Читать книгу Wiley Practitioner's Guide to GAAS 2020 - Joanne M. Flood - Страница 288

When an entity uses a service organization, part of the processing that the auditor usually finds in the client’s internal control is physically and operationally separate from that entity (the user entity). In some circumstances, the user entity may be able to implement effective internal controls. This occurs when the user entity authorizes all transactions and maintains accountability that would detect unauthorized transactions or activity.

In other circumstances, the service organization’s procedures relevant to the user entity need to be included when the user auditor is obtaining an understanding of internal control in accordance with AU-C 315. One source of additional information to obtain this understanding is a service auditor’s report. (AU-C 402.12)

The key factors for a user auditor to consider in deciding whether additional information, such as a service auditor’s report, is needed are:

 The nature and significance of the sources provided by the service organization

 The nature of the relationship between the user entity and the service organization, including contractual terms

 The degree of interaction between the activity at the service organization and that of the user organization

 The nature of the transactions processed

 The materiality of the transactions processed

(AU-C 402.09)

Information about a service organization’s controls may be obtained from various sources, including:

 User and technical manuals

 System overviews

 The contract between the user organization and the service organization

 Reports by service organizations, internal auditors, or regulatory authorities on the service organization’s controls

 Reports by the service auditor

 The user auditor’s prior experience with the service organization (if the services and the service organization’s controls are highly standardized)

(AU-C 402.A1 and .A2)

The auditor’s understanding of internal control should be sufficient to “plan the audit.” Additional information from the service center or a service auditor’s report may not be needed if the auditor obtains at the user entity a sufficient understanding of the controls placed in operation by the service organizations to:

 Identify types of potential misstatements

 Consider factors that affect the risk of material misstatement

(AU-C 402.10 and .11)

If the user auditor cannot obtain a sufficient understanding from the user entity, the auditor should consider the following procedures:

 Request specific information from the service organization.

 Visit the service organization and perform procedures to obtain the necessary information.

 Use another auditor to perform the necessary procedures.

 Obtain and read a type 1 or type 2 service organization report.

(AU-C 402.12)

Before deciding to use a type 1 or type 2 report, the user auditor should be satisfied about:

 The service auditor’s professional competence and independence

 The adequacy of the standards used to issue the report

(AU-C 402.13)

When using a Type 1 or 2 report as audit evidence, the auditor should:

 Determine whether the report is as of a date (type 1) or is for a period (type 2) that is appropriate for the audit’s progress,

 Assess the efficiency and appropriateness of the report,

 Evaluate whether complementary user entity controls identified by the service organization are relevant to addressing the user of national misstatements, and

 If those controls are relevant, obtain an understanding of whether the user entity has designed and implemented those controls.

(AU-C 402.14)