Whether you are an auditor of an entity that uses service organizations or an auditor issuing reports on the controls of service organizations, it is critical to understand the complexities of service organizations, including the functions they perform, the related controls, and their effects on an entity’s financial statements. AICPA publications provide information on recent developments, guidance, and practice aids to assist practitioners when working with service organizations, including
- reporting under Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization, which replaces the guidance for service auditors in SAS No. 70.
- discussions on planning, performing, and reporting on a service auditor’s engagement.
- SSAE No. 16 itself.
- illustrative type 1 and type 2 reports.
- management representation letters and control objectives for various types of service organizations.
- understanding the kinds of information auditors of the financial statements of user entities need from a service auditor’s report.
- matters to be considered and procedures to be performed by the service auditor in planning and performing the engagement to test (1) the fairness of the presentation of management’s description of the service organization’s system; (2) the suitability of the design and operating effectiveness of the controls included in the description; and (3) in a SOC 2 engagement that addresses the privacy principle, whether the service organization complied with the commitments in its statement of privacy practices.
- the service auditor’s responsibilities when reporting on a SOC 2 engagement.
- cloud computing.