Audit Considerations Relating to an Entity Using a Service Organization
Audit – Tax – Advisory
Grant Thornton LLP
175 W Jackson Boulevard, 20th Floor
Chicago, IL 60604-2687
T 312.856.0200
F 312 565 4719
www.GrantThornton.com

February 17, 2009

Auditing Standards Board
American Institute of Certified Public Accountants
1211 Avenue of the Americas
New York, NY 10036-8775

Dear Board Members and Staff:
We appreciate the opportunity to comment on the proposed Statement on Auditing Standards (SAS), Audit Considerations Relating to an Entity Using a Service Organization (Redrafted), and proposed Statement on Standards for Attestation Engagements (SSAE), Reporting on Controls at a Service Organization, approved for exposure by the Auditing Standards Board of the American Institute of Certified Public Accountants. We support the Board’s issuance of the proposals, particularly separating them within the audit and attestation standards, and respectfully submit our comments and recommendations.
Overall, we are very pleased with the proposals and commend the Board on this significant undertaking to clarify extant AU section 324, Service Organizations, and converge it with the standards of the International Auditing and Assurance Standards Board (IAASB).
Objectives and requirements
We believe the objectives to be achieved by the auditor, the related requirements, and the revisions to converge with proposed International Standard on Auditing (ISA) 402 (Revised and Redrafted), Audit Considerations Relating to an Entity Using a Third Party Service Organization, and proposed International Standard on Assurance Engagements (ISAE) 3402, Assurance Reports on Controls at a Third Party Service Organization, are, for the most part, appropriate. With respect to convergence, however, the Board should:
· Consider the final clarified ISA and ISAE before finalizing the proposals, as the IAASB made significant enhancements to their proposals based on the comments they received during exposure.
· Reconsider whether the various wording changes are necessary, as different words may imply different meaning. The paragraph-level comments below provide some specific examples of wording changes that may not be correct.
Grant Thornton LLP U.S. member firm of Grant Thornton International Lt
· Consider, upon clarifying AT section 101, Attest Engagements, including matters that pertain to all assurance engagements in AT section 101 and removing them from the proposed SSAE. In the meantime, we support including the necessary requirements within the proposal, provided they are consistent with AT section 101 and other attestation standards.
Management’s assertion
We support an assertion-based engagement because it requires the service organization to include an explicit acknowledgment of management’s responsibilities and management’s assertions about the fair presentation of the description of the system, the suitable design of controls, and in the case of a Type 2 report, the operating effectiveness of controls. We believe such explicit acknowledgment is appropriate and in the public interest.
However, we believe the proposed SSAE could be enhanced to address the evidence that supports management’s assertion. We refer the Board to paragraphs 14 through 17 of AT section 501, An Examination of an Entity’s Internal Control Over Financial Reporting That is Integrated With an Audit of Its Financial Statements. These paragraphs adequately describe management’s responsibility to identify and document the controls and the control objectives that they were designed to achieve, that such documentation serves as a basis for management’s assertion, and that management’s monitoring activities may provide evidence of design and operating effectiveness. The Board should consider including these paragraphs as application and explanatory material in the proposed SSAE.
Effective dates
We concur that the proposed SSAE may become effective prior to the proposed SAS and that it may have the same effective date as proposed ISAE 3402, as a service auditor’s report under the proposed SSAE will meet the needs of a user auditor under extant standards. Nonetheless, the Board should consider the implementation time that may be necessary for service auditors, as well as service organizations, to properly apply the proposal.
Our main concern with the effective dates in both proposed standards, however, relates to early implementation. Although it would be acceptable for a user auditor and a service auditor to apply a higher standard, we believe there may be conceptual, as well as procedural, complexities in applying the clarified standards on an individual basis, more so for the audit standards versus the attestation standards. The Board should consider whether this is appropriate and should provide clear and concise guidance with respect to individually implementing the clarified standards as they are approved by the Board.
Assessing the risks of material misstatement
In the proposed SAS, paragraph 12 pertains to obtaining audit evidence of operating effectiveness related to controls that are applied only at the service organization when the user auditor’s risk assessment includes an expectation that such controls are operating effectively for certain assertions. The Board added item d to this paragraph, which is not in proposed ISA 402, as a procedure that may be used by the user auditor to obtain such evidence. Item d permits the user auditor to obtain evidence of operating effectiveness related to controls that are applied only at the service organization by only testing the user entity’s controls over the activities of the service organization. We would argue that, although the auditor may test a user entity’s controls, such tests alone may not provide sufficient evidence about the operating effectiveness of controls that are applied only at the service organization. Such testing only provides indirect evidence of operating effectiveness.
Intentional acts by service organization personnel
In the proposed SSAE, we believe the emphasis on “intentional acts by service organization personnel” in paragraph 32, as well as in the application and explanatory material, is unwarranted and potentially misleading with respect to the expectations of user entities and the responsibilities of service auditors. A user auditor is concerned with material misstatements that result from deficiencies in internal control over financial reporting. The emphasis on intentional acts by service organization personnel indirectly implies the service auditor has a responsibility with respect to material misstatements at the user entity.
Although we agree that if an intentional act represents a risk that a control objective stated in the description of the service organization’s system will not be achieved, we believe the service auditor’s responsibility for such acts is no different than that of errors or omissions. The service auditor is to obtain reasonable assurance that the description is fairly presented, the controls are suitably designed to achieve the control objectives, and in a Type 2 report, the controls operated effectively to achieve the control objectives, which takes into consideration errors, omissions and intentional acts.
We note that the requirement in paragraph 32 is not included in proposed ISAE 3402. For the reasons stated above, we believe the requirement should also not be included in the proposed SSAE. However, if emphasis on intentional acts by service organization personnel is to be retained in the proposed SSAE, we suggest the Board clearly describe the service auditor’s responsibilities in this area, as they differ from those of a user auditor. We believe this is necessary from a public interest perspective. We further suggest the requirement in paragraph 32 be broadened to refer to errors and omissions, in addition to intentional acts by service organization personnel.
Paragraphlevel comments The following offers specific paragraphlevel comments for the Board’s consideration.
Paragraph Comment
Proposed SAS
Paragraph 3: We noted the proposed SAS deletes item (f) from proposed ISA 402. We believe this item should be reinstated; otherwise, there appears to be an unexplained inconsistency between the proposed SAS and proposed ISA 402 as to when a service organization’s services are part of an entity’s information and communication systems. There would also be an inconsistency with paragraph 19 of proposed SAS, Understanding the Entity and its Environment and Assessing the Risks of Material Misstatement (Redrafted). We suggest the language in this paragraph align with the language in paragraph 19 of the aforementioned proposed SAS.
Paragraph 8: The definition of service auditor diverges from proposed ISA 402. The ISA is clear in that the service auditor issues an assurance report. The proposed SAS does not include such specificity, which could imply any type of report (e.g., consulting). If the intention of the Board was to expand the definition of service auditor, we believe this should be clarified in the application and explanatory material.
The definitions of report on a description of a service organization’s system and the suitability of the design of controls, and report on a description of a service organization’s system and the suitability of the design and operating effectiveness of controls were modified to align with the definitions in the proposed SSAE. This indirectly implies that only assurance reports prepared in accordance with the proposed SSAE or its equivalent, such as proposed ISAE 3402, would be permitted to be used by the auditor as audit evidence under the proposed SAS. Proposed ISA 402 includes different definitions of these terms than those included in proposed ISAE 3402 to allow for the possibility of service auditor’s reports prepared in accordance with other standards that may not include the specificity of ISAE 3402. We believe this is appropriate as such reports could be used as audit evidence by the service auditor. The Board should reconsider this matter to determine whether it is necessary to modify the definitions as proposed by the IAASB.
If the definitions are not modified, we further note the proposed SAS does not clearly indicate what is, or should be, included in the “description of the service organization’s system.” We believe this is an important detail that was lost with the use of the definitions in the proposed SSAE. In this regard, the Board should consider including the definition of “service organization’s system” currently in paragraph 7 of the proposed SSAE.
Paragraph 14: We believe the first sentence of this paragraph should be moved to the application and explanatory material. It is not essential to the application of this requirement.
We also believe the requirement in paragraph 14 for the auditor to perform the procedure in paragraph 13b should be deleted, as it is repetitive.
Further, we believe item c is similar to item a, and therefore, suggest item a be more general by referring to the description, design and operating effectiveness of controls.
Paragraph 18: Similar to our previous comment to consider the final ISA, this paragraph seems misplaced. We believe it should be moved further up into the document under a heading pertaining to responding to assessed risks, followed by the requirements in paragraphs 12 and 14. This would be consistent with more recent changes considered by the IAASB.
We also believe the phrase “through the user entity” is not required. We believe the last sentence of paragraph A7 addresses this matter.
Paragraphs A7, A8: Consider moving the last sentence of paragraph A7 as the first sentence in paragraph A8.
Paragraph A17: We prefer the ISA language. It is clearer in that if the user auditor is unable to obtain the necessary understanding of the user entity’s internal control, a modified opinion (rather than report) is required.
Paragraph A18: The example in the first sentence does not seem to fit with the content of the sentence. The example seems to address a user auditor’s procedures, and not the procedures a user auditor would request a service auditor to perform at the service organization.
Paragraph A21: Although this is similar to proposed ISA 402, the Board should consider whether the requirement and the related application guidance are clear. It appears as though the items listed in this paragraph as matters the auditor may consider are also in paragraph 14 as requirements; for example, item c in paragraph 14 and item a in paragraph A21.
Paragraph A32: The use of the phrase “examination report” has not been used consistently throughout the proposed SAS.
In the last sentence of paragraph A32, we question whether the phrase “need not” is strong enough with respect to identifying the service auditor by name. We believe it is never acceptable to name the service auditor; a general reference is sufficient.
Paragraph A35: We recommend moving the phrase “under AT section 201” to the second sentence, which relates specifically to the performance of agreed-upon procedures.
Proposed SSAE
Paragraph 4: In the last sentence, we believe it is not necessary to refer to “reporting guidance,” as the entire standard is written on the premise that management will provide a written assertion.
It may be helpful to add, after paragraph 4, a reference to relevant ethical requirements with respect to the performance of nonattest services related to the service organization’s controls and documentation thereof. See paragraph 5 of AT section 501.
Paragraph 7: The definition of control objectives uses the term “significant account or disclosure,” which aligns with the definition in AT section 501. However, the Board’s proposed SAS, Understanding the Entity and its Environment and Assessing the Risks of Material Misstatements (Redrafted), refers to “material” rather than significant. The Board should address this apparent inconsistency.
In the definition of criteria, we believe the last two sentences do not form part of the definition and could be moved to the application and explanatory material.
In the definition of inclusive method, we prefer deleting the phrase “included in the scope of the service auditor’s engagement.” It is not needed and makes the definition difficult to read.
We believe the definition of test of controls should revert back to the definition in proposed ISAE 3402. A control prevents, or detects and corrects errors. The absence, inadequacy, and/or non-operation of a control is a deficiency. Therefore, we believe the definition in the proposed SSAE is incorrect.
Paragraphs 10, 11: The Board should consider streamlining paragraph 10 and placing it and paragraph 11 in the section entitled “Preparing the Service Auditor’s Report.” It seems misplaced and unnecessarily complex. The first sentence of paragraph 11 can be moved to paragraph 9, which can include a reference to these reporting requirements.
Paragraph 14: Although we agree with this requirement, it indirectly reflects that management must use suitable criteria to support its assertion. The Board should consider whether reference to management’s assertion should be more explicit within this paragraph.
Paragraph 21: We note the proposed SSAE uses the term “should evaluate,” while proposed ISAE 3402 uses the term “should consider.” If the Board intends a different auditor action and related documentation, the application and explanatory material should be enhanced. Otherwise, the phrase “should consider” should be used to maintain consistency with proposed ISAE 3402.
Paragraphs 22, 23, 25: We note that paragraph 22 was revised to address internal audit’s direct assistance to the service provider. When internal audit works under the direction of the service auditor, their work is directly scoped, supervised and reviewed by the service auditor. In this regard, we question whether the addition in paragraph 22 unnecessarily complicates the requirements in paragraphs 23 and 25, which were written in the context of work that is not under the service auditor’s direction. The Board should consider whether direct assistance should be covered by the application and explanatory material instead of the requirement in paragraph 22. We also believe the Board should consider the requirements paragraph 23 of AT section 201, Agreed-Upon Procedures Engagements. Any reference to internal audit’s work should not imply shared responsibility. In addition, the service auditor should not report internal audit’s findings as the service auditor’s own findings. Because the guidance in this proposed standard is different than the guidance in AT 201, we do not understand whether the appropriate use of internal audit assistance is different than when performing agreed-upon procedures engagements and, if so, why that would be the case.
Paragraphs 26-30, 34, 35, 37, 38c, 39, 40, 40b, 41, 42
The proposal contains requirements pertaining to the use of a service auditor’s specialist. We concur with such requirements provided related application guidance is included that clearly explains how the service auditor would use a specialist and how the requirements interrelate with existing requirements in AT section 101. We note that AT section 201 also addresses this topic. As stated previously, we believe matters pertaining to all assurance engagements should be eventually addressed by AT section 101. In the meantime, the Board should ensure consistency.
The requirement in paragraph 28 was revised to impose a written understanding with the service auditor’s specialist. If the service auditor’s specialist is employed by the service auditor, a written understanding may not be necessary. Accordingly, we believe the Board should revert back to the proposed ISAE 3402 language.
The changes in this paragraph from proposed ISAE 3402 can be interpreted as a weaker requirement. The Board should consider whether the changes are necessary; specifically, the deletion of the requirement to perform observation and inspection.
We believe combining these requirements indirectly seems to change the meaning of what the auditor is required to do. The revised requirement may be read to say that the auditor only needs to do a or b. Proposed ISAE 3402 indicates that the auditor should at least do a and b. We see no reason to alter the ISAE 3402 language.
We agree with the nature of the requirements herein. However, we prefer the initial requirement be rewritten to focus the auditor on evaluating whether management’s description appropriately includes changes in the service organization’s controls, as well as changes in the service organization’s system (such as manual processes and application systems). Management is responsible for the description of the service organization’s system. The auditor is responsible for determining whether the description is fairly presented.
The language in this paragraph was revised and does not align with the language in paragraph 8 of the Board’s proposed SAS, Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained (Redrafted). As stated previously, we suggest consistent language be used throughout the Board’s standards.
The last sentence requires the auditor to refer to AU section 350, Audit Sampling, if the service auditor determines that sampling is appropriate. This requirement, as written, does not clearly describe the auditor’s responsibilities, including whether the requirements in AU section 350 must be complied with by the service auditor. It is also inconsistent with how the proposed SSAE addresses the use of internal audit or a service auditor’s specialist, without reference to the audit standards.
In reference to our previous comments, we suggest deleting the additional language that was added regarding intentional acts by service organization personnel. Alternatively, this language should be deemphasized by also referring to errors and omissions.
We do not understand why the last sentence was added to this requirement. Although it is a fact that compensating controls may limit the severity of a deficiency, we do not believe this sentence is essential to the application of this requirement. We further believe the sentence is confusing, as it is the user entity’s and user auditor’s responsibility to determine whether the compensating control would limit the severity of a deficiency in internal control over financial reporting at the user entity. A compensating control at a service organization may assist the service organization in achieving the control objective.
We understand the Board considered anomalies as part of their discussion of AU section 350 and deleted a similar paragraph therein. We suggest the Board do the same in the proposed SSAE.
We believe item b should be more closely aligned with paragraph 8b(6)(a).
We believe item c(2) should be more linked to the services covered by the engagement and matters that may affect one or more user organizations. Also, the example should not be part of the requirement.
Paragraph 45: We believe this paragraph should be clearer by stating that a failure to obtain written representations constitutes a scope limitation.
Paragraphs 51, 52: For consistency, the reference to “significant matters” should be to “significant findings or issues,” as in paragraph 53.
Paragraph 57k: Similar to paragraph 110 of AT section 501, we suggest adding a requirement stating that the service auditor should date the report no earlier than the date on which the service auditor has obtained sufficient appropriate evidence to support the service auditor's opinion.
Paragraph 58: Conceptually, we agree with and like this requirement. However, the required report wording seems too prescriptive. That is, it appears as if these exact words must appear in the service auditor’s report. As such, we recommend revising this requirement to be more principles based.
Paragraph 59: This paragraph requires the auditor to report deviations even if the control that was tested is subsequently removed from the description of the service organization’s system. We believe it would be helpful to state that the auditor should describe the related tests as well, including tests of any compensating controls.
Paragraph 61: We believe this paragraph needs to be reconsidered by the Board. We note that item (1) does not seem to align with other requirements, as it uses superseded language in extant standards that pertains to deficiencies in internal control and is not appropriately linked to the control’s ability to achieve the control objectives (see language in paragraph A25). It also requires modification of the report, and not the opinion, if there are design deficiencies that are not mitigated. If there are design deficiencies, it would seem that one or more of the stated control objectives would not be achieved and such would require a modified opinion under paragraph 60b without this paragraph. On the other hand, we question whether the paragraph implies that the auditor is required to evaluate the adequacy of the control objectives, and inadequate objectives would lead to a modified report.
Paragraph A9: This paragraph seems out of context in consideration of paragraph A10. We recommend deleting this paragraph, but including the first sentence as the first sentence in paragraph A10.
ISAE 3402, paragraph 31: Paragraph 31 of proposed ISAE 3402 was deleted, but is not highlighted as a difference with the proposed SSAE in Exhibit E.
We would be pleased to discuss this letter with you. If you have any questions, please contact Mr. John L. Archambault, Managing Partner of Professional Standards, at (312) 602-8701.
Sincerely,
Grant Thornton LLP U.S. member firm of Grant Thornton International Lt