Please recollect, correlate and use your knowledge of SA 402 and SA 330 to understand the concepts of SAE 3402.
Study the two questions given below.
- When auditing the description of a service organisation's internal control system, how does the service auditor collect evidence regarding the description, the design and the operating effectiveness of that system? (SAE 3402)
Obtaining Evidence Regarding the Description
The service auditor shall obtain and read the service organization’s description of its system, and shall evaluate whether those aspects of the description included in the scope of the engagement are fairly presented, including whether:
- Control objectives stated in the service organization’s description of its system are reasonable in the circumstances; (Authorisation / Accuracy / Completeness / Confidentiality etc.)
- Controls identified in that description were implemented; (Naresh / Suresh, as in the example, are actually working; see SA 402)
- Complementary user entity controls, if any, are adequately described; and
- Services performed by a subservice organization, if any, are adequately described, including whether the inclusive method or the carve-out method has been used in relation to them.
The service auditor shall determine, through other procedures in combination with inquiries, whether the service organization’s system has been implemented. Those other procedures shall include observation, and inspection of records and other documentation, of the manner in which the service organization’s system operates and controls are applied.
Obtaining Evidence Regarding Design of Controls
The service auditor shall determine which of the controls at the service organization are necessary to achieve the control objectives stated in the service organization’s description of its system, and shall assess whether those controls were suitably designed. This determination shall include:
- Identifying the risks that threaten the achievement of the control objectives stated in the service organization’s description of its system; and (Manipulation in courier / Typing error etc.)
- Evaluating the linkage of controls identified in the service organization’s description of its system with those risks. (Secured Courier / Naresh Records & Confirms etc.)
Obtaining Evidence Regarding Operating Effectiveness of Controls
When providing a type 2 report, the service auditor shall test those controls that the service auditor has determined are necessary to achieve the control objectives stated in the service organization’s description of its system, and assess their operating effectiveness throughout the period. Evidence obtained in prior engagements about the satisfactory operation of controls in prior periods does not provide a basis for a reduction in testing, even if it is supplemented with evidence obtained during the current period.
When designing and performing tests of controls, the service auditor shall:
- Perform other procedures in combination with inquiry to obtain evidence about:
  - By whom or by what means the control was applied; (Manual vs Automated, and the people involved)
  - The consistency with which the control was applied; and (Whether all types of transactions are properly processed)
  - How the control was applied;
- Determine whether controls to be tested depend upon other controls (indirect controls) and, if so, whether it is necessary to obtain evidence supporting the operating effectiveness of those indirect controls; and
- Determine means of selecting items for testing that are effective in meeting the objectives of the procedure.
When determining the extent of tests of controls, the service auditor shall consider matters including the characteristics of the population to be tested, which includes the nature of controls, the frequency of their application (for example, monthly, daily, a number of times per day), and the expected rate of deviation.
- Explain the contents of a Type 2 report. (SAE 3402)
Independent Service Auditor’s Assurance Report on the Description of Controls, their Design and Operating Effectiveness
To: XYZ Service Organization
We have been engaged to report on XYZ Service Organization’s description at pages [bb-cc] of its [type or name of] system for processing customers’ transactions throughout the period [date] to [date] (the description), and on the design and operation of controls related to the control objectives stated in the description.
XYZ Service Organization’s Responsibilities
XYZ Service Organization is responsible for: preparing the description and accompanying assertion at page [aa], including the completeness, accuracy and method of presentation of the description and assertion; providing the services covered by the description; stating the control objectives; and designing, implementing and effectively operating controls to achieve the stated control objectives. If some elements of the description are not included in the scope of the engagement, this is made clear in the assurance report.
Service Auditor’s Responsibilities
Our responsibility is to express an opinion on XYZ Service Organization’s description and on the design and operation of controls related to the control objectives stated in that description based on our procedures. We conducted our engagement in accordance with Standard on Assurance Engagements 3402, “Assurance Reports on Controls at a Service Organization,” issued by the Institute of Chartered Accountants of India. That standard requires that we comply with ethical requirements and plan and perform our procedures to obtain reasonable assurance about whether, in all material respects, the description is fairly presented and the controls are suitably designed and operating effectively.
An assurance engagement to report on the description, design and operating effectiveness of controls at a service organization involves performing procedures to obtain evidence about the disclosures in the service organization’s description of its system, and the design and operating effectiveness of controls. The procedures selected depend on the service auditor’s judgment, including the assessment of the risks that the description is not fairly presented, and that controls are not suitably designed or operating effectively. Our procedures included testing the operating effectiveness of those controls that we consider necessary to provide reasonable assurance that the control objectives stated in the description were achieved. An assurance engagement of this type also includes evaluating the overall presentation of the description, the suitability of the objectives stated therein, and the suitability of the criteria specified by the service organization and described at page [aa].
We believe that the evidence we have obtained is sufficient and appropriate to provide a basis for our opinion.
Limitations of Controls at a Service Organization
XYZ Service Organization’s description is prepared to meet the common needs of a broad range of customers and their auditors and may not, therefore, include every aspect of the system that each individual customer may consider important in its own particular environment. Also, because of their nature, controls at a service organization may not prevent or detect all errors or omissions in processing or reporting transactions. Also, the projection of any evaluation of effectiveness to future periods is subject to the risk that controls at a service organization may become inadequate or fail.
Opinion
Our opinion has been formed on the basis of the matters outlined in this report. The criteria we used in forming our opinion are those described at page [aa]. In our opinion, in all material respects:
- The description fairly presents the [the type or name of] system as designed and implemented throughout the period from [date] to [date];
- The controls related to the control objectives stated in the description were suitably designed throughout the period from [date] to [date]; and
- The controls tested, which were those necessary to provide reasonable assurance that the control objectives stated in the description were achieved, operated effectively throughout the period from [date] to [date].
Description of Tests of Controls
The specific controls tested and the nature, timing and results of those tests are listed on pages [yy-zz].
Intended Users and Purpose
This report and the description of tests of controls on pages [yy-zz] are intended only for customers who have used XYZ Service Organization’s [type or name of] system, and their auditors, who have a sufficient understanding to consider it, along with other information including information about controls operated by customers themselves, when assessing the risks of material misstatements of customers’ financial statements.
Signature / Date / Place