Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting (SOC 1): (AICPA)

This updated and improved guide is designed to help accountants effectively perform SOC 1® engagements under AT-C section 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting, of Statement on Standards for Attestation Engagements (SSAE) No. 18, Attestation Standards: Clarification and Recodification. With the growth in business specialization, outsourcing tasks and functions to service organizations has become increasingly popular, increasing the demand for SOC 1 engagements. This guide will help: Gain a deeper understanding of the requirements and guidance in AT-C section 320 for performing SOC 1 engagements. Obtain guidance from top CPAs on how to implement AT-C section 320 and address common and practice issues. Provide best in class services related to planning, performing, and reporting on a SOC 1 engagement. Successfully implement changes in AT-C section 320 arising from the issuance of SSAE 18, which is effective for reports dated on or after May 1, 2017. Determine how to describe the matter giving rise to a modified opinion by providing over 20 illustrative paragraphs for different situations. Understand the kinds of information auditors of the financial statements of user entities need from a service auditor's report. Implement the requirement in SSAE No. 18 to obtain a written assertion from management of the service organization. Organize and draft relevant sections of a type 2 report by providing complete illustrative type 2 reports that include the service auditor’s report, management’s assertion, the description of the service organization’s system, and the service auditor’s description of tests of controls and results. Develop management representation letters for SOC 1 engagements.

Table of Contents:
1 Introduction and Background .01-.09 Other Types of Internal Control Engagements .09 2 Understanding How a User Auditor Uses a Type 1 or Type 2 Report .01-.20 Obtaining an Understanding of the Entity and Its Environment, Including the Entity’s Internal Control When the Entity Uses a Service Organization 01-.03 Service Organization Services to Which AU-C Section 402 Does Not Apply .04 Understanding Whether Controls at a Service Organization Affect a User Entity’s Internal Control .05-.11 Types of Service Auditor’s Reports .12 User Auditor Obtains Evidence of the Operating Effectiveness of Controls at a Service Organization 13-.18 Information That Assists User Auditors in Evaluating the Effect of a Service Organization on a User Entity’s Internal Control 19-.20 3 Planning a Service Auditor’s Engagement .01-.131 Understanding the Responsibilities of Management of the Service Organization .01-.82 Defining the Scope of the Engagement .02 Determining the Type of Engagement to Be Performed .03-.07 Determining the Period to Be Covered by the Report .08-.13 Determining Whether Services Provided to a Service Organization by Other Entities are Likely to Be Relevant to User Entities’ Internal Control Over Financial Reporting .14-.18 Determining Whether Subservice Organizations Will Be Carved Out or Included in the Description .19-.23 Selecting the Criteria to Be Used .24 Preparing the Description of the Service Organization’s System and Management’s Assertion .25-.67 Specifying the Control Objectives and Stating Them in the Description .68-.76 Identifying Risks That Threaten the Achievement of the Control Objectives .77-.78 Preparing Management’s Written Assertion .79-.81 Having a Reasonable Basis for Its Assertion .82 Responsibilities of the Service Auditor .83-.131 Client and Engagement Acceptance and Continuance .84-.90 Agreeing on the Terms of the Engagement .91-.94 Assessing the Suitability of Criteria .95-.96 Obtaining an Understanding of the Service Organization’s System .97-.105 Assessing the Risk of Material Misstatement .106-.109 Planning to Use the Work of Internal Auditors .110-.127 Using the Work of an Other Practitioner .128-.131 4 Performing a Service Auditor’s Engagement Under AT-C Section 320 .01-.197 Responding to Assessed Risk and Obtaining Evidence .01-.03 Evaluating Whether Management’s Description of the Service Organization’s System is Fairly Presented .04-.55 Materiality Related to the Fair Presentation of the Description of the Service Organization’s System .17-.19 Evaluating Whether Control Objectives are Reasonable in the Circumstances .20-.30 Control Objectives Not Relevant to User Entities’ Internal Control .31-.32 After Engagement Has Been Accepted, Service Auditor Determines Control Objectives are Not Reasonable in the Circumstances .33 Implementation of Service Organization Controls .34-.39 Complementary User Entity Controls .40-.42 Subservice Organizations .43-.55 Obtaining and Evaluating Evidence Regarding the Suitability of the Design of Controls .56-.77 Types of Assertions in User Entities’ Financial Statements .62-.64 IT General Control Objectives and Related Risks .65-.67 Linking Controls to Risks 68-.70 Multiple Controls Address the Same Control Objective .71 Information Needed to Evaluate Design of Control .72 Effect of Other Components of Internal Control on Design of Controls 73 Control Necessary to Achieve Control Objective is Missing .74 Difference Between Deficiency in Design and Deficiency in Operating Effectiveness .75-.77 Obtaining and Evaluating Evidence Regarding the Operating Effectiveness of Controls in a Type 2 Engagement .78-.122 Materiality With Respect to Operating Effectiveness of Controls 79 Determining Which Controls to Test .80-.84 Options for Presenting Tests of the Operating Effectiveness of Controls for Controls That Were Subsequently Deemed Not Suitably Designed .85-.86 Designing and Performing Tests of Controls .87-.88 Nature of Tests of Controls .89-.92 Evaluating the Reliability of Information Produced by the Service Organization .93-.100 Timing of Tests of Controls .101-.102 Extent of Tests of Controls .103-.106 Superseded Controls 107-.110 Selecting Items to Be Tested .111-.112 Using the Work of Internal Auditors .113-.121 Revision of Risk Assessment .122 Evaluating the Results of Procedures .123-.149 Evaluating Misstatements—General .127-.128 Evaluating Misstatements in the Description of the Service Organization’s System .129 Evaluating Deficiencies in the Suitability of the Design of Controls .130-.131 Evaluating Deviations in the Results of Tests of Controls (Deficiencies in the Operating Effectiveness of Controls) .132-.136 Evaluating the Sufficiency and Appropriateness of Evidence 137-.142 Other Considerations When Evaluating Evidence .143 Controls Did Not Operate During the Period Covered by the Service Auditor’s Report .144-.149 Extending or Modifying the Period .150-.162 Management’s Written Representations for the Extended or Modified Period .158 Deficiencies That Occur During the Original, Extended, or Modified Period .159-.162 Other Matters Related to Performing the Engagement .163-.167 Controls Designed by a Party Other Than Management of the Service Organization .163 Communicating Known and Suspected Fraud, Noncompliance With Laws or Regulations, Uncorrected Misstatements, and Deficiencies in the Design or Operating Effectiveness of Controls .164 Management Requests a Change in the Scope of the Engagement .165-.167 Forming the Opinion .168-.176 Documentation .175-.176 Completing the Engagement .177-.197 Requesting Written Representations .178-.191 Subsequent Events Up to the Date of the Service Auditor’s Report .192-.196 Management’s Responsibilities During Engagement Completion 197 5 Reporting .01-.98 Describing Tests of Controls and Results .02-.16 Describing Tests of Controls and Results When Using the Internal Audit Function .08-.13 Describing Tests of the Reliability of Information Produced by the Service Organization .14-.16 Preparing the Service Auditor’s Report .17-.34 Elements of the Service Auditor’s Report .17-.18 Report and Assertion When Service Organization Uses the Carve-Out Method .19-.21 Report When Assuming Responsibility for Work of an Other Practitioner .22 Other Information That is Not Covered by the Service Auditor’s Report .23-.34 Modifications to the Service Auditor’s Report .35-.47 Qualified Opinion .37-.39 Disclaimer of Opinion .40-.42 Management Will Not Provide a Written Assertion but Law or Regulation Does Not Permit Service Auditor to Withdraw From Engagement .43-.44 Adverse Opinion .45-.47 Report Paragraphs Describing the Matter Giving Rise to the Modification .48-.76 Illustrative Separate Paragraphs: Description is Not Fairly Presented .48-.67 Illustrative Separate Paragraphs: Controls are Not Suitably Designed .68-.70 Illustrative Separate Paragraphs: Controls Were Not Operating Effectively .71-.74 Illustrative Separate Paragraphs: Disclaimer of Opinion .75-.76 Other Matters Related to a Service Auditor’s Engagement .77-.98 Intended Users of the Report .77-.79 Determining Whether an Entity is an Indirect User Entity .80-.84 Report Date .85 Subsequent Events and Subsequently Discovered Facts .86-.90 Distribution of the Report by Management .91-.93 Service Auditor’s Recommendations for Improving Controls .94 Modifying Management’s Written Assertion .95-.98 Appendix A Illustrative Type 2 Reports B Illustrative Type 2 Reports—Inclusive Method, Including Illustrative Management Representation Letters C Illustrative Management Representation Letters D Illustrative Control Objectives for Various Types of Service Organizations E Comparison of SOC 1®, SOC 2®, and SOC 3® Engagements and Related Reports F Comparison of Requirements in AT-C Section 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting, With Requirements of International Standard on Assurance Engagements 3402, Assurance Reports on Controls at a Service Organization G Illustrative Service Auditor’s Report When Reporting Under Both AT-C Section 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting, and ISAE 3402, Assurance Reports on Controls at a Service Organization H Overview of Statements on Quality Control Standards Index of Pronouncements and Other Technical Guidance Subject Index

About the Author :
Founded in 1887, the American Institute of Certified Public Accountants (AICPA) represents the CPA and accounting professional nationally and globally regarding rule-making and standard-setting, and serves as an advocate before legislative bodies, public interest groups, and other professional organizations. The AICPA develops standards for audits of private companies and other services by CPAs; provides educational guidance materials to its members; develops and grades the Uniform CPA Examination; and monitors and enforces compliance with the accounting profession's technical and ethical standards. The AICPA's founding established accountancy as a profession distinguished by rigorous educational requirements, high professional standards, a strict code of professional ethics, a licensing status and a commitment to serving the public trust.