE lq par;r:ads als salrt
-:ak1o loluor aqt Jl
tuqt sa,lural4o lortuoc

uoudr:rsap s,uoueaueS:o arrlras aqt laqtar{a

lo sallrlua -rasn lBnpL\lpul
ssasse ol sJollpne Jasn

Jo

-nuJ lJSn

-uor

itI

uonJas nv qtr.^\ aruEprorrE ul loltuotr lEu

SurpuetsJapun ue uretqo ot uorlurxlo3ur

-:alur

1o

tu3rJq1rls

qtl^ srolpne

Jo JJUll

,{uur sa:np:

i0Iuo

ot saulu3
uaa.rtaq s]

lruollJ?la

-nrop

3uu

uorlEtxloJu
-rpnf, 3Jrru:
3q1

urqlrrr

Ieu

g7y

3qt ulutqo

rasn .1o a8uu: pco:q

u apl,rold o1 p:lradxa aq llqeuoseal plnor tuql

lauuosrad uorlrzrur8lo
a:l,uas dq paru:oFad sarnparord 3uu:esq6
llstap Jo 13^31 B tB paredard uoqdu:sap aqt s1
suorteBrtqo lentrert
aslualuatEts lBDuuu .sarl
-uo:s.uorluzrue8roa:luasaql;oBurpuetsrJpun -ituJ.lasnJo strpnr ll3rll Suruur:1d ur sfollpnc
ue urr8 ot saunua lasn qtr.^\ stJuluoJ SurpEaU r
rJSn .1o a8uer prolq n Jo sp33u uoruurol 3ql
sanua8r ot tuB^alar aq ot patraclxa ac1,{lqeuosea: plnor
tuaruura,r.o8 dq pateln8ar alu s3ltuua l3sn 3llt
leqt tuaura8e8ua aqt 3o adoos aqt ul papnlJur
lJqt3q,. pue's3urluarasngos:dllluuuruopard puc papr,tord afLuJS arlt .1o st:adsc :ofeur
aqt'aldruexa:o;luraqttra;eot,{lal1laleuonea aqt ssarppr? uortdu:sap s.tuaura8eurur saoq
-ue8:o arn:as aqt dq paprlo:d sarl^ras aqt,\\oq
:stradsar lellatu llp ur 'patuasard lpre3 sr rxJl
pue sanuuJ rasn aqt Jo alntru rqt Suurprsuo3 .
-sls s,uorteaur8ro arruas aqtjo uoldr::sap s,tuaur
:3urmo11o1 -a8uuuur:aqtsq.tr Sururulatap ur rollpne aJL ras aql
aqt apnlcur leur ruatsds s,uortraueS:o alLuas aqlJo tsrsse,{cur suolsanb 3urmo11o.1 aqt Suuaprsuo3 '7gy
uortducsap s.tuaura8rueu .Jo uorleruas:rd Iu3 :qt
(12 l?d :Jau) rot
atcnlzla ot sarnparo:d s,lotrpne alr^Jas ar{f 'V -lpnr? al^ras aqr jo trud aqt uo tu:u8pnf ro 'arue
'uoneaucS:oalu:asqnsaqttrslouuol.roFurssJJ -urrolrcd '8uruue1d atenbapeur aJuaprla 'J[3sl
Jo
pu, ur'tou saop pa^arqJ tou ara,r sanrtralqo 1ol
-uoJ qfrq,r ul s3Juetsul,ro uortdulsap aqt ur s:o::a

-o:d pa|utap aqt aqursap tou p3au uotldursap

3qt 'p3sn sr porll3lu tno-?^lpJ 3qt u3qAA iuorl

-ulot

asaql
'sa,utlalqo

Surturado :

uaIEl'SIollr
Jll^,l3s 3ql
ur s3DuarJU
sa,rrt:afqo

-Jau 3q ssJl:

txatuoJ aql

LEu saul\u:

)isu 'tusuru
aqt 1o st:ads

lullr\3lal 3,i9;
uOU

sUals,{s

(sa

lo]]uoJ

lu3LussassE

aJr^l3s aql

alluas

-e8ro

sf sv313u lvtJtJlo

OFFICIAI RELEASES
ifindividually or in con.rbination with other controls, it pror,rdes reasonable assurance that material misstatemens whether due to fraud
is operating eflectively

or error are prevented, or detected and corrected. A

service auditor, however, is noL aware of the circnmstances at individual user entities that

would

affect

whether or not a misstatement resulting from a con-

trol deviation is material to those user

entities.
Therefore, from the viewpoint ofa service auditor, a
control is operating elfectively if individually or in
combination wlth other controls, it provides reason-

selice auditor to express that opinion [or the cur-

Usingthc WorhoJ thc Internal Audit Funclion (Ref: par

rent period. Knowledge ol deviations observed in

prior engagements may, however, lead the service
auditor to increase the extent of testing during the
current period. (Ref: par. 22)
A44. Determintng the effect of changes in the
service organization's controls that were unplemented during tl-re period covered by the service

requir

3t-32)

4J4.1

auditor's report involves gathering information

,i)

in

A45. Certain controls may not leave evidence of

a position to determine whether any obsewed control deviation would result in a matedal misstatement
from the viewpoint ofan individual user entity (Ref:

A4l.

Obtaining an understanding of controls sufficient to opine on the suitability of their design is

not sufficient evidence regarding rheir operating

trols at various times throughout the reporting

period. (Ref. par.22)

effectiveness unless some automation prondes for

the consistent operation ofthe controls as they were
designed and implemented. For example, obtain-

Using the Work of an lnternal Audit Function

ing information about the implen.rentation of

Functiotl (Ref: par. 2B)

Obtaining an Untlerstandhg oJ Lhe Internal AudiL

manual control at a point in time does nor provide

evidence about operation of the control at other
times. However, because oI the inherent consistency of lT processing, performing procedures to derera

446. An internal audit funcrion may be responsible for providing analyses, evaluations, assurances, recommendations, and other information

to management and those charged with governance. An internal audit function at a seNice

mine the design of an auton-rated control and

whether it has been implemented may serve

of that control's operaring

as

evi-

effectiveness,

depending on the service audltor's assessment and

organization may perform activities relared to the

service organization's internal control or activities

testing of controls such as those over program

related to the services and systems, inciuding controls that the service organization provides to user

changes. (Ref: par. 22)

entities.

442. Atype2 report that covers a penod that

is less

than six months is unlikely to be useful to user entities and their auditors. 1f management's description

447. The scope and objectives of an intemal audit

function vary widely and depend on the size and

of the service organization's system covers a peri-

structure ofthe service organization and the requirements of management and those charged with gov-

od that is Iess than six months, the descriprion n.ray

describe the reasons for the shorter period and the

ernance. lnternal audit function activities may

include one or more of the following:

sewice auditor's reporr may include that information as well. Circumstances that may result in a
report covering a period of less rhan six months
include the following:
. The service auditor was engaged close to the
date by which the report on controls is to be
issued, and controls cannot be tested for operating effecriveness [or a six month period.
. The service organization or a particular system
or application has been in operation for less than
six months.
. Signilicant changes have been made to the controls, and it is not practicable either to wait six
months before issuing a repori or to issue a

Monitoring the service organizations internal

conlrol or thc appliearion processing systcms.

This may include controls relevant to the services provided to user entiries. The intemal audit
function may be assigned specific responsibil-

ity for reviewing conrrols, monitonng their

operation, and recommending improvements

controls in prior periods does not provide evidence

of the operating effectiveness ofcontrols during the

current period. The sewice auditor expresses an

opinion on the effectiveness of controls throughout
each penod; therefore, sufficient appropriate evi-

Examination of financial and operating informa,

and reports financial and operating information,

to make inquiries about specific rnatters, and to

description of the service organization's system and

the suitability of the design and operaring effecriveness of controls rests solely with the service auditor and cannot be shared with the tnternal audit
lunction. Therefore, the judgments about the significance of deviations in the design or operating
elfectiveness ofcontrols, the sufficiency oftests performed, the evaluation of identified deficiencies, and
other matters allecting the service auditor's report
are those of the semce auditor. In making judgments about the exrent of the effect of the work of
the internal audit function on the seruice auditor's
procedures, the service auditor may determine,
based on risk assoctated with the controls and the
significance of the judgments relating ro them, rhat
the service auditor will perlorm the work relaring
t o some or all of the controls rather than using the
work performed by the inLernal audit funcrion.
A50. In the case of a type 2 report, when the work
of the internal audit function has been used in performing tests of controls, the seruice auditor's
description of that work and of the sen'ice auditor's
procedures with respect to thar work n.ray be presented in a number oI ways, for example, (Ref: par.
34 and 52(o)(i))

. by

including introducrory matenal

to

the

resentt

Other
A56.

'

Inll
tior

auc

Infi

lo

con
infc
org,

52('

A57. tf
contain
ice orga

report

cannot

auditor
remove(

Documt
A58.

Par

Standari
(AICPA,
requires
dures thz

\ls10n re

The reqr
rvork

per

accordan
acldressir

a need [o
evidence

means do
(Ref: par

attributron ofindividual tesrs to internal audit.

Preparinl

Written Representations (Ref: par. 36-39)

A5l. Written representations reaffirming

the service organization's assertion about the effective oper-

rer.iewed

Content q

5Z-53)

459. Exar

perform other procedures including detailed

testing of transactions, balances, and proce-

ation of controls may be based on ongoing

monitoring acti\rities, separate evaluations, or a
combination of the rwo. (Ref: par. AI2)

by manag

dures.

452. In certain circumstances,

460.

Evaluation o[the economy, efficiency, and effectiveness of operating activlties includir-rg non-

obtain written representations liom parties in add!

tion to nranagemcnt of thc servicc organizalion,

ice organi;

financial acliviries of rhc seMce organizalion.

Evaluation of compliance with laws, regulations,
and othcr external requirements and with man-

service auditor may

sented in

presented

53(o))

A6l.

throughout the current period is required for the

requircments.

description of the service organization's system

wwwjou rnalofaccou nta ncy.com

The

descriptio

agement policies, direcLives, and other internal

sented in

such as those charged with lovernance.

dence about the operaring elfecriveness ofcontrols

Journal ofAccountancy Auzust 2010

requin
consid

description oI tests of controls indicating that

certain work of the internal audit function was
used in performing tests of controls.

A53. The written represenrations required by para,

graph 36 are separate from and in addition to the
assertion included in or attachecl to management's

96

tion w

bul co
455.

be

assigned to review the means by which the service organization idenrifies, measures, classifies,

on the Service AudiLor\ Repor6 (Ref: par 33-34)

A49. The responsibility to report on management's
EJJect

thereto.

tion. The internal audir function may

report covering the systern both before and after

the changes. (Re[ par. 23)

A43. Evidence about the satisfacrory operarion oI

lowing:
. Examination of items ahcady exan.rined by the
internal auditors
. Examination of other similar items
. Observation of procedures performed by the
internal auditors

their operation that can be tesred at a later date and,

accordingly, the service auditor may find it appropriate to test the operatlng effectiveness ofsuch con-

par.22)

Iives
organt

and the evaluation ol the specific work of the internal auditors. Such procedures rnay include the fol-

entities'financial sratemenrs. (Ref: par. l4(b) and

system are achieved. Similarly, a serwice audiror is not

ten rel

servicc auditor's conclusions (for example, the significance o[ the risks thaL the controls rend to mitigate), the evaluation of thc internal auclir function,

about the nature and extent ofsuch changes, l-row

thcy alfecr processing rr lhc scrvice organizarion.
and how they might affect asserrions in rhe user

able assurance that the conrrol objecrives stared in

management's descnption of the service organization's

dence

A48. The narure, timing, and extent of the service

auditor's proccdures on specilic work of tl-re internal auditors will depend on the service auditor's
assessment of the significance o[ thar work to the

Use

oJ the 5

Paral

wvvwJou

Z6 druptunorrvJo lBurnof 0I0Z rsn8nv

al^l3s ZIX uoitduJsap aqt ur patsts sa,tu:alqo
lo]luoJ patEl3r 3q1 3^arqlc ol slolluo3 3ql Jo ssau
-a^ulajla 3urrurado pue u8rsap :qr 3o .{trlqettns
pue uortdursap aqt Jo uouEtuas3.rd aqt 1o ssaulr.y
aqt tnoqE uoruasse ur papt.o:d seq uotleziueSrg
'uorrclu:sap aqt Jo XX a8ed ug

3trr^ras

Zlx

notltqtsuo ds a.L 1u otloztunSlo

.:rtr

tnoq uouruuo3ur sapnlJur lrodar s,:ottpnr al

-il3s 3qt Jr slapeal stsrsse tt 'uodar Z ad{t e :oJ slorl

'uortdu:sap aqt ur
patets sa,lrcafqo loJluol palBl3l aql a^alqJe o1 slo-ll
-uolJo ssaua^nJalla Surre:odo pue u8rsap aqr.;o {rr

llE

ol

:of

3lqEJ

Jo

t"::,.^"1::

'/9V

suonrv

r,uoc'/[cuElunogceloleu/no['/v\

teqt sarnbar

A/v1

IOI uortrrs fVJo 61 qde,r8ere6 '19y

atu,.ng at1l lo asn

a:luas aqt Surqursap ul EgV

((ll)(o)ZE :ed :3ag;fra.iaq1 stinsrd ?qt

-uoJ Jo slsat s,Jotrpnr

lo

)\l

lJaJlpur qrns.;o 8ur

troda: lcoueurl r3^o loJtuoJ leruatur ot tuulalal ale

uouezruu8ro altllas aqt tE sloluol Jl pet:llts3l sr
uoda: s,:otrpne a3hras aqt JC) asn uroll,t\ ot dno:8
aql ul papnllul aq,{eru dlrtua lasn [I3]lsutop Jo
t:a.upur up,{puanbasuo3 uoueztueS:o aJl\lasqns
oqt.;o {rnua Jasn rueallsu,{\op lo lJaJlpul uB sE ol
palla]al st llllua rasn aql '3sBJ qrns u1 d1tlu: rasn

llqErlns 3q1 puB (uortdursapl Ia]Dpl or I2]rpl pouad

aqr tnoq8norqr ltuets[s aqt [q patutoJtad uorttm{ atp
lo uoonttjluapt,to] suouJesurlt ,s3ltuua :asn Surssa:
-ord roj urats,{s fo auotu.to ed,{71 str 1o uouduosap
s.uonuaueS:g 3JrAr3S Zx{ paurluex3 3^Eq al1

ZI{

Jo ssaua^ItJaJJE 3ur1u:ad6

1u3"

E lprlt

pue (d)7E red

:.Ja111

l,rodag

nltpny

r!o3'^3

urats(s

s,tuaruaBr

3qt

01

u0

-erud,{q

ruas

aQ1

Jo uoudursap s,luauraSeueru ut paluasa'ld

aq deur uoq:asse s,uortrzrueSlo

a)tllas

v tlqrqxs
-a:d are uolezrue8ro a:r,nas aqt
suonrasse a^ueJlsnlll puB

aqf

6gV

'uonrau
-rppe ur s

,,(ru:olrp

ur paluas

1o tuarua8eurur

dq

J-Y salpuadde ui paluas

P lo'su(
SuroBuo

(6

1u:t1tto2

-^las arlt

-a:d are stiodar,slolpnE alhlas lo s:ldruexE '6gy

(t9-29

':ed :;ag; yLoda1 l.uwpny :r:l'-Its e4t lo

trodan qrolrpny aJr^raS aql Suuudar4

-:ado al

'trpnE

lr?

suouezrueS:o

dtqua rasn u palaprsuol osle sr ltuua Jasn V'tgv

'drotrpne rasn Jlaqt pu
'uod:: s..rotrpne J)LrrJS aql lq p.luo; por.r:d
aqt Jo lle ro auros 8ur:np uratsds s.uooeztueSro
JJLTJs Jqt Jo salItue llsn 'uoilcztur3lo .:r:t
-das aqt uerlt roqto sau.ied ot uottnqutslp JoJ pa
-pu3tur tou sr t:odar 7 adlt s,rotrpne aJL{lJS V
'sJollpnB l3sn llsqt
purrrodar s.lolrpne:Jhras Jqt,{q pa::nor po
-r.r:d lqt 1o puJ Jq I Jo se uals.(s s uotlrztue8lo
Jll^rJs JL{l Jo sJltnua :lsn uonrztue8lo c:L
-^r3s 3llt uellt raqto sau.rd ot uortnq1:rslp ro3 pa
-pu3tur tou sr uodar 1 addt s,rotrpne aJl\ras V
:3ur,no11o1 aqt 3o uotteziueSro aotllas aqt tuloJur
deur rolrpne alt,\-ras B 'uoda: s,"rolrpnu aJrl-ras B Jo
uounqutsrp s.uouezrueS:o arl,uas e Suqlortuoc :o3
alqrsuodsar tou sr rotrpnE a:r,uas e q8noqtly 'g9y
'pootslapun ro u,r\ou>l a:e paru,ro;rad sarnpaco:d
3q1

uouuzruB8ro 3rrr\las aql Jo aluEu,r3

:soqt qtrm Sutte:tunuuto3

pa8,rer1:

alrpe

{rru:orpnE aJi^l3s

salrlllqlsuodsag uolteclunururoJ raqlo

((o)es

((a)tE puB (a)79 .led :3a1) uorldu:sap

{o uollduJsz1

puD s1o-Uuo3 {o slszl-ttollpn.fl nltv)S

aqt ot paqr?ile aq deut ro uaisds s,uortuzrueSlo aJr

dtuua :asn ruear]stl/'rop

aqt Jo Suruodal lBrJuEuU JaAo lor]uoJ leuJatul ol

lurlal3-r aJE suonezrue8ro alL\lasqns rE slolluor J!
al,u:sqns s,uotteauu8ro alr.tlas ar{t Jo

;tdotg

uottezrue8rg aJr^las

sloluol

pue u8rsaq arll Jo dtllrqprrns 3ql puu

uralsd5 quorluzruu8r6 arura5 e;o uorldursaq
qrotrpnv au,r:a5 tuapuadapul
u uo yodaS

trodan qrotrpny aJr res Z ad,(1:1 alduruxE

'suollBnlrs

-qclcle:o a.trtsnuqxa aq ot papuatur tou are pue tr1uo

acurprn8 :o1 a:r st.toda.r alrteltsnll 8ur,tro1o3 aq1

siuodou

s/oilpnv of,!ruos o^llerlsnlll :v xrpuaddv

'89V
ruaura8r8ua aqt ruor3 Sur,trerpqtrll
os op ot pa.rrnbrr uaq,u':oteln8a: r
'aldruuxa :crj 'sarped p,rrtp

tpltr Sunelunuruo3
qdu8

-encl srsutldua ue Surppu:o 'uoturdo s.rottpne

aJL\l3s 3lit 3ur(lrpour 'uotutdo ue Sutuuulcstq

-lo8 qtqtr

uollfB Jo sasrnoJ tualaj]lp

saruanbasuoo aqr lnoqe

",:
apnlJui (os op ot 8uq1,,nun st uoueztue8ro altllas
JLit puE's3nuua Jasn p3lr3ljE ol uolleuuoJul silll
pstEf,runruuor llatflrclo.rdde tou seq uorleztueSro
aJhrSs 3qt qflq,^\ ur saluelsut ol uollElaplsuo:)
leuourppr Suur8 :argr) riortrzrueSro aJLu3s arll tE
'pne{ 'suoueln8ar puu s,t\r?l
a:uerlduro:uou Jo are,\\E s3urolaq aqs ro ar{
sroJJa patf,anolun Jo

qtlr

uaq.n :1et

1gg rrd
:Jad)

'g rrpu..cldr ur p:tu:s:ld .:rlr suod:r c.Jolrnne

arl^-l3s pl1rporx Jo stuatu3l3.;o salduruxg '9gy
(1E-EE rucl :3a;) suorurr/g p2$Poy\
.sJol

-lEJ qJns paunuapl sEq lolrpnB 3ilA]as aql lualx3

Jqt ot 'suonBl^sp p3ullu3pl JoJ slollB] a^llEsnlls

qilq,{\ ol lualx3 stll puB 'prsn aq o1 pspu3lul

sE,r\ I r{Jrq,|^ ur txstuol 3qt Jo lno ua{Bl uaq,\\

pootslapunsrur aq ot uocla: aqt ro3 leuuatod aqt
Surpnpur 's3ruutsrunurJ Jo .laqurnu p uro{ tlnsal
lrru trodar B Jo asn aqt uo uoufutsar roJ paau aql
tuqt sateJrpur IOI uoltl3s IVJo 6l qdr:8eru.1 '7gy
i trodar s.rottpne art
-A-r3s e Jo 3sn aLIt Suuruts3r qclr.r8e:ed e :o3 a8rnB
-uel attJtsnll V xtpuadde ut st"ioda: s,lolpne ?JI^ras
a^rlEltsnlll 3q.L) srorpnB rasn rlaqt puE'(t"rocla-r 1
adlt e roj ,.t:ocla: aqt lq para,to: pouad aqt Jo atep
Surpua aqt Jo se,, pue 'lrodar 7 adlr e :o3 ,.troda,r
:qt .{q pa:anoc polrad aqr Jo llr ro aluos 3uunp,,)
uonezrue8ro 3lll,ras aqt Jo sarirlua l3sn 'uollezr

-ue8ro a:l,uas aqt 1o tuarua8eueru (q asn :o1

lluo p:

-puatur aJc slo,rtuol Jo stsat .1o uondu:sap 3qt pue

t:odar aqt teqt satuts uodar s,rotlpnu arr.uas aqt .{1
-Surpro::e'puc salluua lasn,{q Surt:oda: 1er:ueuq
Sutpuutsr:pun uu
ro1 pasn sr ruatsds ?qr
^\otl 1o
J^Eq or{a asoqt ot 's1o:tuor 8uipn1:ut'utats(s s,uotl
-czrue8ro 3l^ras aqt tnoqe uolttulo1ut Sutptlold
1o asodrnd aqt ro1 lluo tuelal3l 3rE uortezrue8ro
33rllas E lr? sloJluor uo rrodal or sluarua8e8uo,to1
pasn Bllatul 3LIJ- urraiuc aqt 1o Surpuetslapun atenb
-apu uB J^Erl ot parunsard 3q uEJ lo tuaruqsllqets3
rrarp ur patedort,ird laqtra oqn san:ed;o raqutnu
palnurl E ro; lluo arer:dordde ro satued parpads
ot lluo alqelele a:e:a]]ru tralqns aq] arnsearil lo
atznlEla ot p3sn eLr3tuf atp uaqm sattrud par;reads
E Jo asn aql

lyp rud

:3a5)

'pa.aal^aI SB,i^ ll uaq,t\ pull ')lo.'\\ qlns pa.ual^al

oq,tr'pa,r\3l- ar sp,nl >l:o,tl leqll SuuuaurnJop sueaui
'l3l3,troq 'tuarua:rnba.r 3qI .t\Jl^ar Jo aJuapha
apnlrur ot raded 8uryoru.:rycads qcea lol pa3u E

lldrur tou saop 'saurTrqlsuodsa.r nanar Surss:.rppe

sarnpacord puu sarrllod s,uur1 aqt qtLtr JJuuproJre
Jo tuatx3 atlt puu paruJo3rad 1,to,tt
ur

',tt.3t,l.ar aqt

SB,^A

UOI]:

reqr Sun

aqt ot
'red

:.;a6)

s,Jo'lrpne

s,Jottpne

'uoillt

-radns 'erunu:o3iad tuaura8e8ua ssalppe 1qt sarnp

-:ad ur p

aqt paaat,ral oll,1 tuaunlop o1 lu:utartnb:r aq1

aallar pu's:uqtqtsuoclsa.r uotsn
'saprlrqrsuodsa:

-a:o:d pue sar:riod qsgqetsa ot uny aqt soltnbar

'(OI

ras

fb 'Z lo^'sli\puDls
lo ur1sf5

1o.tluo3 [l11onS

1o:tuo3

iDuoissrprd'Vdltv)

'1

s,iu.irg V

dlqenf uo ruauarErs

oN sprepue]S

'ggy
uollPluaIunloc

Jo LE qde:8e"ru4

IJO^\ aql

aqt Sursn

Sulular
lDrll'uraq
aql pue
'3utuil3l2
s,rollpne

i1tr rud :1a5) Pashsr ro p3u\out3]

aq uonelulolur ar{t ter{t tsanbar .{eu rottpne
alr^las aqt 'p3tenuetsqns dlqeuosu:r aq touueJ
teql uonelxlo3ul palu3t,to-3lntn.1 sutu:tuol trod:r
s.lolrpnE al^Jas aL[] puu uats.{s s,uotleztue8ro o:t

{las

3qt 1o uortcltr:sap s,ruarua8eueur Sututetuor

tuaunlop E ur papnllur uouErurojur raqto ll '/EV

((lt0-(lD(r)s puE'(ur)-(rD(r)ZE
'gg Lrd :1:1; lrrrd r:qtoue,(q:o uottrzrur3lo
alrllas 3qt ,{c1 paprlo.id aq duut uonuru:o1ur
l3qto

$rlf

t:odar s,roirpnu aJ{^las aql sutPluol

:8ur.tro1o3 aqt aq

leur

1.p

Jo

lro,r.

-8pn[ 8ur

uodar

s,:

puE'saDL

-rad stsal

Surta:dc
lrpne lB
-lpne 3J
-a^l]JaJJz
puE luats,

terlt tuaunJop E ur papnpur t:oda: 7 ad{t ro 1

ad{t s,:otrpne 3lt-tras aqt aprstno uorteruJo1ul
ro 't:oda: Z adlt ro 1 ad{r s,:otrpnr
all^r3s 3qt Jo uolllas e ur pspnlJur puP uoll

s,tu:ura8t

(te- r

-ezrueS:o aJL^-l?s 3qt dq paprno:d uouEtrrlo1ul

aqr

lq

puu 6g sqdrr8

-prBd ur ot paJralal,,uorteurJo1ur Jaqto,,

aqf '9SV
raqto

uorlBruroJul

'suollEluasar

-dal ual]r.tr* :aqlo lsanbar ot fuessalau r iaprsuo:)

duur -rotrpne a3h,r3s 3Lp '96 qdc.l8elrd lq partnba:

p:

aqr {q

-loj aqt

-Jatur aql

'LrolllunJ

3Jhlas a

-:a[Qo lortuo: lue,taia: Sutp:e8ar suot]etuasarda't ual

-latur aql

suouBtuasa-rdar ualua aqt ot uottrppe uI 'EEV

'poqlaru lno-3.\]sJ aql asn plnol lnq
poqlalu a^lsnllur aql asn o:l alqBun aq plno^\ uon
-ezrue8ro 3lrlras aql Jo luaur:Seueur 'uotleztue8ro
3Jurasqns aqt ]E slolluo) palelal puE s3^ll
-tu,/\\ urptqo ot slqEun sl rolrpnB 3Jr^l3s aqt JI

(q^Xr)6 qdur8e:ud

ot patrutsar aq trodar s,:auortrtlerd

lq

-Iru

ot p

-8rs aqt'a
3q1 or

Il

s,rolrpnP

'tsv

pa:rnba-r

:rd

:.1a1t;

s:rsvfl!tu lvrf,lJlo

OFFICIAL RELEASES
Organization

is

responsible

dcscription and for

tl-Le

for preparing

the

assertion, including the corn-

pleteness, accuracy, and mcthod of presentation of

to achieve the related control objectives is subject

lo thc risl( lhxl controlsa{ asirvice orgrniz.rlroll mxy
become inadequate or fail.

the descriptron ancl the assertion, providing the

sen'ices covcred by the description, specifying the

Opinion

control objectives and statrng them in the description, identifying the risks that threaten the achievement ol the control objectivcs, selecting the criteria,
and designing, implementing, and documenring
controls to achicve the related control objectives
ctrtprl rn rh,, de<crint ion

ln our opinion, in all rnatenal respects, based on the

criteria ciescribed in XYZ Service Organization's
rqcprrinn nrr nror ia,rl

a.
b.

San ice atLditor s rrsporrsibilitrcs

Our responsibility is to express an opinion on the

fairness of the presentation of the description and
on the suitability of the clesign and operating effectiveness of the controls to achieve the related control ol.rjectives stated in the description, basecl on
our examination. We conducted our examination
in accordance with aftestation standards established
by the American lnstitute of Certified Public
Accountants. Those standards require that we plan
and perfonn our examination to obtain reasonable
assurance about whether, in all material respects,
the description is fairly presented ancl the controls
were suitably clesigned ancl operating eflectively to
achicve the related control objectives stated in the
clescription throughout the period ldatel to ldatcl.

the description fairlypresents the ftype or name

ofl system that was designed and irnplemented
throughotrt the period ldatel ro Idate).
the controls related to the control clbjectives stated in the description rvere suitably designed to
provicle reasonable assurance that the control
objectives would be achicved if the controls
operated effectively throughout the period [date]

ro

c.

[date]

the controls tested, rvhich rvere those necessary

to provide reasonable assurance that the control objectives stated in the description rvere
achieved, operated effectively throughout the
period idriteJ to [datc].
Description oJ tests oJ conLrols
The specific controls tested and the nature, tirning,
end rcsults o[ thosc tcsts ere listcd on p.rgcs [yy-211.
Re.stricled usc

This report, including the description of tests of con-

Semice Organizatiotr\ controls are suitably

designed and operating elJectiv ely, along with
related controls at the senice organization. We
have not evaluated the suitability oJ the design
or operating efJectiveness of such complementary user entity controls.
Following is a modification of the applicable subparagraphs of the opinion paragraph of a type 2
service auditor's report if the application of cornplementary user entity controls is necessary to achieve
the related control objectives stated in the description oI the ser\.ice organization's system (Nelv language is shown in boldface italics):
b. The controls related to the control objectives
stated in the clesciption were slritably designed
to provide reasonable assurance that those control objectives would be achieved if the controls
operated effectively throughout the period Idatel
to ldate) and user entities applied the complementdry user entity controls contemplated in
the design of XYZ Sewice Organization\ controls throughout the period [date] to [clate].
c. The controls tested, which together with the
complementary user entit), controls referred to
in the scope paragraph of this report, if opet
ating effectfuely, were those necessary to provide reasonable assurance that the control
objcctives strred in thc desenption wcrc
achieved, operated effectively throughout the

Scope

We hav

descripL

oJ the [tn

and the
achieve
J^-^-i-,

Scrvice o

i)rr

nns

lairness

suitabilil
Lhc relatr

tlon. XY
prepann

includin

oIpreser
providin

specifyir

in the de
en the ac

docuner
trol objer

So-vice ar

Our resp

An examination of a descnption of a service organization's system and the suilability of the design

trols and rcsults thcrcof on pagcs lyy-221. rs intcnded solely for thc information and use of XYZ Serwice

and operatir-rg effectiveness of the service organiza-

Organization, user entities

tion's controls to achieve the related control objec-

Organization's ltype or nrune

system during some

Following is a modification of the paragraph that

descriptir

tives stated in the description involves per{brming

prccedures to obtain evidence about the fairness oI

or all of the period [datc] to ldate], and the inde-

describes the responsibilities of management of the

ducted o

pendent auditors oI such user entities, who have a

sufficient understanding to consider it, along with
other information including infonnation about controls implemented by user entities themselves, when

service organization for use in a type 2 sen'ice auditor's report when the control objcctives have been

tation

the presentation ofthe description and the suitabil-

ity of the design and operating elfectiveness of those

controls to achieve the related control objectrves
statecl in the description. Our procedures included assessing the risks that the description is not fairly prescnted and that the controls were not suitably
designed or operating effectrvely to achieve the relar
ed control objectives stated

oJ)

ol XYZ

Service

Organization has provided an assertion about

the fairness of the presentation of the clescnption and suitability of the design and operating
cffectivcness of the controls to achieve the related control objectives stated in the description.
XYZ Servicc Organizalion is rcsporrsiblr [or
prepanng the description and for its assertion],
including the completeness, accuracl', and
nethod oI presentation of the description and
assertion, providing the services covered by the
description, selecting the criteria, and designing, in'rplernenting, and documenting controls
to achieve the related control objectrves stated
in the descnption . The control objectives hqve
been specijiedby [name oJ party spec{ying the
eontrol objectivesl and dre stdted onpage [aa]
of the description.

designed

controi objectives stated in the description were

the description and the suitability of the control

objectives stated therein, and the suitabrlity of the
criteria specified by the sewice organization and

Folkrwing is a modification of the scope parap;raph

in a type 2 seruice auditor's report if the description refers to the need for cornplementary user entity controls. (New language is shou.n in boldface
italics):

described at page laai. We believe that the evidence

we obtained is sufficient and appropriate to provide

We have e xamined XYZ Sen ice Organization's

description of its lrype or name ofl system for

nrocecsino r rscr enl it ieq' t r,tnsartions lor ic/Orti-

Because of their nature, controls at a seruice organ-

Jication oJ the Junctioll perJormed by the systeml

throughout the period Idatcj to Idate] (descrip-

ization may not prevent, or detect and correct, all

errors or omissions in processing or reporting transactions lor iderltfication of the function perJormed by
thesystem). Also, the projection to the future ofany
evaluation of the fairness of the presentation oI the
description, or conclusions about the suitability of
the desigr-L or operating effectiveness of the controls

tion) and the suitability of the design and operating elfectiveness of controls to achieve the
related control objectives stated in the descrlprion . The desciption indicates thot certqin control objectives specified in the description can
be achieved only iJ complementary user entity controls contemplated in the design of XYZ

98

Journal ofAccountanry August 2010

material

intended to be and should not be used by anyone

olher lhxn thcse spccificd parties.

lDate oJ thc scr.'ice auditor's reportl

lSenice auditor\ city and statel

Inherent lifi1itdtions

standard:
examinal

fairly

IScrvicc audilor]s signclurel

e rcasonrblc basis for our opinion.

specificd by an outside part;r (Ncw language is

shown in boldface italics):

st

lnstitute

On prgc XX of the dcscription. XYZ SeMce

procedures also included testing the operating effec-

of

sr

entities' financial statements. This report is not

tiveness of those controls that we consider nccessary to provide reasonable assurance that the related

also includes evaluating thc ovcrall presentation

fairness

on the

achieve t

assessing the nsks of material misstatements of user

in the descriprion. Our

achieved. An examir-r:rtion engagement of this type

period [date] to ldatel.

pre

stated in

An exami
nizations
of the sen

related co

invoh'es p
about the

tion of thr
o[

Lhe

con

lives slat(
included

not lairiy

suitably

objectives
engageme

overall prr

Example 2: Type

Service Auditor's Report

ability of

the suitab

Independent Service Auditor's Report on a

Description of a Service Organization's System
and the Suitability of the Design of Controls

lce organl

We did n,

oilerating
To: XYZ Service Organization

wwwjourna lofaccountancy.com

descriptrc

wvvw.lol

66

dJuptunorrvJo Ipuinof 6197 rsnSny

.t
stradsag Irratul4tr IIV ur
paluasard dFreg tog sr uralsd5 quorlezrueS:6
af,r^laS arlt Jo uorlducsaq aq1-trodag
ro3 uorurd6 pagllenf :1 aldurexl

7tdf,1u

nsn
wfllDJ jDUl salD)tpu uotj
'(nluatualdwn
-dutsap a4l uorrdu:s:p aqt ur patcts sa,tn:a[qo
3^alLIlB ot slolluoc 10 uSrsap

lolluoJ pallal aql

:qi

1o

(rrlrqrrrns Jql prrr '[3lEp]

Jo sD lurJts,(s
Ltollrlluuapl

aql dq paur.iol.iad uonJun1 aqt Jo

Jo] suonJESuElt

'y xrpuadclu
ur stroci.rr a,rne:tsnlll aqt uo p3sr?q arr

laql

suoue

-nls Ip 01 alqurqclde:o 3^ltsncqxa aq 01 prpu3tut

tou a,lu puc lluo arurprn8 roj arr st:oda: s,.rot
-rplre rl.^.lrs p3Urporu jo salclurcx3

3ur.tro11o1

aq1

silodeu s.rollpnv
of,!ruos peltlpol l a^llerFnlll :8 xlpueddv

'69V

laqt

lo sauuua rasn ot
tu.rts,{s

Io

)Luru

Sutssaro:cl

urats{s aqt

ro JLI{l] slr .;o rrondu:.,.p

ZI{

paururexa a^Br{ 3

sJqu)srp

jo

s:,ru:alqo 1o:l
sr s1o.rt1o...(t

)rll J^JrLilr ot (rrss:r:u

ur ssardx:

uoc'Acuelu noccEloleuJ nol'/wvvv\

'1.'rpfl

etatagl

a^cq oq,r\'s3rtt]u3 lJsn qtns

Jo sc ,{1e,ttt-::;1r pJlr.rrdo

slo'tluor aql Jl pa,rar!:e ?q plnoa sa.tttralqo

lolluol aql lelll

sJuernssE alqeuosea: apr,rord

loluor

puE '[]7Dpl lo

sE

'Ltotu3ssE

zx{

'slo.tt

t)Jlrl:n

llt;'t]J.l.lol pur

ur paqursap Euatul
11e

ur 'uoturclo :no u1

|w1l

2.1

t qu

srqt jo tuarua8e8ua
aqt ur palpts sa^nJalqo

or pau8rsap dlqcirns

ltlllqetlns aqt pue urarsls s,uonezru

E

Jo uollduJsap

Jo uolteulluexa uV

nr^-tls

slor
B

[Db] ?

'qt3u

?^DUs"

patBls

slollu0
-uoL5df
aqr dq

puc u

r'"
'[uou]:
roJ ai
'uorldl
{Elal

-durs:
tnoqE

alrAla

sr a8r
uaaq J
-rpne

3qt Jo t

rEqr q

arll tnc

alal\
lolluoJ
-ord ol
-ndo l

olpau
2q1

l1

[2\D

-uoJ E

wPaN
-ayhuo:

Ir/rPl p

sloIu0:
-uoJ

as

pau8rsa

sa,\nJa
-ur?l ,r3

-dursal
3^alqle

srtlipqrsuods:r.r

'uorldr-r:sap

sL | 0 11t )

-ro1

apnord ot atruclordde puu tuar:

sr p3urEtqo 3,r atuapr^s Jrlt tEqt 3^allaq a A

uo

puE uottducsap aqt .Jo uortetuosatd 11e:a,ro

a:mas

sarTrlrqrsriodsa-t s,-toirpnD

'uortdursap aqt ur pJlzts salu:alqo

lorl
-uol paluleJ aqt 3^3lrlrE ot sloluol Surtuaun:op
pue'Suquauraldrur'Suru8rsap pue'euatur aqt 3ur
-tcalas 'sa.r.ur:fqo loltlior arlt Jo tuaua^3rqlB aqt ua
-tEarLlt:tEr{t $lsr.r aq Surl3rtuapr 'uouduJsap 3llt ur
ru:qr Suttets puB sa^nJalclo lo]ruor aqt Furdlrads
'uoldr::sap atp dq pa:aror saJrl,ras 3qt Surpr-ro"rd
'uonJassc JLlt pLrE uoudursap aqt 1o uoitutuasard 1o
poqt3ru pur? i{re.m::r 'ssauatoldruor eqt SutpniJul
'uourassc sI ro.1 puz uoudursap aqt Suuud3rd
ro3 :iqrsuods:l sr uonezruu8l6 3Jl^l3S ZI{ uon
-clu:sap arp ur patuts sJ^ulalqo slo,nuoJ pJtE[3] 3ql
3,\3rLpE ot sloltuoo eqt 1o u8rsap atp 3o ,{tqrqetrns
puc uortclu:sap aqt Jo uoltnuasJrcl :rp 1o ssau:rc1
3qt tnoq uol,r3ssr uu paplro:cl suq uouezrur8rg

-aldruo:

uoi:/lr:iu1r3.ro rlln-lJS

arl^las ZX{ 'uorrdu:s:p rqt Jo XX a8ucl u6

slolluol 'atueu lraqt Jo 3snlllcg

'uorurclo .rno

-IIns

adlt

uv uondrrrsap

p3tEl3,r aqt a^arqre

tou ara,a sloluol 3rlt terlt pur patuasa:d ,{1.irr; tou

sr uorldursap 3qt t8llt slslr aqt SulssassE p3pnllul
salnpa:ord :n6 uoitclu:sap 3qt ul patuts sJ^ll
-r:fqo lortuo: patelal aqt a^arqoz o] slortuot aqt Jo
u8rsap aqt 1o lrrtrqurrns aqt puu ruatsls arp Jo uon
-du:sap aqt 1o uoletuasa:d :qtgo ssar.LlreJ aqt tnoqE
3ruapl^a urrlqo ot sarnparo:cl Suru:oyad sa,r.1o,lur
uouduJsap eqt ur patEts sa^uJalqo lo]]uor p3tElar
3qt a^3rLlJE ot sloJtuoJ s,uouezrue8ro alruas aqt 1o
u8rsap aqr Jo
-83.to

Surlura

'I?jDpl
Jo se uortdursap aqt ur pilEts
sa,rlrafqo loltuoJ patelal JLit a,\3rLlJE 01 pau8rsap
llqrtrns a.ra,,n slo,ulrol aqt pue patuasard lprel
sr uortdu:sap arlt Jaqtall^\ tnoqr 's]:aclsa: leuateru
ll8 ul'3JuElnssB alqeuoseal ulEtqo ol uorleulrucxa
:no uuol:acl puu uulcl c-ar teqt a:rnbar sprrpugts
asoqJ stuetunorrv suqnd paijltral Jo 3tntltslrl
uB3uaLuV aqt ,4q prllsllqtsa splepupts uoltBl
-s3l1E qll4\ aruprolJc ur uortEulurBxa lno palJnp
-uoJ a1yuourlurln?xa Jno uo pasuq 'uorldursap
aqt ur patets sa.nt:a[qo lo]tuor patelal aqt a^3rqJe

ot sloluor arp 1o u8rsap aqt 1o lrrtrqrtrns aqt uo

puB uolldlrlsap aqt Jo uortEtuasard aqt 1o ss:u.rie3
ue ssarclxa o1 sr ltrlrqrsuodsar rng

lqt uo uorurclo

ot p:u8rsrp {lqrlrns .tranl uonclrrr.:rp Jql ut n.l

-r?ls s3^ul3fqo loltuoJ arlt ot pJtBIJl sloltuol aqt .l

puuaurllcftrr puu p:u8rs.rp se,r tnp ruats(s 1,tr

adfil aqt stuasa:d ,{1.urj uorldu:sap aqt u

outott

s.uoltEzruB8lo alr^Jas

aql uo p3strq 'sttacisar lcuatuu

uo1u1(lO

'l!eJ .ro a^nr3j

-1aur auro:aq dcru uotlpzruB8ro a:luas n lE sloluoJ
tqt )isu :rp ot t:afqns sr sJ^lJJlqo io.ono] pa

-tEl3l aqt a^atlJE ot slo,ltllor 3qt lo uFrsap aqt go drr

-llqBlllls 3ql lnoqll suolsnpuor.,(ue ro 'uouch:csap
ar{t .Jo uonutuJsarcl aqt jo ssJu,lru3 aqt Jo uoltrn
-p,ra,{ue3o a,rntnl 3qt ot uortlalbrd aqf lu/r7strs rq1

tE

-ue8:o alr,u:s r

3Lp ut patll:ts sa.tnc:fqo lo,l]uol patclal aqt 3^JtLllB

ot slo.uuor 1o u8rsa;r aqt Jo {lTrqetlns aqt puu
' Irtrpl Jo se [u.rr:7s,(s ,r11 ,k1ptw.ro{tttl uotpun{ n1l
Jb
uotlottlluapt ,Lo| suourr?suElt ,saitltua Jasn SutssJJ
-o:d roj uratsls lfo awou tt r.l{7] str Jo uortdursap
s,uonezrue8r6 JJhtaS ZIX p3LrmrEX3 ?^Eq aA\

'uoa:arp uorurdo

uroc,

1ou op (18urp.roJls 'pue uoeduosap

aqt ur patuls slo-ltuoJ aqt Jo ssauaanralo Suuerado

:qr Surpru8a"r sa:nparord lue uuol:acl tou prp ? A

ruatsd
'[DDl
]E paqrrJsJp pue uouezlue8ro a)l
"8ed
-^i?s aqt ,(q par3rcads Euatur alll Jo llqrqulrns aqt
patEts sr^uJalqo loluoJ 3r{t Jo.{lllqg

puu'uraraqt

-lns 3llt

aqr Suitr:nlena sapnl:ur osp

uouBunuExa

[?]Dls puD [1tt s,toltpnn

ll.todtt s,.rolrpno atrttcs tt11 {o 4nql

lt.Lnlnu'ts 1,Loltpn rll^-lrs]
'sal.rrcl p:r1:ads asarlt uuql.raqto auoluc dq pasn

'err

-atuJ aql Surtral:s 'uortduosap aqr ,{c1 p:::,ro:

^--J .--^..
sJrLLrf,s Jqt a-,---.
aulpl^olct-uolllfcsr
puI uoll

-puEtsiJplrn tu3lllilns

1o uonctuasa:d Jqt Jo ssaulcJ aql

)sn p)])uls)\d

e ur p3sn 3q ot sartlllqrsuocls3r s,uortBzruDBlO

.ua51; ura:ts,{s s.uolezrurSlo a:lr.ras aqt

ul p3llts

ro.1

3lqBlrE^r? JpEru (uonch.rJSJp)

s,uouEZruBSrO atrr^.rJs

(sJrTElr sJEjploq Lu u \oqs

sr a8cn8uul ,r3N) slo.uuor dtltua :asn ftptuaur
-aldtuor:o1 paau 3Lll ot sla1ar utais,(s s uolBzrue8ro
JJrrr:rc JqtJo uolt(lulsJp rqr.;r lodr.r I Jd.(t r ul
qdrr8ured ado:s aqt Jo uonErr1lpour e sr 3ur,uo11og

'uorldutsap ?U1
lo [DD] aSod uo pa1o6
p)iuD er\ Sutt{pads KtiDd

?tD puo [safttp?fqo

{o awDul {q pa{nads ua?q aMU sa,tlpatqo

loijun ?\I uortdursap aqt ut pale1s sa.r.r1ralqo
loluol p3tBlaJ Jqt a^an{Je ot sloluor Surtuaru
-nJop pur 'Surrururldrur 'SuruBrs.tp pur

aq tou plnoqs pue aq ot papulur tou sr lrodar srql

'8uu:oclar
lcrrueuu ot tur^alaJ sulJtsls uouBJrunul
-uroJ pur uoneuuo1ur s3iltu3 l3snJo Surpuuts:apun
ue Suiuretqo uaLl,r 'sa^lasuaqt s3lltu3 rcsn dq pa
-tuauraldrur sloluoJ tnoqE uoltcLuJoJur 3urpn1:ur
uoilcur.ro1ur r)L{to qll^\ Suole tr Jf,prcuoJ r)l 3ul

-rlu:sap rt1 I 1o uor lutu.rslrd 1o poq r:u prrr (.r

-Elnrrp'ssauataldruor aqr Surpnlrur'uoruassr
puu uorrLlr.r)sJp ;rqt Suucdcld lol :lqrsuodsr.r
sr uorlczrucSrg JJr.\.r15 Zi)( uonclu:s:p rqt ur
p3trts sa^ltlalqo lor]uoJ p3tBlal arlt a^arqJu ol
slorruo: aqt 1o u8rsap aqt jo ltrtrqetrns pu uorl
-chl:sap :qt

lo srolpne tuapurd3pur aqt pue'l3tDp] Jo sB ual

-sls fo atuou .to td,{i] s,uorlezrue?:O alluas ZAX Jo
s3rtrtLla Jasn 'uonezruu8r6 alt,rlaS ZII{ Jo asn puu
uouEullo1lu aqt :o1 d1a1os p3pu3tur sr uodat srllf

tnoqr uonrJSsE ur prplrolrl scq uortrzrurS:g

aJLias ZI{ 'uonch:os.p aqt lo tl( a8ed ug
:(sJrler arEJplocl ul
u,roqs sr a8en8uel
dued aprstno ue,{c1 perl
^\aN)
-r:ds u:aq .r.rrr-1 sa,utralqo 1o:tuo: aqt uaqn loclar I

adlt

J.rr.\rJS 7.^X Jo ru:ucicucru

tcqt qdr:8r:ccl rqt Jo uortrljlporu u sr 3ur".o11oq

'[app] {o sD slo.tiuor s,uo4nzryo8t1

atruag Tpq lo u8sap atll u paloldwaluot s1ot1
-u6 &llua tasn {,tDiu?Lu?ldutn ?Uj paqddo sarl
-ltrf, rJslr puD ptDpl 1o sc {1urrra11.t p.rrrlrtlo
slo,tluor aql Jr p3^3lq3E 3q plnoa saNtra[qo lort
-uoJ JSoql trqt JJurunscr Jlqruosrr.r lpr rold or
pau8rs:p llqetrns a:am uoitdrlrs:p aqt ul pcl?ts
saru1r3fqs lo,r]Lior aqt ot petr?i3l slortuol 3qf .l
:(slllctr aJ.Iploq ut LL\\oqs sr
e8e nBuey

uoltclr.rJSJp s,tuarua8eucru

Lrof pf,trlJ.r

-lua :asn.(rnuaurolduro:.1o uortr:r1ddr aqt3r uocla,r

1 acl(t e 1o t1der.Sr:rcl uoruido :qr ur qclc"r8c.rud
-qns alqe:qdcle rlp Jo uolltJulpour e sr 3uluo11og

{q pnuto[.nd uoutw{ atll {o u0r:]lll/itirrpl -rol suourE

-suelt Suilrodar lo.Surssaro,rcl ur suorsslulo lo sro.r.l3
tu:.rald lou .(rur uonczr

srsuq 3lqELtosuaJ ll

-uu tltiu? nsn f,nluawaylwot qtns [o ssau

-tn1taffa?wlondo n u8sap a1l lo ,Q111qo1tns
paiDnlD^a iou ?^Drl a,14'satqta[qo lotluot
"rli
pairrpl aql ?^atrpD 01 pau8rsap Klqnilns pata
-ptsuol aq o1 uotloztuo8to ?JtM?s a\l lD slotj
-un pailipl .to{ s?liltu? nsn 1o paluawaldtut
pun pau8sap [y1o1ns aq lsnut slotluot [1rn;

tdo:t5

-qns

3l

-uaru2l(

uSrap
?Al'uor:

lillrB
[1qo11nt

sSsvf 'I3u lvtctllo

OFFICIAL RELEASES
The lollowing is an illusrrative paragrapl.r dcscribing the basis for the qualiliccl opinion. Tl.rc para_
graph would be inserred before rhc rnoclifiecl
opinion paragraph. All other report pamgraphs are
unchanged.
Basis for qualiJicd

opitiort
Thc accompanying descriprion statcs on page Imn]
that XYZ Servicc Organization uscs operator iden_
tification numbcrs ancl passwords [o prevent unau_
thorizecl access to the systcln. Based on inquiries of
sta[f personncl rncl obscn a[ion olactivities, we have

determincd thar operator iclcnrillcarion numbers

and passrvords are employed in apphc:rLions A and
B but are not required to access the systcm in applications C ancl D.

Opitliotl
ln our opinion, exccpt lbr rhe matter dcscribcd in
the prececling paragraph, and basccl on thc cdteria
clescribecl in XYZ Serrrice Organization's asscl-tion
on page laai, in all rnaterial respecrs...
Example 2: Qualified Opinion-The Controls
are not Suitably Designed to provide
Reasonable Assurance that the Control
Objectives Stated in rhe Description of rhe
Service Organization's System Would be
Achieved if the Controls Operated Effectively
The following is an illusrrattve paragraph clescrib_
ing the basis for rhc qualifiecl opinion. The paragraph wouJd be inserred belore the modified
opinion paragraph. All orher report paragraphs are
unchangcd.

Description of the Service Organization,s

A70.

System

Appendix C: lllustrative Report

Paragraphs for Service Organizations
That Use a Subservice Organization

The lollowing is an illustrative paragraph describing the basis lbr Lhc qualified opinion. The para_
graph rvonlcl be insertecl befbre the modifiecl
opinion paragraph. All other report paragraphs arc
unchangcd.
Basis Jor qutrlified opnion
XYZ Sen'ice Organization states in its descriprion
that it has automated controls in place to reconcile
loan paymcnts received rvith the various olltput
reports. l-{orvever, as noted on page fmnl ol Lhc
description oI tests of controls and results thereo[,
this conrrol wirs not operating effecLiveiy through_
olrt the pcriod ldatal to ldatcl clue ro a prognmming
error. fhis resulted in thc nonachievement of rhc

control oblective, "Controis provicle rcasonable

assurance that loan payments receivccl arc proper_
ly recorcled" thrcughout the periodJanuary I, 20X1,
to

April 30, 20Xl . XYZ Scrr,,icc Organizarion implc_

r.nentecl a change to the program

performing the cal_

20X1, and our tesls inclicatc
that it was operaring cffectively throughout thc pefi_
ocl May 1, 20X1, to December 31, 20X1.
culation as of May

Opution

the preceding paragraph, and basecl on the criteria

described ir.r XYZ Service Organizarion,s assertion
on page Iaa], in all marerial respects....
Example 4: Qualified

Opinion-The Service

Auditor is Unable to Obtain Sufficient

Appropriate Evidence

for qual{ied opinion

As discussed on page [rrn] ol the accompanying
Basis

description, from time

ro

rime

, XyZ

Servicc

Organization makes changes in application pro_

grams to corrcct deficiencies or to enhancc capabilities. The proceclures follorvecl in detenlining

Ihe following is an illusrratit

changcs. There also are no specifiecl requirements

to test such changes or provide test results to an

authorized reviewer prior ro implernenting the
changcs. As a result the conrrols are r.rot suitably
desrgned to achievc the control ohjectivc, ,,Conrrols

provide reasonable assurance that changes ro existing applications are aurhorized, tested, approved,
properly implemcnrecl, and documentecl.',
Opinktn

In our opinion, except for the matrer described in

the preceding paragraph, and based on the criteria
describcd in XYZ Service Orginiz:rtion,s assertion
on page fanJ, in all material respecrs...
Example 3: Qualified Opinion for a'type 2
Report-The Controls Did Nor Operate
Ellectively Throughout the Specified period to
Achieve the Conrrol Objectives Stated in the

100 Journal

of Accountancy Aususr 2010

inch

ofp
pr0v
sPec

ln th

en rh

ing r

docu

Example 1: Carve-out method

trol

Scope

unchanged.
Basis Jor qualificd opinion

XYZ Service Organization states in its description

thirt it has automated controls in place to reconcile
loan payrnents receivecl with the output generated.
However, electronic records of the performance of
this reconciliaLion for the period from Idate) to klatc)
\ar're Jelcterl :rs ,t rcstrll of r computcr
ltrrrccssing
error and, therefore, we were unable to test the oper,
ation of this control fbr thar period. Consequently,
we were unable to determine whether the control

objective, "Controls provide reasonable assurance

that loan paynenLs received are ploperly recordecl',
rvas achieved rhroughour the peno d
ldatcl to lclatel.

Inher

We have examinecl XYZ Scn'icc Organization,s

Becar

clescription ol its system for processing user enti_

ties' transactions lor itlentiJicutktn oJ theJunction

or de

ltcr_
[dnte]

Jormedby thc sl,stcml throughout Lhc period

to [darcj (clcscription) and the suirability of tl.re
design and operating cflectiveness of controls to
achieve the relatecl conrrol objcctives statecl in rhe
description.

XYZ Semice Organizdtiotl

cessii

tion t

ol

the

clusic
aung
reiate

uscs

a computer pro-

cessing semice organiTation

Jor all of its comput_
eriTed applicatiotr processing. The tlesciption on
pages [bb-cc] inclucles only the controls andrelat_
ed control objectives oJ XyZ Sewice OrganiTation
and excludes tlrc control objectives and related con-

trols

rzatio

computer processing semice organiTation. Our examinaliotl dicl not extentl to controls
oJ the contputer processittg semice organizdtion.
oJ the

contr(
0rgan

Oltittir

ln our
cnten
ABC

kLal,

d.

th(

Or

AII other reporL paragraphs cu'c tnchtngetl.

AE

ofl

Example 2: Inclusive Method

whether to make changes, in designing the changes,

and in implernentjng them do not inclucle revierv

and approval by authorized individuals rvho are
indcpenclcnr from those involved in making tl.re

and

to)

e paragraph clcscrib_

ing the basis fbr rhc qualified opinion. The paragraph would be inserted befbre the modified
opinion paragraph. All other report paragraphs arc

sible

Follorving arc moclificatior.rs of the illustrative type

2 reporr in example 1 ol appendix A for usc in
engagements in whrch tl.re scrwicc organization uses
a subservice organization. (Ncu, language is shown
in boldface iralics; cleletecl language is shown by
striketirrough. )

l,

In our opinion, excepr for the matter described in

rhe

state

ide

Scopc

sef

Wc have exanrinecl XYZ Service Organization s anzl

ABC Subsemice OrganiTation\ description of ir

their ltyltc or notrc ofl system for processing user
entities' transacti ons lor idcntilicution of thc
Junction
perJormet) by tlrc sysLcml Lhroughout the periocl

des

od

b.

xyt

OrE

to ldatel (dcscription) ancl the suitabiliry of

the design and operaring ellecriveness of XyZ
Semice Organization\ and ABC Subsewice
[datc)

Organizatiotr\ controls to achieve the related control oblecLives stated in the clescription. ABC
Subsemice Organization is an independent sem-

sult
anc(

achi

lhro

c.

entities, ds yrell as releyant control objectives and

controls oJ ABC Subsemice Organization.
Opu'Lion

u'hi,
able

ed ir
effec

Ali other

47I.

Exhibit

In our opinion, except fbr the matrer described in

the precedrng paragraph, and based on the criteria

XYZ Service Organization\ responsibilities

described in XYZ Service Organrzation's assertion

on page laal, in all rnaterial respects. . .

Organizarion and ABC Subsewice Organization

hm have providecl an their assertictns about the fairness olthe presenration ofrhe descnption and suitabilily of the design and operating ef{ectir.eness o[

On page XX o[ rhe description, XyZ

rhe

AB(

ice organiTation that provides computer process_

ing semices to XYZ Semice Organization. XyZ

Semice Organizationa description includes Q
description oJ ABC Subsemice OrganiTation\
[type or name of] system used, by XyZ Sewice
Orgdnization to process trdnsactions Jor its user

the

Manag
Service

wwwjou rnalofaccountancy.com

The

asse

ization n

tion

01

tl

attached

wwwja

,;

!Ol

l(JuEtunorrvJo lBurnof 0I0Z lsnSnv

'pazuoqlnB'pstuurur

aJE suollfESuBJl

-3131

uoncullo]ul ],rotsrp ro lrluo lolt

s3op ll

uralsls aqtlo seulu3 Jasnlo suoullsuert

Surtrodal puu Surssa:o,rd or ruc^alal aJe

loltuoJ'(sassalorcl ssaursncl patelar

3utpn1:ut'suott

tELlt slo,ulroJ Suuotruoru puE 'sauhrtJB

asoqt r{lrl,,rr ,{c1 'surats{s lztlueru puc

p3tBtuolnu qloq urqlr,,t'sa:nparo"rd aqt 17;
'passaro:d suollJBSuEJ] Jo sasseit 3qt (I)

Surpnllul) surats{s uottr:tunuturo:

'tuauruorl\ua loltuo: ,rno .Jo stlaclse laqto

'sanu:alqo asoqt a^arqle ot p:uBrsap

ot alQeFg,re apeur ualsds ar{1,to{ slllasaJd I

rl Lll JldA\ UOIIJTSSE Slql

pue uorlEr.ruo1ur'ssaco:d luauss:sse

-Jr?sliErt tuE^alar ssarold ot p:tuaualdur

scn urats(s:qt.1o sanuua l?sn
pr-rr p:u8rsap

,^,-.t,,
---^
LtUl
lUlr.rsJP

Jql

Surleru ur p3sn 3.tr Euatul aqJ 'lrutlsfs ttlt ,{c1

plLu.tot)d tLontw{ t4l lb ratnlhuapt,rol suou
-JBSuE-u lraqt Surssa:olcl ro1 1alnpl 1o sc urats,(s
Jrlt Jo sanltua Jasn ot 3lqullu^e aprlu uatsds 1p
JLuDLt .to )d&l 3r1] sruJsarcl durBl uorrdursap aql ?
lEql
'Jarlscl puE aSpslaoul ]no Jo lsaq aql ol 'Lu,tuuor
er11 Surtrod:r [Er]uEuU ot turl3[3r sut:ts{s uot]
-ErrunluruoJ puE uorlEruloJur ,satltlua rasn 3o 8ut
-puetsrapun ue SurulBtqo uaqa'sa^l3stu3qt salltu3
.rasn dq patu:uralduu s1o:tuo: tnoqu uoleuuo3ut 8ut
-pn[]ur uouBixroJur:aqto qtltr Suole 'tI Japrsuor ol
Surpurtsrapun tuarJrUns B J^Eq oqa s.totrpne r3sll
lrai{t puE 'JrlDp] Jo su ruats,{s aqt jo s3ltlluJ -I3sn .toJ
(uonduls3p) rrr3rsf,s [o tun'nt n ilf]] s,uortuzrutFrg

ollu3s ZIX

1o

uortdrl:sap aqi pa:eda:d a^Eq q\A

uoruassv s.LlouezruuS:6 al,ua5 7try

ar{t

>1su

Jsorit llJlrl^\ ,{q 'suats{s lenuuu pue

p3tEruolle qtoq urqtr,tr'sornpacord aqt (7)
pessaro:cl suoulEsuB-lt Jo sassplJ arp ( t)

pue p:u8rsap su,n urals{s:qt.1o saultua lJSn

ot alqlr^E apuur ruatsds aqt.uoq stuasa:d I
uoudu:sap aqt teqt ara,tr uotl

-uor lEnuEtu raqtaqa Burpnl:ur'pau8rsap

sr: parldde dpu:tsrsuor araa sloltuof 3llt ur
puB :pa^arqlD

Surpnllut'suott
-Jtsurl luglalJl ssalo:d ol p:ru:rualdut

3^Eq oq/u slBnpurpur,{q parlddc ala^\ slo.ll

dtuoqtne puu aruatadruo: ateudorddu aqt

iucltlPztue8ro

lcql slsll

3ql

t8r{t
so.urr:k1o

prluor

,ro] sLroulBSLrE.u :rarp liurssa:olcl lo] Ir7DPl ot

)lr)p] pouJd Jqt Jo Ilr .ro lruos Surlnp urals{s
I
lasn ot JlctBllE^E apEru r-uals{s [rb
sruasa:dd1"nr1 uottdursap arp n
3Lp Jo Sanuus

twnu

-to

ld[1]:qr

1,aoul lno

Jo ts3cl 3qt ot

ol

aqt

lql'Jallaq Pue aBPa

'ruirluor a^|slu3luslels

[El]uELru ,s3r1r1ua Jasn Jo slu3lu3ll?lssllx lcrJalEul

1o slsu :qt SurssJsse uaq,\\ 's3^l3suaqt uratstrs aqt
paruaur:1drut sloltuol tnoqB uort

.;o sertrtua:asn

I]ua1IJ:)

3sol1l 3A3rL{JIr ot [r]Dpl

loluoJ aqt ot patul3r sloJtuo3

pou:d B sra^ot uortdulsJp 3qt

fq pa,ia,ro: pouacl aqt 8ur

ed&l aqt jo r::clsu ,{"rara apnlrur

rJSn lcnpt-\rpur qJEJ tuqt ruals,{s

aqtJo.{ltu3
1lb auLou

:qt

lq

-EuuoJui 8urpn1:ui'uolEuI.roJur ratpo tprlt 3uo1e

raprsuo: o1 Surpuerslapun:tuallUJns E Jr\eq oqa

'r

s.rotrpnB r3sn

]laqt puB'lrlDp] or irtDP] pouad 3ql

rasn JoJ
.1o 11c ro auros 8ul inp urats,(s aqt.1o saonu3
(uortdurs3p) ruarstrs fo twnu.ro tdfi] s,uortezrue8r6
3l^lrs ZI{ Jo uortdurs:p aqr pa:cdard 3^q r \
LlourJSSV s,uortuzturSr6 aJI^JeS

ZI{

l.rodag 7 addl e:o; uortuzruu8rg ar1.,uag

u3o tuaura8euel4l dq uorlrassy :1 aldtuuxg
'suonBntrs

1p ot alqerrlclclu .ro artlsnBLIXJ

pue lluo a:ueprn8

alr suoul3ssp luaura8eueur a,r.uelsn1l Surntoloj aq1

-sls aqt 1o saultu3 rasn Jo a8ue: peorq r 1o

spaau uor.uLLroJ Jqt taau ot pareclard st uotl

Jq ot paplr3tut tou

3soi{t Jo srolpnD tuapuaclaput aqt

pur

LuJ}

3,rE

ro3

lfql

SUOUI3SSB JOJ

l/vvv\

aq1 uorrdu:sap aqt ot paLpElru

uratsds s,uorezturS"to

altuas

3qt Jo uolt

uJoc'I3

Jo Ssaua,

Jlns pur
-11J

aql

uorluzr
3f,rAras

lo luouaoeueuu

'ILv

'pa8uoqtun

papualut al SUOIll3Sse a^il

t.n

stldo.r8o.totl l.Lntlet ,rtt1ltt 11y

lrsll

sll

2)1^.DS

'[JtDl] ol
I.'t,ill pourd :qr tnoqBnorqt,(1:.ril::1;.r
paterado'pa^3tLlJE a.ran uottdu:sap 3qt ur pa
-tets sa,ut:alqo lo]tuor aqt tEqt 3JuElnsse alqe
-uoseal apr,rord ot {IBSSJrau 3soqt aJo,tr rlJrtl,tt.
'p3rsar aA y)tli uotlDznDSto aJruasqns, )gv
puv uotiDzruD8to zoruas 4yp s1o:ruor aqt
'Il1Dpl o)
lrlDpl pouad aql lnoqSnorql
,4ia,utraga pateraclo sloituor 3r{t Jl pa^lqre

:r

quouoz

sapn

zIX',u(
-ssatot
'

fgv

lu

-d-r2s

-uoJ pa
2)rMzsq

jo,{trtiq

-.rnssc al(l[uosrJr :plrord ot pluBrstp ,{lqrtrns

ara,n uoitclr:osap aqt ur patpts uo1iuzrlta8.to
z:tuasqns )gV puD uottDzruD8to :ot^,tas ZE{

zLx p

aq plno^\ s:.urrafqo lo.nllor 3rp reqt

aruB

/o sa,ut:alqo lo]tuoJ aqt ot patel3,l slolruot

aqt

por:ad

uotlnnl
q

'plDPl 01 IrlDpl po

21aM

rasn 3u
g

IO IIT

pil,

-rrad aqt tnoq8nortp paruauialclur puu pauBrsap

s,u

tsql [1u2ls{s Euol1ozrun8n atuuas

arll f,q pawoltad uorltun{ aql lo norlotrJiuapl

tol sapnu? Dsn s1r to{ suotltttsutttl ssatotd o1
trorlozrun8t6 atruag 7try {clpzsn uals{s fo
awou ,rc adKll ruolloztuD8io zol^rasqns

)gV

prrn urats,{s fo aumu rc adfi1ry s,uorlozruo8tg

nrr"t?S ZA)t stuasa.rd .{1:tr1 uortdu:s:p 3tlt

'uot?D?

-uo)p21

puu quortezrue8lO a)rruoS ZtrX tn paqtracls uuatu:

arlt uo p3seq'stradsal puateu 11e ut'uorutdolno tq

-DztuDg.

quorlezruz8rg a)r^r3sqns JgV

slotluo)

'IDD]
aSud uo suorrasse

tuotuttl6

uot7Dz
-1Dl?1

uo u0!l(

IlrJ ro 3^rtr3j]aur aruoracl,(e ut uotloztuoS to

nluasqns -ro uonuzrue8ro aJrlras E :lE slo,tluol
tEqt ISr.l aqt ot t:alqns st sa.ltlcalqo lolluol p31el3l
aqt a^arqJE ot sloluol arll Jo ss3u3^llJajja SuuB
-r:do ro u8rsap aqr 1o drqrqerrns aqt tnoq suorsnll
-uor,{uu ro uortdu:sap aqt Jo uortEtlr3sard aqt jo
ssauJrEj aql Jo uoltEnlE^a ,{ur 1o arnlnl 3ql ol uoll
-ralbrcl aqt 'oslv suolllesullrt 8uu:odar "ro Sutssa:
-ord ur suorssruro ro sro,u3 lle 'tJJrroJ pue llatap lo
'tu3^Jrcl tou drrrl uollozlun8n attn-tasqns ro uouuzl
-uc8.to acruls e tB s[oIUoJ 'a]nitu rt3qt lo asnelag
si.r0lTlrllrul j lu J_lrqllJ
uondursap aqt ul

p31Ets

-lwlwo:
-otd n

3Ll1

ot

ul p

sloJtr

jo

aqr

Jr?rl,l p
uot

-nd

-llu3 l3
s,uonczl

sarttralqo 1or]

-uol ll3lela.r aqt a^arqJ or sloluol Surturun:op

pue 'Surtuarualdun 'Suru8rsap pue 'ur,ratu: :qt 8ut
-tJalas 'sa^nJ3fqo loluoJ aqt Jo tu3tu3^3rqJE ar{t ua
Jeal{t tEqt s>1sr,r aqt Surd3ituapt'uottdtr:sap aqt ur
uaqt Surleis pue sarutcalqo lolruol aqt Surdpads
'uoudursap
3qt Sutpt,to:d
dq
pa,ra,ro:
sal,t.ras
aqt
jo uortetuasard 1o
'suourassB puu uortdursap aqt

,{q r4\o
u,roqs
sasn uor

ur 3sn
ad,{r an

poqt3ul pue Xce:nl:e 'ssau:raldruor aqt Surpnpur

'suoulasse pue uottclu:sap aqt SuuEdalcl ro1 alqls
)gV plrD
-uodsar

JJP

uroc'^cuelunocseloleuJno['

-errsn11r 8urmo11o1

:q {cru:o

-ducsap s.tu:ru:8cueu ur papnllur aq,{eru uottrzr

-uu8:o a:r.tras aqt jo tuarua8eueu .{c1 uoruasse aq1

uollpz!ue6ro arl/trss

Iq suoluassv e^llerlsnlll rV ilqlqxg

(/)

puD sa

slo.ituor puu salu:a[qo 1o:ruor palyrads 19;

tuslsds aql Jo .s3ll
-uu3 lasn ot psprr\oJ(l uorlsul-rojur laqlo
:o stroclo.r :rcclarcl ot pasn ssa:o.rd aqt (G)
'suorlJr?suBl uEql raqlo

'suonlpuol llur sru3,\a tuuoiltu8rs s:

-ssarpp pue sa:nrder rualsds 3qt
(t)
^\oq
tuatsls aqt.;o sJlrlrua Jasn
ot patuasarcl strodar aql ot ll3l,l33suul
sr uouEur.ro]ur aoq puE uouEuuojur
tJsr.roJur Jo uous3l,loJ 3qt saplllJur slql
lsuortresuclt troclar puc'ssaro.id'pro:ar
'aziJoqlnB '3lr?nrur ol pasn 3lE lEql
stunolfe :r1r:ads pue'uourutro1ut 8ut
-lroddns'sproral Surruno::u patelal aqt ()
'uatsds aqt
1o s:uuua rasn ot patuasard
spocla: aqt ot pal.lalsurlt pue ',{ressa
-Jau sc patl3-r.lol 'passaro:d 'paplor:r
'pazuoqlnE'p3tBrlrur aJc suorllEsLlEll

trodan 1 ad{1 e ro3 uortezrue8rg aru:a5

uortrassy :7 aldruexE

u 3o tuauraSeuuy,l dq

-rassu srqt Bur>1ett ut p3sn J^\ EuatuJ aqJ ltttJj

-s[s arll fq pttu,LoJ,nd uo4nn! t1l ]o tLosat{quap1

Suroq uror.J uouclu:sap 3qt ur patets

sa,r.rtrafqo loJtuor 3llt tu:,ta:d tou p1no,u
s{su asoql lELll 3luPrnssrl alqBuosEl,l
apr,rorcl 'paqursap sr Sunu:ado Jl 'plno^\
uoitclurs:p JLp uI paqrlu3pl sloltuol aqt tl
arl^ras 3qt ,{q par.lpuapi usaq 3ABLI uoll
-du:sap aqt ur patfls sonur:[qo loJtuo] aql
Jo tuaua^arqJE 3qt ustEJlql

3r3a uourJSSE srql SurIBUr uI p3sn 3ilr

aql

Ir:/Dp] pouacl ar{t tnoq8norqr ,(larnrajja pater:clo

pur: pru8rs:p (lqcllns JIJ^\ uortrlurs:p :t1 I ut pa

-tuts s:,rnrak1o

auut 1o

uaqm uouclursap aqt

-rnp urats,{s s,uouezrue8ro:l,uas aqt ot sa8urqr

Jo slutap tuc^313.r sapnlJur uortdu:sap

luaruuo,nl\u3 relnrn:ed u,{\o sll ur luEl
-:clchur,r:lprsuo: {Eur Jollpne sll pur uats,4s

'tou ,{eur pur 'saultu3 resn

'ero1al3qt

'uonclt'rrsap aqt ur p3pnlrul

-dr,r:s:p aqt teqt SurBpallroul:e a1q,tr'urat

-sls fo awotL,Lo td,{]] oqt 1o ado:s aqt ot tue,r

s+

?io uollvzruD8to ert-tasqns,

uortezrueBr6 JlrNaS

zIt

uortdr:csap aqt ur patels

sa.r.rtc:fqo 1o:tuoo pa]Bl3r arit a^atiJe ot slo,uuoJ 3Lll

s!tsv:r13u lvlclJlo

OFFICIAL REIEASES
recorclecl, processed, conected as necessary and transfcrrcd ro lhe rcporls
presented to user entities of the system.

(3) the related accounting records, supporting information, ancl specific accounts
that are used to initiate, authorizc,

Controls

dt a

Ser\)ice

this includes the corrcction oI incorrect

dilferenccs. This analysis is not authoritative and

prepared for infonnational purposes only.

other r hxn I ransacl ions.

(5) the proccss uscd to preprrc rcporls of

or he r inlnrmrrion nronclcrl tu uscr e ntities of the system.

(b) specificd control objectives and Lonlrols

designed to achieve those objectives.

(7) other aspects o[ our control environment, risk assessment process, in[orma-

tion rnd

communicution systcnls

(including the related business proccsses), control activities, and monitoring

controls that are relevant to processing
and reporting transactior.ls of user entitiec nf rhe c\/+Pnr

does not omit or distort information relef1y1'6 pr aotc of sys-

vant to thc scopc o[ the

tem. whilc acknorvledging that

thc

prepared to meet the common

ncrdsof r broa,l rannc o[uscrcnlilicsof thL

description

rs

.v.tem rnrl "'_

the "'*_f
indencndrnt auditr)rs oI
those user entities, and may not, therefore,

include evcry rspect o[thc lrypc or natni ofl

system that each individual user entity of the
systcm end its auditor mry eonsiclcI irttporlrnl in ils own pxrlicular cnvironmenl.
the controls related to the control objectives stated in the description were suitably designed as
of Idate] to achieve those control ol.rjectives. The
criteria we used in making this assertion were
that
i. the risks that threaten the achievement of
rhe control objcctivcs stated in thc description have been identified by the sewice
organrzatron.

the controls identified

would, if operating

in the

description

as described, provicle rea-

sonable assurance that those risks rvould not

^,-..-^|h^ ^^h,r l ^laiccli\.es statcd in thc

descdnrion from heins achiercd.
1^72.

Exhibit B: Comparison of Requirements

of Statement on Standards for Attestation
Engagements No.16, Reporting On
Controls at a Seruice Organization,wilh
Requirements of International Standard
on Assurance Engagements 3402,
Assurance Reports on Controls at a
Seruice Qrganization

of AU

section 322, The Awlitors

6. Docun
Paragrapl

Consideration oJ the Internal AudiL Ftntction in an Audit

TOT TO

of

ment file

Fintrncial StatemetlLs (AlCPA, ProJessionul

Standards, vol. l), rvhen the service auditor uses

members of the service organization's internal audit

function to provide direct assistance. Bccause AU

ASS

of asseml

ly basis af
ance repo

the senicr
umentatic

Paragraph 26 of the SSAE requires the service audi-

of the internal audit function in a direct assistance

capacity, paragraph 35 of the SSAE also prondes lbr
this. The lnternational Standards on Auditing and
the ISAEs do not pror,rde fbr use ol the internal audit
lunction for direct assistance.

Intentional Acts by Service Organization

Personnel
tor to investigate the nature and cause of any deviations iclentified, as does paragraph 28 of ISAE
3402. Paragraph 27 ofthe SSAE indicates that ifthe
service auditor becomes aware that the deviations
rcsulturl lrom intentionll r(ls by s(rvtrc orgcnlziltion persomrel, the setwice auditor shoulcl assess rhe
risk that the description of the service organization s
system is not fairly presented and that the controls
arc not suitably designed or operating eflectively
The ISAE does not contain the reqllirement included in paragraph 27 ol the SSAE. The Auditing
Standards Board (ASB) believes that inlbrmation
about intentional acts affects the nature, timing, and
extent ofthe service auditor's procedures. Therefore,
paragraph 27 provides follow-up action fbr the seruice auditor when he or she obtains rnfbrmatbn
about intentional acts as a result of perlorming the
procedures in paragraph 26 of the SSAE.
Paragraph 36(c)(ii) of the SSAE, which is not includ-

ed in ISAE 3402, also requires the sewice auclitor

to reqlrest written representations liom management that it has disclosed to the service allclitor
knowledge of any actual, suspected, or alleged
intentional acts by management or the service organization's crnployees, ofwhich it is aware, that could
adversely alfect the fairness of the presentation o[
mxnagemenl.s description o[ Ihe scrvicc organization's system or the completeness or achievement
of the control objectives stated in the description.
2. Anomalies
trrirgraph 2q of lsA[ 3402 ronlrins a rcquircrncnl
that enables a serwice auditor to conclude that a
deviation identilied in tests of controls involving
sampling is not representative of the population
from which the sample was drawn. The SSAE does
not include this requirement because of concerns
about use of terms such as, "in the extremely rare
circumstances" and "a high degree of certainty."
These terms are not used in U.S professional standards and the ASB believes their introduction in the
SSAE could have unintended consequences. The
ASts also believes that the deletion of this requirement will enhance exanination quality becar-rse
deviations identified by the seNice auditor in tests
of controls involving sampling will be treate d in the
same manner as any other deviation identified by
the practitioner, rather than as an anomaly

This analysis was prepared by the AICPA Audit and

3. Direct Assistance
Paragraph 35 of the SSAE requires the service audj-

of Accountancy August 2010

graph .27

section 322 prondes fbr an auditor to use the work

Auest Standards staff to highlight substantive dif-

102 Journal

tor to adapt and apply the requirements in para-

rs

l.

(4) how the system captures and addresscs sipnilrcant evcnls :rnJ condiLiorrs,

ii.

on

Orgdnization, and to explain the rationale fbr those

user entities of the system.

b.

Assurcrrce Rcports

record, process, and report transactions;

information and how inlormation is

transferred to the reports provided to

ii.

ferences betwecn Statement on Standarcls lbr

Attestation Engagements (SSAE) No. 16, Rcporling
on Controls dL a Sevice Organizcrtion (AICPA,
PrcJessional Standards, vol. 1), and lnternational
Standard on Assurancc Engagements (ISAE) 3402,

admrnrstr
engageme

that a tim

ing the ser

made this

4. Subsequent Events
With respect to events that occur subscquent to the
period covered by the description of the service
organization's system up to the date o[ the senice
ruditor's rcpun. paragraph 42 ofthc SSAE lcquircs
the service auditor to disclose in the sen'ice auditor's report, if not disclosed by management in its
description, any event that is of such a nature and
signilicancc that rts disclosure is neccss:rly to prcvent users o[ a type 1 or type 2 report fiom being
misled. The ASB believes that information about
such events could be important to user entities and
their auditors. ISAE 3402 lirnits the types of subscqucnt events that would need to be disclosed in
the service auditor's report to those that could have
a significant eflect on the service auditor's report.

ument\tio

scction
PioJessionr

7. Engagr

Paragraph
the accepl

to feport (
o[ the con
ancl accep

audrtor wt
sior.r

o[the

rhis *:qui

acCeptancr

8. Disclai
1i manager

Paragraph 43 ol the SSAE requires the service auditor to adapt and apply the guidance in AU section
56I,itbsequent Discoyery oJ Facts ExistiKat the DaLe
oJ the AuditorlReport (AICPA, Proldssional Slnndards,
vol. l.) if, after the release o[ the service auditor's
report, the service auditor becomes aware of conclitions thar existed at the report date that might

tor with

ce

40 ot ISAI
discussing
an oprnlor
39 of the

appropriat
an oprnror

have affected managemcnt's asscrtion and the serv-

ice auditor's report had the service auditor been

aware o[ thern. The ISAE does not include a similar requirement. The ASB believes thaL, by analogy,
AU section 56 I provides needed guidance to a sewice auditor by presenting the vadous circumstances
r hat could ocLur during thc subscqucnt cvcnls periocl and the actions a servicc auditor should take.

Paragraphs

incrementz

plans to dr:

9. Elemenr

Required

Paragraphs
requiftlmenj

5. Statement Restricting Use of the Service

tors repon,

Auditor's Report
The SSAE requires the serwice auclrtor's report to

in paragrapl

3402. Thes

inch.rde a statement restncting the use o[ the report

I

o l nanagcnrcnt oI thc

se

rvit

orgrnizet ion.

usc r ent

i-

53(eXiv); (:

ties ol the seruice organization's system, and user

auditors. The ASB beiieves that the unambiguous language in the restricted use statement prevents misunderstanding regarding who the report is intcnded

Darrel R.

Sr

for. Paragraphs A.61-A62 ofthe SSAE explain the rea-

Emest E

Bz

sons for restricting the use of the report. ISAE 3402

Sheila M. B

requires the seruice auditors rcport to inclucle

Brian R. Bh

state-

ment indicating that the report is intended only for

user entities and their auditors, Horvever, the ISAE
does not require the inclusion ofa statement restricting the use ofthe report to specified parties, although

Robert E.

Jacob J. Co

David D.

Charles E.

it does noL prohibrt the inclusion ol restricted use lanorro,'in rhp rpnnrr

Andrerv Nf

wwwjournalofaccou ntancy.com

wwwjoul

David M.

6.

eO! druEtunorrvJo lEurnof

0lOZ tsn8nv

'slusuf,Inb?r lrpn! tulluulr^o8 puP'(sv3) sPrr/,urlsSurltrryturlu

-!.1i^0, Japun slrpn[ iar]u[uu roj sp]lpuNts rqt'sprrpuBls SLltDnr
(iltrJuJB qth rlutplof,JE ul prunoJr.d stDnu .ruwCiluoJ
patdJJJe

sassJrppr
-nV

'(l0B ,.s nv 'I

iluDUduo)

'

lII

lo,\ 'sirD|liils irliolssilor.l 'vdll\o s)lP

slxrpuqs Bu|rpnv uo tuJluJtuq I

oN (SVS)

qtlr

'tuaruaSeuEru Jo trrqrqrsuoclsar 3qr sr

tl3llp

tl

'

lo {tlyqrsuo ds aA

00b8-09t

@lO IID .to tuot1t18uf,dot'nrm llsl^ anald '4-tou

sl\l Jb i.md {uD {o setdor

n[

a4DLu o1

ttoLssruuad9utlnnba.t

a.mpnotd ary filqD uoliDLLul{u! .tog

llv'sll8-9t00't
arnsua ot 'aJuErxs^o8 qtl,\\ paSlEqt ssoqt Jo lq36Jaro

aql

yawaSouo

1,t1

pl!fry-D)

':l-lqt MeN

''1111

patLasa.L

s1t13t,r

's?uD1unD)v1\qnd

^N LrDruruv & OtOt O n!tL[do1

fo lfi]Ltsul

trluiq plr.lrpor ul sSV5 pllurp 1c Sururrtuor prnssl lq llr^\

svs ruo'ssVS pJUuplJ llrJo Jlurnsi ?qt uodn :lrp r,rrl:r1r rurs
.qt ilrq liLtr (ssvs) sprrpuu5 Burtrpny uo sru3uraus p.qurp ilv *

(/V-IV rcd :Ja)I) suorlEln8aU

pua s,ne-1 qtr16 aruuqdurol roJ lrlllqlsuodsa1
'stuJul3lEts

s1

BZluOrlelualxnJoc
27-1 77:rueqdruoruo5l
patradsn5 ro paUuurpl Jo Suruodag
OZ-lI/patladsnS ro p3Uuu3pl
a:uerldurocuoN uaq1\ sarnpaJotd lpnV

9 I*Zllsuortln8ad pue sae-I

qtr,11 aruuqdruoS Jo uonuraprsuol s,rolpr-rv 3qI

stuaruarrnbad
I I/uorlrurJac
617saanra[q6
6/alEC 3^nrsJJA

dur r

pny

ras

nV'I

[qVty

p^'sptDpuDls

lnBaiil

'tE

ruoc'ncuelunoJcelolpuJ nol'/l^/vvv\

l?Lloissr]o-ld

'VdJIV)

oN SVS srpasradns s1u;rua1ri5

roud At_tuvtc
u scuvcNVIS

Ntltcnv No lNf y\fIVIs cf Hluvtc

sapuB-l E

sauofussns

yC

lpld

razlurl/1{ J,\

^\3]puv

ralselj E sallEq]
aa.rnQ c pr^Eo
u?rlof fqolBf

-uel asn
qBnoqr

Jlulsal
AVSI 3
:o3 dlu
-clets e

70+t1
-E3l aq

'.rf 'q8nug
A tsaurE

ad,(r

-sllx

sl

-uEl sn(

roj (I)EE puu :(t)(te) :(^O(a)E

sqclr"iSeLccl

ut purslrod:r Z JJll loj

-Ilu3 l3l

uodar

ot uod
aJ

$uaru:lnb:r
aIEl
-Fad sr
saJuEls

-.uas s

'uorurdo ue ulelcsrp ot sueld

lolrpnr? 3JL\las ar{l uarl,r sluaurJlnb:r luluarualrur
uretral uretuor EVSS rqr lo 1e pu\r gq sqde:3ere6

!{3o1uu

-ruls

uaJq l
-,uas a

'luaut:3e8ua aqt uro{ Burme:pqtr,n ro uorurdo ue

Sunurulcsrp :pn1:ur leur qcrqm 'uonce aleudordde
a{Bt ot rolpnu arnr3s 3r{1 s:lnbar Ey55 aqt Jo 6[

qderBv:ed'saruetsurnrlr 3ruBS 3qt u1 uorurdo uu

rluellsrp ot 'tuarua8eueu qtr,t.taleur aqt Surssnrsrp
raIE 'roltlne 3rr,u3s 3qt sa:rnba: 76tr9 AVSI Jo 0t
qdel8r:ed 'suoletuasard:l uJul-i,lr ureual qIA Jot
-lpne 3Jl^r3s aq1 apuoJcl tou saop tuaur:8euru 11
uorurdggo raurrulJsrq g

1q3rur

-uoJ j
s,lotrp
'sp.tDpu

)|DQ?Ll

uotlt3s
-lpnE J

'uoda
a^uq p

af,ucnuuuof, pue ::lueldarre

tuaru:8e8ua .]o uorlrpuol r se tuaua:rnbar srql
apnlrur tou saop Zgtt EVSI tuarua8e8ua aqt Jo uols

-nlruol aqt

ur pas
-qns l
puB sar

Suraq

3llr3s aql Surpnord:o3 ,{t111c11su6ds3r rdo::u puu

aFpalmoul:e tuarua8euuur teqt sr suouipuoJ allt Jo
3UO UOrlBZrUESrO aJr rsS E tr? SlOllUO:r UO lrOda.r Ol
tu:tua8e8ua uE Jo aJuEnuuuoc pue a:uutd:::e aql
ro; suonlpuol s3qsllqptsa EVSS aqt Jo 6 qda8ure4

llloqu

suouulu:sard:r uailu,rt. qIA loltpne

tu

a)usnurluoJ pue arueldarry lueuraSB8uE

'/

-e:cl ot
pue alr
slr ul :l

-lpnu
sa:tnb:

3ll\las

'(I

:ol1

s3lrrql

VdfIV

uu8atrrl

rroJ*

sr.l,rot\'l{ pl^ec
uetustaiz g ue8a4
radaruapa

1a3on ua,rat5 g
ro1de1 g rye1^tr

lr?llx3ts IN sEluoqf
suaqod J dpuBu

rarTs^aql a tr3qod
tur{nlg d u8ug
l l elraqs

qrlg

papusll

_lu,tll'traqnqrs u laltBc
(0r02-6002)

qlauua)

pleoB sprBpupts Surlrpnv

l3sn
'$rodar

:(lll)(r)e!)

11;7E pue :(r)(ZS) :(^rxa)ZE :(rilXr)(Ze) sqder8ered ur

papnlJui a:e stuarualnbar lrtu3ruarlur asaqf Zgtt

aVSl ui 3soqt ot ltu3ruallur are rllrrl,\\ 'trodal s.ro1
-rpne alruas 3lltJo tualuor aql 3u4r:e8a:

rpql trodag

:o;,(1111q1su6615311

r",r.,r.;y:0, J:1:::""
uort)npolluI

SINf,INOJ
'(1I
guat1)

lDDuDulJ lo IpnV uo tu sttorlolt:8tll ptLo snvl {o

uolloiePlsuo) (sv5) sprepuet5 Suurpnv uo rualu3lprs

+queurelels

lE!f,uPull to ilpnv ue u! suollelnosu

pue smP] lo uonereplsuo3

tcf

CUVOE SCUVCNVIS ENIlIO NV

r{oul 0N[lnsf

s[ll 'I

lrli,

sp.tDpuDts lLluorssaJb.t4

tuaplsald

llsuuaq5

aql

v/lBrrarEI,{
aJroC

ureual uletuoJ aVSS aql Jo E pue 7E sqde:3ae6

'uodag Zgt aVSI aql ur parrnbaA
1VSS aqlJo sluaualA '6

toN arv

B-tlsuonelnSad
puE sA\el qrr/q a:uerlduroS

stuatuatets lErJuEuU s.,{tltua uE uo

tou op tnq'ssaursnq sI tlnpuoJ

? a^eq

qlq.\\ rapun suorsrlo:d

aql auluuatap Laqt teqt ur stuatuetBts lerJuEurl 3rll

uo tualx?tuts

sprBpuEts

srrl/LlrS
sp.rDpltDis $ailV pLrD ilpnv
lntuqnl
I^l qtlpnl

,ta8luDry

JJB]S

'stuaua8e8ug uoqetsaly ro3 sprepupts uo tuauratelS

srqt 1o tuaurdoia^ap aqt ur uaay uosef pue tuefug
pre.trpl Jo {ro^\ 3qt pue 'alloC IsBf suonezrue8r6
alhras aql Jo lerl: l3rxlo1 'la>ltnf H a8toag
sa8pal.r\oulru dllnlaterB SSV aql

1o drqsrapeal aqt

uerustarz g

g1y-gy7suorre1n33U puE s.r\B-I

acueqduro3 1o uou.raprsuol s,,rotrpnV

2y-lyTsuouelnEag

uosqld d ueug
aJJllrBU V sEruoqJ
uropo'd

IBllueuu

rrlt uo tla;Ja lelrateu e arcq,{eru reqt dtrrua aqt

:o3 saruonbasuor:aqto ro 'uorte8rtrt 'sauu ur tlnsar
leu suoneln8a: pue s^\El qtt,t aruerlduroruog
'(ltrunrroddo tuarudoldua lenba pue qtluaq puB
dta]es leuonednrJo or pargl3l asoqt sE qlns) ssau
-rsnq aqt 3o stradse Surte.rado aqt ot {lleraua8 atelar
teqt suoueln8ar pur s,\\El lueur aqt ot .{1uo t:a[
-qns are sraqt6 (sarueduroJ leluraqJ pue s>lueq
se qJns) saulsnpur patrln8al ll.teaq ur aterado
sattuua auos
tl3JJ3

ot paaolle sr ltrtua aqt

3qt tas lo 'tuarua8eueru dq qtr,tr pagduor aq ot

l3qtO sluauatDts lertueurJ
are suotlelnBar:o s.rel

s,ltltua uc ul sarnsolJsrp llue stunotue patrocla:

uo tl{J3 tl3lp r? J^Bq suoneln8a: :o s,,rrul auos Jo
aq1 ryo,u:r.ue.rj.{:otc1n8a: pue 1eBa1 aqt
suorsr.r.ord

atntnsuoc trafqns sr d]rtua ue qlq,t o1 suonelnBar

pur s.ll.pl asoql dlqe:aprsuol s3r-lel suoueln8ar
puB s^\El Jo stusurstEts lBrluguu uo lJaJJa aqf 'z
suorloln8ay puo snol {o nal{E

, suorleln8ar:o snel ljnads qtr,n

aruelldruoo uo dlate:edas uodar pue tsat ot pa8e8ua
{11e:qrcads sr rorpne ar{t qlq^\ ur stuaura8e8ua
3)uernsse r3qto o1 dldde tou saop SVS srqf sturur
-atets 1?rJuEurJ Jo trpnB uB ur suoueln8a: pue s^\ul
l3plsuoJ ot dtlllqlsuodsa.r s..rolpnE 3qt s?ssarppe

(SVS) sprEpuEts Suurpny

[tolanag pun psuno) lDlaulg

I prqrld

rallll{

Surlrpny uo luauratuls srq1.;o ador5

NOU,CnOOUTNI
IV/slu?w)tlls lonuoutg {o ypny
uo ut suopoln9ay pun snnl J'o uollD,rlplsuo)
'697 Furtrpny uo plBpuEtS lEuortEuratul qllA

stulLu:pis lnnunur4 {o lrptty uo tu suorlup8tg

puo srnxl Jo uollD.tzplsLto) splepuBts
Surrrpny uo ruarrrarBrs

Jo uosurduro3 :V trql{xE
0v/uoltBluaIunroo

67y-gTyTacueqduroruoN

p:rr:dsn5 ro pJrJltuJpl 1o Suruoda6

g7y-6 1y7p:t::dsnS ro paultuapl
s1 aruerldruoruoN uaq.4 sarnp3lold lrpnv
qir1\

slEllB A seuroqf
uErul3l[BH slrq]
uErssasl3N auuEzns
uujuS qdssof
dacug traqoS
11.r:apt1 6 saruuf
ursn5 tw41 tf 'uuo] I uolle1

.(:urr:y 3

pulr s.r\El qrrTq aruelldr-uo3 rql dtlllqlsuodsad

0tv-I

hoteuuldxS raqlo puu uortsllddv

'Vdll\')

.lo^'sprrpuDl5

LtotlDtrewtno(f

luuorss;rpr6

Iprly'6et

uoltr3s

:)lr,uas
aql ot

nV lo LZ'qdc:Surucl ur ayop uotltlduu LtoliDiuawll

-rop Jo uoltlurlap aqt lalleled or a8uuq: sult 3pr?ur
gSV

aqf

alsp asual:r uodar s,,rolrpnt; arluas aqr 8ur

0g ueqt ratul ou sr slsEq dlault e teqt

-,mo11o; s,{cp

satElrpur oSlE lnq 'srscc1.,(1aunt

uo 3lU lu3ur38EBua

lpur1 3rlt 3ur1qu-rasse 1o ssaco.rd J.^.uEltsrurtupe

aqt atalduror pue:irg ruar-ua8eBua uB ur uoletuaurn
-rop luaruaSeSua 3llt 3lqu3sse ot rotrpn all\ras 3q1

s:lnbar

osle Ey55 aqt 3o

6j qde:8rrug trodar a:ur

-lnssu s,rolrprle 3Jr^J3s 3qt Jo alep aq1 talc srsuq ,{l

E uo alu tuaruJSpSua lEuu 3q1 Surlqurasse 30

-ault

ss:rord a,r.rle.r1sruu.upD aqt ataldruot pue alu tuaur

-aBBFua uE ur uouutuarunlop aq1 alqiuasse ot Jot
-rpne arrl.ras aqt sarrnbrl aVSl 3qr Jo OE qde:8ere6

{sEI suorlezruu8ro al,r:aS

uorlalduroS uolteluaunJoC'9

]rpne

puc 3u

lo]

sap

Sf,UUlSlr

Iro,\\

nv

asn

rrpnr l
sasn r
I

rru0lss

ttPllv

Lt

!.r0lrprr

-e:ed

srsvSlf u lvrJrrJo