Title Details

Founded in 1887, the American Institute of Certified Public Accountants (AICPA) represents the CPA and accounting profession nationally and globally regarding rule-making and standard-setting, and serves as an advocate before legislative bodies, public interest groups and other professional organizations. The AICPA develops standards for audits of private companies and other services by CPAs; provides educational guidance materials to its members; develops and grades the Uniform CPA Examination; and monitors and enforces compliance with the accounting profession’s technical and ethical standards.
The AICPA’s founding established accountancy as a profession distinguished by rigorous educational requirements, high professional standards, a strict code of professional ethics, a licensing status and a commitment to serving the public interest.

Other Types of Internal Control Engagements 10

2 Understanding How a User Auditor Uses a Type 1 or Type 2 Report .01-.20

Obtaining an Understanding of the Entity and Its Environment, Including the Entity’s Internal Control When the Entity Uses a Service Organization 01-.03

Service Organization Services to Which AU-C Section 402 Does Not Apply 04 Understanding Whether Controls at a Service Organization Affect a User Entity’s Internal Control 05-.11

Types of Service Auditor’s Reports 12

Obtaining Evidence of the Operating Effectiveness of Controls at a Service Organization 13-.18

Information That Assists User Auditors in Evaluating the Effect of a Service Organization on a User Entity’s

Internal Control 19-.20

3 Planning a Service Auditor’s Engagement 01-.112

Responsibilities of Management of the Service Organization 01-.112

Defining the Scope of the Engagement 02 Determining the Type of Engagement to Be Performed .03-.06

Determining the Period to Be Covered by the Report .07-.09

Determining Whether Any Subservice Organizations Will Be Included In or Carved Out of the Description .10-.34

Selecting the Criteria for the Description of the System .35

Preparing the Description .36-.56

Specifying the Control Objectives .57-.77

Preparing Management’s Written Assertion 78-.98

Assessing the Suitability of Criteria 99-.100

Planning to Use the Work of the Internal Audit Function .101-.108

Coordinating Procedures With the Internal Audit Function .109-.112

Chapter Paragraph 4 Performing an Engagement Under AT Section 801 .01-.147

Obtaining and Evaluating Evidence About Whether the Description of the Service Organization’s System Is
Fairly Presented 01-.14

Other Information in the Description That Is Not Covered by the Service Auditor’s Report .11-.12

Materiality Relating to the Fair Presentation of the Description of the Service Organization’s System .13-.14

Evaluating Whether Control Objectives Relate to Internal Control Over Financial Reporting 15-.41

Implementation of Service Organization Controls .18-.23

Changes to the Scope of the Engagement 24-.27

Complementary User Entity Controls .28-.31

Subservice Organizations 32-.40

Other Matters Relating to Fair Presentation 41

Obtaining and Evaluating Evidence Regarding the Suitability of the Design of Controls 42-.65

Obtaining and Evaluating Evidence Regarding the Operating Effectiveness of Controls in a Type 2 Engagement .66-.67

Determining Which Controls to Test .68-.73

Designing and Performing Tests of Controls 74-.99

Nature of Tests of Controls 79-.89

Timing of Tests of Controls 90-.91

Extent of Tests of Controls .92-.95

Superseded Controls .96-.99

Selecting Items to Be Tested .100-.103

Using the Work of the Internal Audit Function 104-.115

Direct Assistance .114-.115

Evaluating the Results of Tests of Controls 116-.128

Controls That Did Not Operate During the Period

Covered by the Service Auditor’s Report .120-.126

Documentation .127-.128

Extending or Modifying the Period 129-.147

Management’s Written Representations for the Extended or Modified Period 139

Deficiencies That Occur During the Original, Extended, or Modified Period .140-.143

Examination Quality Control 144-.147

5 Reporting and Completing the Engagement .01-.102

Responsibilities of the Service Auditor .01-.64

Describing Tests of Controls and the Results of Tests .02-.13

Preparing the Service Auditor’s Report .14-.23

Chapter Paragraph 5 Reporting and Completing the Engagement—continued Modifications to the Service Auditor’s Report .24-.64

Other Matters Related to the Service Auditor’s Report .65-.74

Intended Users of the Report 65-.67

Determining Whether an Entity Is an Indirect User Entity 68-.73

Report Date .74

Completing the Engagement 75-.93

Obtaining Written Representations 76-.87

Subsequent Events Up to the Date of the Service Auditor’s Report 88-.92

Subsequently Discovered Facts That Become Known to the Service Auditor After the Release of the Service Auditor’s Report .93

Service Auditor’s Recommendations for Improving Controls .94

Management’s Responsibilities During Engagement Completion 95-.102

Modifying Management’s Written Assertion 96-.99

Distribution of the Report by Management .100-.102

Appendix

A Illustrative Type 2 Reports

B Illustrative Assertions By Management of a Service Organization and Management of a Subservice Organization for a Type 2 Engagement in Which the Inclusive Method Is Used to Present the Subservice Organization

C Illustrative Management Representation Letters

D Reporting on IT General Controls Only; Illustrative Management Assertions and Service Auditor’s Reports

E Illustrative Control Objectives for Various Types of Service Organizations

F Comparison of SOC 1, SOC 2, and SOC 3 Engagements and Related Reports

G Other Referenced Authoritative Standards H Schedule of Changes Made to the Text From the Previous