Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting (SOC 1®)

This updated and improved guide is designed to help accountants effectively perform SOC 1® engagements under AT-C section 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting, of Statement on Standards for Attestation Engagements (SSAE) No. 18, Attestation Standards: Clarification and Recodification. With the growth in business specialization, outsourcing tasks and functions to service organizations has become increasingly popular, increasing the demand for SOC 1 engagements.

This guide will help you:

  • Gain a deeper understanding of the requirements and guidance in AT-C section 320 for performing SOC 1 engagements.
  • Obtain guidance from top CPAs on how to implement AT-C section 320 and address common practice issues.
  • Provide best-in-class services related to planning, performing, and reporting on a SOC 1 engagement.
  • Successfully implement the changes in AT-C section 320 arising from the issuance of SSAE No. 18, which is effective for reports dated on or after May 1, 2017.
  • Determine how to describe the matter giving rise to a modified opinion, using more than 20 illustrative paragraphs for different situations.
  • Understand the kinds of information auditors of the financial statements of user entities need from a service auditor's report.
  • Implement the requirement in SSAE No. 18 to obtain a written assertion from management of the service organization.
  • Organize and draft the relevant sections of a type 2 report, using complete illustrative type 2 reports that include the service auditor’s report, management’s assertion, the description of the service organization’s system, and the service auditor’s description of tests of controls and results.
  • Develop management representation letters for SOC 1 engagements.


Founded in 1887, the American Institute of Certified Public Accountants (AICPA) represents the CPA and accounting profession nationally and globally regarding rule-making and standard-setting, and serves as an advocate before legislative bodies, public interest groups, and other professional organizations. The AICPA develops standards for audits of private companies and other services by CPAs; provides educational guidance materials to its members; develops and grades the Uniform CPA Examination; and monitors and enforces compliance with the accounting profession's technical and ethical standards.
The AICPA's founding established accountancy as a profession distinguished by rigorous educational requirements, high professional standards, a strict code of professional ethics, a licensing status and a commitment to serving the public trust.


1 Introduction and Background .01-.09
  Other Types of Internal Control Engagements .09

2 Understanding How a User Auditor Uses a Type 1 or Type 2 Report .01-.20
  Obtaining an Understanding of the Entity and Its Environment, Including the Entity’s Internal Control When the Entity Uses a Service Organization .01-.03
  Service Organization Services to Which AU-C Section 402 Does Not Apply .04
  Understanding Whether Controls at a Service Organization Affect a User Entity’s Internal Control .05-.11
  Types of Service Auditor’s Reports .12
  User Auditor Obtains Evidence of the Operating Effectiveness of Controls at a Service Organization .13-.18
  Information That Assists User Auditors in Evaluating the Effect of a Service Organization on a User Entity’s Internal Control .19-.20

3 Planning a Service Auditor’s Engagement .01-.131
  Understanding the Responsibilities of Management of the Service Organization .01-.82
    Defining the Scope of the Engagement .02
    Determining the Type of Engagement to Be Performed .03-.07
    Determining the Period to Be Covered by the Report .08-.13
    Determining Whether Services Provided to a Service Organization by Other Entities Are Likely to Be Relevant to User Entities’ Internal Control Over Financial Reporting .14-.18
    Determining Whether Subservice Organizations Will Be Carved Out or Included in the Description .19-.23
    Selecting the Criteria to Be Used .24
    Preparing the Description of the Service Organization’s System and Management’s Assertion .25-.67
    Specifying the Control Objectives and Stating Them in the Description .68-.76
    Identifying Risks That Threaten the Achievement of the Control Objectives .77-.78
    Preparing Management’s Written Assertion .79-.81
    Having a Reasonable Basis for Its Assertion .82
  Responsibilities of the Service Auditor .83-.131
    Client and Engagement Acceptance and Continuance .84-.90
    Agreeing on the Terms of the Engagement .91-.94
    Assessing the Suitability of Criteria .95-.96
    Obtaining an Understanding of the Service Organization’s System .97-.105
    Assessing the Risk of Material Misstatement .106-.109
    Planning to Use the Work of Internal Auditors .110-.127
    Using the Work of an Other Practitioner .128-.131

4 Performing a Service Auditor’s Engagement Under AT-C Section 320 .01-.197
  Responding to Assessed Risk and Obtaining Evidence .01-.03
  Evaluating Whether Management’s Description of the Service Organization’s System Is Fairly Presented .04-.55
    Materiality Related to the Fair Presentation of the Description of the Service Organization’s System .17-.19
    Evaluating Whether Control Objectives Are Reasonable in the Circumstances .20-.30
    Control Objectives Not Relevant to User Entities’ Internal Control .31-.32
    After Engagement Has Been Accepted, Service Auditor Determines Control Objectives Are Not Reasonable in the Circumstances .33
    Implementation of Service Organization Controls .34-.39
    Complementary User Entity Controls .40-.42
    Subservice Organizations .43-.55
  Obtaining and Evaluating Evidence Regarding the Suitability of the Design of Controls .56-.77
    Types of Assertions in User Entities’ Financial Statements .62-.64
    IT General Control Objectives and Related Risks .65-.67
    Linking Controls to Risks .68-.70
    Multiple Controls Address the Same Control Objective .71
    Information Needed to Evaluate Design of Control .72
    Effect of Other Components of Internal Control on Design of Controls .73
    Control Necessary to Achieve Control Objective Is Missing .74
    Difference Between Deficiency in Design and Deficiency in Operating Effectiveness .75-.77
  Obtaining and Evaluating Evidence Regarding the Operating Effectiveness of Controls in a Type 2 Engagement .78-.122
    Materiality With Respect to Operating Effectiveness of Controls .79
    Determining Which Controls to Test .80-.84
    Options for Presenting Tests of the Operating Effectiveness of Controls for Controls That Were Subsequently Deemed Not Suitably Designed .85-.86
    Designing and Performing Tests of Controls .87-.88
    Nature of Tests of Controls .89-.92
    Evaluating the Reliability of Information Produced by the Service Organization .93-.100
    Timing of Tests of Controls .101-.102
    Extent of Tests of Controls .103-.106
    Superseded Controls .107-.110
    Selecting Items to Be Tested .111-.112
    Using the Work of Internal Auditors .113-.121
    Revision of Risk Assessment .122
  Evaluating the Results of Procedures .123-.149
    Evaluating Misstatements—General .127-.128
    Evaluating Misstatements in the Description of the Service Organization’s System .129
    Evaluating Deficiencies in the Suitability of the Design of Controls .130-.131
    Evaluating Deviations in the Results of Tests of Controls (Deficiencies in the Operating Effectiveness of Controls) .132-.136
    Evaluating the Sufficiency and Appropriateness of Evidence .137-.142
    Other Considerations When Evaluating Evidence .143
    Controls Did Not Operate During the Period Covered by the Service Auditor’s Report .144-.149
  Extending or Modifying the Period .150-.162
    Management’s Written Representations for the Extended or Modified Period .158
    Deficiencies That Occur During the Original, Extended, or Modified Period .159-.162
  Other Matters Related to Performing the Engagement .163-.167
    Controls Designed by a Party Other Than Management of the Service Organization .163
    Communicating Known and Suspected Fraud, Noncompliance With Laws or Regulations, Uncorrected Misstatements, and Deficiencies in the Design or Operating Effectiveness of Controls .164
    Management Requests a Change in the Scope of the Engagement .165-.167
  Forming the Opinion .168-.176
    Documentation .175-.176
  Completing the Engagement .177-.197
    Requesting Written Representations .178-.191
    Subsequent Events Up to the Date of the Service Auditor’s Report .192-.196
    Management’s Responsibilities During Engagement Completion .197

5 Reporting .01-.98
  Describing Tests of Controls and Results .02-.16
    Describing Tests of Controls and Results When Using the Internal Audit Function .08-.13
    Describing Tests of the Reliability of Information Produced by the Service Organization .14-.16
  Preparing the Service Auditor’s Report .17-.34
    Elements of the Service Auditor’s Report .17-.18
    Report and Assertion When Service Organization Uses the Carve-Out Method .19-.21
    Report When Assuming Responsibility for Work of an Other Practitioner .22
    Other Information That Is Not Covered by the Service Auditor’s Report .23-.34
  Modifications to the Service Auditor’s Report .35-.47
    Qualified Opinion .37-.39
    Disclaimer of Opinion .40-.42
    Management Will Not Provide a Written Assertion but Law or Regulation Does Not Permit Service Auditor to Withdraw From Engagement .43-.44
    Adverse Opinion .45-.47
  Report Paragraphs Describing the Matter Giving Rise to the Modification .48-.76
    Illustrative Separate Paragraphs: Description Is Not Fairly Presented .48-.67
    Illustrative Separate Paragraphs: Controls Are Not Suitably Designed .68-.70
    Illustrative Separate Paragraphs: Controls Were Not Operating Effectively .71-.74
    Illustrative Separate Paragraphs: Disclaimer of Opinion .75-.76
  Other Matters Related to a Service Auditor’s Engagement .77-.98
    Intended Users of the Report .77-.79
    Determining Whether an Entity Is an Indirect User Entity .80-.84
    Report Date .85
    Subsequent Events and Subsequently Discovered Facts .86-.90
    Distribution of the Report by Management .91-.93
    Service Auditor’s Recommendations for Improving Controls .94
    Modifying Management’s Written Assertion .95-.98

Appendix
  A Illustrative Type 2 Reports
  B Illustrative Type 2 Reports—Inclusive Method, Including Illustrative Management Representation Letters
  C Illustrative Management Representation Letters
  D Illustrative Control Objectives for Various Types of Service Organizations
