Reporting on Controls at a Service Organization

CSAE 3416

Reporting on Controls at a Service Organization

CSAE 3416

Types of Reports to be Issued
  1. Type 1 Report (Report on management’s description of a service organization’s system and the suitability of the design of controls); or
  2. Type 2 Report (Report on management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls)
Type 1 vs. Type 2 Report:
  • Type 1 report contains the following:
    1. Management’s description of the service organization’s system
    2. A written assertion by management of the service organization about whether:
      1. Mgmt’s description of the service organization’s system fairly presents the system that was designed and implemented as of a specified date; and
      2. The controls were suitably designed to achieve control objectives (as described) as of the specified date
    3. A service auditor’s report that expresses an opinion on 2(1) and 2(b)
  • Type 2 report contains everything a type 1 report has with the following additions:
    • A written representation by mgm’t that the controls operated effectively throughout the specified period to achieve control objectives; and
    • The service auditor’s opinion express whether the controls operated effectively through the specified period and includes a description of the tests of controls and the results
Obtaining Evidence Regarding Management's Description of the Service Organization's System
  • The service auditor should read mgmt’s description of the service organization’s system and evaluate whether:
    • The control objectives stated are reasonable
    • Controls identified were implemented (through inspection of record, inquiries and observation)
    • Complementary user entity controls, if any, are adequately described
    • Services performed by a subservice organization, if any, are adequately described
Obtaining Evidence Regarding the Design of Controls
  • Service auditor should determine which of the controls are necessary to achieve the control objectives stated in management’s description and assess whether those controls were suitably designed by:
    • Identifying the risks that threaten the achievement of the control objectives stated in management’s description; and
    • Evaluating the linkage of the controls identified in management’s description with those risks
Obtaining Evidence Regarding the Operating Effectiveness of Controls
  • When performing a type 2 engagement,
    • Test those controls that the service auditor has determined are necessary to achieve the control objectives stated in management’s description and assess their operating effectiveness through the period
    • Inquire about changes in the service organization’s controls that were implemented during the period covered by the service auditor’s report
  • When designing and performing tests of controls:
    • Perform other procedures in combination with inquiry to obtain evidence about:
      1. How the control was applied
      2. The consistency with which the control was applied
      3. By whom or by what means the control was applied
    • Whether the controls to be tested depend on other controls, and if so, whether it is necessary to obtain evidence supporting the operating effectiveness of those other controls
    • Determine an effective method for selecting the items to be tested to meet the objectives of the procedure

Spread the Word!

Scroll to Top
Scroll to Top