Read the book Wiley Practitioner's Guide to GAAS 2020 - Joanne M. Flood - Page 292
Considerations in Using a Service Auditor’s Report
A service auditor’s report with a “clean opinion” does not mean the service organization controls are effective for the user organization. It means that the control objectives listed and their related controls are described accurately. For example:
The report may not address all of the control objectives that the user auditor would find helpful. Key control objectives relating to transactions processed by service organizations are often defined in the description as responsibilities of the user organization, not of the service organization.
The description may state that the system was designed with the assumption that certain internal controls would be implemented by the user organization. In this case, the service auditor’s report includes “and user organizations applied the internal controls contemplated in the design of the service organization’s controls” in the scope and opinion paragraphs.
One criterion used by service auditors to determine whether a significant deficiency exists is whether user organizations would “generally be expected to have controls in place to mitigate such design deficiencies.” The user auditor needs to consider whether his or her client has these expected controls in place.
Obtaining a service auditor’s report and carefully reading the description are the starting point for obtaining an understanding of internal control and how it is integrated between the service organization and the user entity.
The user auditor should make inquiries concerning the service auditor’s professional reputation. The user auditor should consider the scope and results of the service auditor’s work to decide whether the report provides the needed information and evidential matter that the user auditor needs to achieve the audit objectives. In some cases, the user auditor may clarify his or her understanding of the service auditor’s procedures and conclusions by discussing the scope and results of the work with the service auditor and reviewing the service auditor’s audit program and workpapers.
If the user auditor cannot obtain sufficient evidence to achieve the audit objectives, the user auditor should issue a qualified opinion or disclaim an opinion because of a scope limitation. (AU-C 402.20)
To explain a modification of the user auditor’s opinion, a user auditor may make reference to the work of a service auditor. In that case, the user auditor’s report must indicate that such reference does not diminish the user auditor’s responsibility for that opinion. (AU-C 402.22) However, if the report is not modified, the user auditor’s audit report on the financial statements should not refer to the report of the service auditor. (AU-C 402.21) The service auditor is not responsible for examining any portion of the financial statements.
When the user auditor wishes to reduce the assessed level of control risk and is using a service auditor’s report that reports the results of tests of controls over a specified time period, the user auditor should consider the appropriateness of the time period covered in evaluating the tests performed and results to assess the level of control risk for the user entity.