| Page of |
| Audit Program forConsideration of Type 1 and Type 2 Reports |
| Company: | Balance Sheet Date: |
| |
| Audit Objective | Audit Procedure for Consideration | N/A Performed By | Workpaper Index |
| | Audit Objectives Determine whether a type 1 or type 2 report is required to:Obtain an understanding of the design of internal controls and whether they have been placed in operation (all audits)Assess control risk below the maximum for certain financial statement assertions (if applicable)Read and understand the type 1 or type 2 report to determine how service organization’s controls affect the:Types of potential misstatements to the entity’s financial statementsFactors that affect the risk of material misstatementDesign of substantive audit testsAssessment of control risk for individual assertions | | |
| | Planning | | |
| A. | Identify transactions that are processed by a service organization. | | |
| A. | Link the transactions identified in step 1 to the entity’s financial statements and relevant assertions. | | |
| A. | Determine whether a type 1 or type 2 report is needed for each of the transactions identified in step 1.If a type 1 or type 2 report is not needed or is unavailable, then either:Perform alternative procedures to obtain the information necessary to plan the audit, orModify the auditor’s report for a scope limitation. | | |
| A. | Obtain the necessary Section 324 report(s), either from the client or directly from the service organization. | | |
| | Read and Assess the Implication of the Type 1 or Type 2 Report | | |
| B. | Read the service auditor’s report and assess its implications for the audit of the entity’s financial statements, including:Whether the service auditor prepares a type I or type II reportThe nature of the opinions rendered and whether these included any modifications to the standard reporting languageThe timing of the engagement, that is,The date “as of” which the description of controls appliesThe period of time covered by the tests of operating effectiveness of controls, if control risk is to be assessed below the maximum | | |
| B. | Read the description of the service organization’s controls and evaluate the effect of the following on the audit of the entity’s financial statements:Whether the description includes all significant transactions, processes, computer applications, or business units that affect the audit of the entity’s financial statementsWhether the description includes all five components of internal controlWhether the description is sufficiently detailed to understand how the service organization’s processing affects the entity’s financial statements, including estimates and disclosuresChanges to service organization controlsInstances of noncompliance with service organization controlsWhether the description of controls is adequate to provide an understanding of those elements of the entity’s accounting information system maintained by the service organization | | |
| B. | List all complementary user organization controls identified in the type 1 or type 2 report that the service auditor assumed were maintained by the entity. Cross-reference this list to the audit work performed to:Understand the design of these complementary user controls and whether they have been placed in operation, andIf applicable, tests of operating effectiveness of these controls. | | |
| | Tests of Operating Effectiveness (if applicable) | | |
| B. | Review the service auditor’s description of the tests of controls and assess their adequacy for your purposes. Consider:The link between the financial statement assertion and the control objectiveThe link between the control objective and the controls testedThe nature, timing, and extent of the tests performed | | |
| B. | Evaluate the results of the tests of controls and determine whether they support assessing control risk below the maximum. | | |
