Mastering SAS 70 Audit Reports For Service Organizations

Transcription

Mastering SAS 70 Audit Reports for Service Organizations: Evaluating Internal Controls Issues With Type I and Type II Reports. A Live 110-Minute Teleconference/Webinar with Interactive Q&A.

Today's panel features: Mark Agulnik, Senior Manager, Assurance Services, MarcumRachlin, Fort Lauderdale, Fla.; Eric Wright, Technology Shareholder, Schneider Downs, Pittsburgh; Scott Price, Director, A-lign CPAs, Tampa, Fla.; Steve Thompson, Shareholder, Schneider Downs, Pittsburgh; Powell Jones, Business Advisory Services Manager, Grant Thornton, Atlanta.

Wednesday, June 16, 2010. The conference begins at 1 pm Eastern, 12 pm Central, 11 am Mountain, 10 am Pacific. You can access the audio portion of the conference on the telephone or by using your computer's speakers. Please refer to the dial-in/log-in instructions emailed to registrants.

For Continuing Education purposes, please let us know how many people at your location are listening by closing the notification box and typing your company name and the number of attendees in the chat box. Then click the blue icon beside the box to send. For live event only.

If the sound quality is not satisfactory and you are listening via your computer speakers, please dial 1-866-873-1442 and enter your PIN when prompted. Otherwise, please send us a chat or e-mail sound@straffordpub.com immediately so we can address the problem. If you dialed in and have any difficulties during the call, press *0 for assistance.

Mastering SAS 70 Audit Reports For Service Organizations Webinar, June 16, 2010

Mark Agulnik, MarcumRachlin, mark.agulnik@marcumrachlin.com
Scott Price, A-lign CPAs, scott.price@aligncpa.com
Eric Wright, Schneider Downs, ewright@sdcpa.com
Steve Thompson, Schneider Downs, sthompson@sdcpa.com
Powell Jones, Grant Thornton, powell.jones@gt.com

Today's Program
Key Terms Of SAS 70 (Mark Agulnik), Slides 6-30
Changing Uses Of SAS 70 Reports (Scott Price), Slides 31-37
Audit Requirements, Preparation Tactics (Eric Wright and Steve Thompson), Slides 38-51
SSAE 16/ISAE 3402 (Powell Jones), Slides 52-63

Key Terms Of SAS 70 (Mark Agulnik, MarcumRachlin)

What Is SAS 70?
Statement on Auditing Standards (SAS) No. 70, Service Organizations, is a widely recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA). A SAS 70 report represents that a service organization has been through an in-depth audit of its control objectives and control activities.

In today's global economy, service organizations or service providers must demonstrate that they have adequate controls and safeguards when they host or process data belonging to their customers.

SOX has also affected the importance of SAS 70 audit reports, as many service organizations or service providers, including data centers, credit card processing centers and payroll processors, host and/or process critical data.

SAS 70 does not provide any prescribed guidance regarding scope definition, testing approach or requirements to establish compliance. The standard leaves the responsibility to the service provider and the auditor to define what is appropriate. In practice this means a SAS 70 report is only as meaningful as the control objectives the service organization chose to put in scope: a reader must check that the systems, applications and controls they depend on are actually covered before placing any reliance on the report.

[Slide footer: MarcumRachlin, A Division of Marcum LLP; offices in Florida, Pennsylvania, New York, New Jersey, Connecticut and Grand Cayman]

History Of Internal Control/SAS 70 Guidance (statement, date issued, title)

SAP No. 29, October 1958: Scope of the Independent Auditor's Review of Internal Control
SAP No. 41, November 1971: Reports on Internal Control
SAP No. 54, November 1972: The Auditor's Study and Evaluation of Internal Control
SAS No. 3, December 1974: The Effects of EDP on the Auditor's Study and Evaluation of Internal Control
SAS No. 44, December 1982: Special-Purpose Reports on Internal Accounting Control at Service Organizations
SAS No. 48, July 1984: The Effects of Computer Processing on the Audit of Financial Statements
SAS No. 55, April 1988: Consideration of Internal Control in a Financial Statement Audit
SAS No. 70, April 1992: Service Organizations
SAS No. 78, December 1995: Consideration of Internal Control in a Financial Statement Audit: An Amendment to Statement on Auditing Standards No. 55
SAS No. 88, December 1999: Service Organizations and Reporting on Consistency
SAS No. 94, May 2001: The Effect of Information Technology on the Auditor's Consideration of Internal Control in a Financial Statement Audit
PCAOB Auditing Standard No. 2, March 2004: An Audit of Internal Control over Financial Reporting in Conjunction with an Audit of Financial Statements. Note: Appendix B refers to service organizations.
PCAOB Auditing Standard No. 5, May 2007: An Audit of Internal Control over Financial Reporting that is Integrated with an Audit of Financial Statements. Note: Appendix B, paragraphs B17-B27, covers service organization considerations.
ISAE No. 3402, December 2009: Assurance Reports on Controls at a Service Organization
SSAE No. 16, June 2010: Reporting on Controls at a Service Organization

Relevant Definitions
User organization: The entity that has engaged a service organization and whose financial statements are being audited.
User auditor: The auditor who reports on the financial statements of the user organization.
Service organization: The entity (or segment of an entity) that provides services to a user organization that are part of the user organization's information system.
Service auditor: The auditor who reports on controls of a service organization that may be relevant to a user organization's internal control as it relates to an audit of financial statements.

Relevant Definitions (Cont.)
Report on controls placed in operation (known as a SAS 70 Type 1): A service auditor's report on a service organization's description of its controls that may be relevant to a user organization's internal control as it relates to an audit of financial statements, on whether such controls were suitably designed to achieve specified control objectives, and on whether they had been placed in operation as of a specific date.

Report on controls placed in operation and tests of operating effectiveness (known as a SAS 70 Type 2): A service auditor's report on a service organization's description of its controls that may be relevant to a user organization's internal control as it relates to an audit of financial statements, on whether such controls were suitably designed to achieve specified control objectives, on whether they had been placed in operation as of a specific date, and on whether the controls that were tested were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the related control objectives were achieved during the period specified.

The practical difference: a Type 1 report speaks only to the design of controls as of a single date and involves no testing of their operation; a Type 2 report covers a period and includes the service auditor's tests of whether the controls actually operated during that period.

Guidance To Service Auditors On Assessing A Service Organization's Internal Controls And Issuing A Report
The service auditor is responsible for the representations in his or her report and for exercising due care in the application of procedures that support those representations.

Although a service auditor's engagement differs from an audit of financial statements conducted in accordance with generally accepted auditing standards, it should be performed in accordance with the general standards and with the relevant fieldwork and reporting standards.

Although the service auditor should be independent from the service organization, it is not necessary for the service auditor to be independent from each user organization.

The service auditor may become aware of illegal acts, fraud or uncorrected errors attributable to the service organization's management or employees that may affect one or more user organizations. The service auditor's responsibilities regarding errors, fraud and illegal acts are discussed in Sect. 312, Audit Risk and Materiality in Conducting an Audit, and Sect. 317, Illegal Acts by Clients.

Guidance To Service Auditors On Assessing A Service Organization's Internal Controls And Issuing A Report (Cont.)
No single specific test of controls is always necessary, applicable or equally effective in every circumstance and every engagement. Therefore, the auditor should use professional judgment to determine what constitutes sufficient appropriate audit evidence under the specific circumstances of the engagement.

Meet with management prior to commencement of the SAS 70 and determine who wants the SAS 70 and for what purpose. The SAS 70 only has value if it is meeting the user's objectives.

Guidance To User Auditors Of Financial Statements For An Entity Using One Or More Service Organizations
As required by SAS 109, an auditor should obtain an understanding of each of the five components of the entity's internal control sufficient to assess the risks of material misstatement and to design the nature, timing and extent of further audit procedures. The auditor should use such knowledge to:
A: Identify types of potential misstatements and consider factors that affect the risks of material misstatement
B: Design tests of controls to determine the nature, timing and extent of procedures to be performed

Guidance To User Auditors Of Financial Statements For An Entity Using One Or More Service Organizations (Cont.)
If the user organization significantly uses a service organization, in obtaining an understanding of the entity's internal control sufficient to assess the risks of material misstatement, the auditor may need to obtain an understanding of the controls of the service organization.

High degree of interaction:
When the user organization initiates transactions and the service organization executes and does the accounting processing of those transactions, there is a high degree of interaction between the activities at the user organization and those at the service organization.
If the user organization implements highly effective internal controls over the processing of transactions at the service organization, the user auditor may not need to gain an understanding of the controls at the service organization in order to plan the audit.
For example, if the user organization has such controls, the user auditor could obtain an understanding of the controls by performing a walk-through at the user organization.

Guidance To User Auditors Of Financial Statements For An Entity Using One Or More Service Organizations (Cont.)
Low degree of interaction:
When the service organization initiates, executes and does the accounting processing of the user organization's transactions, there is a lower degree of interaction between the activities at the user organization and those at the service organization. In these circumstances, it may not be practicable for the user organization to implement effective controls for those transactions.
If the user organization has a low degree of interaction and has not placed into operation effective internal controls over the activities of the service organization, the user auditor would most likely need to gain an understanding of the relevant controls at the service organization in order to plan the audit. The understanding can be obtained by:
Reviewing a copy of the service auditor's report on the service organization's description of its controls, and/or
Contacting the service organization to obtain specific information, and/or
Visiting the service organization to make inquiries and observations, review documentation and perform the necessary procedures, and/or
Requesting that a service auditor be engaged to perform procedures that will provide the necessary information

Guidance To User Auditors Of Financial Statements For An Entity Using One Or More Service Organizations (Cont.)
Information about the nature of the services provided by a service organization that are part of the user organization's information system, and the service organization's controls over those services, may be available from a wide variety of sources, such as the following:
User manuals
System overviews
Technical manuals
The contract between the user organization and the service organization
Reports by service auditors, internal auditors or regulatory authorities on the service organization's controls

If the user auditor is unable to obtain sufficient audit evidence to achieve his or her audit objectives, the user auditor should qualify his or her opinion or disclaim an opinion on the financial statements because of a scope limitation.

Guidance To User Auditors Of Financial Statements For An Entity Using One Or More Service Organizations (Cont.)
When the user auditor obtains an understanding of the internal control, including reviewing the service organization's SAS 70 report, the user auditor may identify certain user organization controls that, if effective, would permit the user auditor to assess control risk as low or moderate for particular assertions.

Note: Although a Type 1 report is sufficient for the user auditor to obtain an understanding of the internal control and to determine whether the controls are designed and implemented, it is not sufficient to assess control risk below maximum in order to reduce substantive procedures, because it contains no tests of operating effectiveness.

In order for the user auditor to assess control risk below maximum (relating to the service organization's controls), the user auditor may:
A: Rely on the service auditor's report on controls placed in operation and tests of operating effectiveness (Type 2 SAS 70 report)
B: Perform tests of controls at the service organization
C: Test the user organization's controls over the activities of the service organization

Guidance To User Auditors Of Financial Statements For An Entity Using One Or More Service Organizations (Cont.)
If the user auditor decides to use a service auditor's report, the user auditor should consider the extent of the evidence provided by the report about the effectiveness of controls intended to prevent or detect material misstatements in the particular assertions.

A user auditor should determine whether the specific tests of controls and results in the service auditor's report are relevant to assertions that are significant in the user organization's financial statements.

The user auditor remains responsible for evaluating the evidence presented by the service auditor and for determining its effect on the assessment of control risk at the user organization. In evaluating these factors, user auditors should also keep in mind that, for certain assertions, the shorter the period covered by a specific test and the longer the time elapsed since the performance of the test, the less support for control risk reduction the test may provide.

Guidance To User Auditors Of Financial Statements For An Entity Using One Or More Service Organizations (Cont.)
In considering whether the service auditor's report is satisfactory for his or her purposes, the user auditor should make inquiries concerning the service auditor's professional reputation. Appropriate sources of information concerning the professional reputation of the service auditor are discussed in Sect. 543, Part of Audit Performed by Other Independent Auditors.

When assessing a service organization's controls and how they interact with a user organization's controls, the user auditor may become aware of the existence of significant deficiencies or material weaknesses in internal control. In such circumstances, the user auditor should consider the guidance provided in Sect. 325, Communicating Internal Control Related Matters Identified in an Audit (SAS 112/115).

Type 1 - Reports On Controls Placed In Operation
Note: The following apply to both Type 1 and Type 2 reports.
The information necessary for a report on controls placed in operation ordinarily is obtained through discussions with appropriate service organization personnel and through reference to various forms of documentation, such as system flowcharts and narratives.
The description should contain a discussion of the features of the service organization's controls that would have an effect on a user organization's internal control.

Type 1 - Reports On Controls Placed In Operation (Cont.)
They may include controls within the control environment, risk assessment, control activities, information and communication, and monitoring components of internal control.
The control environment may include hiring practices and key areas of authority and responsibility.
Risk assessment may include the identification of risks associated with processing specific transactions.
Control activities may include policies and procedures over the modification of computer programs, and are ordinarily designed to meet specific control objectives.
Information and communication may include ways in which user transactions are initiated and processed.
Monitoring may include the involvement of internal auditors, the audit committee, etc.

Type 1 - Reports On Controls Placed In Operation (Cont.)
Although a service auditor's report on controls placed in operation is as of a specified date, the service auditor should inquire about changes in the service organization's controls that may have occurred before the beginning of fieldwork.
If the service auditor believes that the changes would be considered significant by user organizations and their auditors, those changes should be included in the description of the service organization's controls.
If the service auditor concludes that the changes would be considered significant by user organizations and their auditors, and the changes are not included in the description of the service organization's controls, then the service auditor should describe the changes in his or her report. Examples of such changes include:
Procedural changes made to accommodate provisions of a new Statement of Financial Accounting Standards
Major changes in an application to permit online processing
Procedural changes to eliminate previously identified deficiencies

Type 1 - Reports On Controls Placed In Operation (Cont.)
Changes that occurred more than 12 months before the date being reported on normally would not be considered significant, because they generally would not affect user auditors' considerations.
The description of controls and control objectives required for these reports may be prepared by the service organization. If the service auditor prepares the description of controls and control objectives, the representations in the description remain the responsibility of the service organization.
A service auditor's report expressing an opinion on a description of controls placed in operation at a service organization should contain:
A: A specific reference to the applications, services, products or other aspects of the service organization covered
B: A description of the scope and nature of the service auditor's procedures

Type 1 - Reports On Controls Placed In Operation (Cont.)
C: Identification of the party specifying the control objectives
D: An indication that the purpose of the service auditor's engagement was to obtain reasonable assurance about whether (1) the service organization's description presents fairly, in all material respects, the aspects of the service organization's controls that may be relevant to a user organization's internal control as it relates to an audit of financial statements; (2) the controls were suitably designed to achieve specified control objectives; and (3) such controls had been placed in operation as of a specific date
E: A disclaimer of opinion on the operating effectiveness of the controls
F: The service auditor's opinion on whether the description presents fairly, in all material respects, the relevant aspects of the service organization's controls that had been placed in operation as of a specific date and whether, in the service auditor's opinion, the controls were suitably designed to provide reasonable assurance that the specified control objectives would be achieved if those controls were complied with satisfactorily

Type 1 - Reports On Controls Placed In Operation (Cont.)
G: A statement of the inherent limitations of the potential effectiveness of controls at the service organization and of the risk of projecting to future periods any evaluation of the description
H: Identification of the parties for whom the report is intended

If the service auditor believes that the description is inaccurate or insufficiently complete for user auditors, then the service auditor's report should so state and should contain sufficient detail to provide user auditors with an appropriate understanding.
If there are significant deficiencies in the design or operation of the service organization's controls that preclude the service auditor from obtaining reasonable assurance that specified control objectives would be achieved, then the report should be modified.

Type 1 - Reports On Controls Placed In Operation (Cont.)
Example wording for a modified opinion: "In our opinion, except for the matter referred to in the preceding paragraph, the accompanying description of the aforementioned application presents fairly, in all material respects, the relevant aspects of XYZ Service Organization's controls that had been placed in operation as of [insert date]."

For the service auditor to express an opinion on whether the controls were suitably designed to achieve the specified control objectives, it is necessary that:
A: The service organization identify and appropriately describe such control objectives and the relevant controls
B: The service auditor consider the linkage of the controls to the stated control objectives
C: The service auditor obtain sufficient appropriate audit evidence to reach an opinion

Type 2 - Reports On Controls Placed In Operation And Tests Of Operating Effectiveness
In addition to the requirements of Type 1, there are additional requirements for Type 2.
Similar to Type 1, the information necessary for a report on controls placed in operation ordinarily is obtained through discussions with appropriate service organization personnel and through reference to various forms of documentation, such as system flowcharts and narratives.
However, with a Type 2, the service auditor must perform tests of controls. The service auditor applies tests of controls to determine whether specific controls are operating with sufficient effectiveness to achieve specified control objectives. Sect. 350, Audit Sampling, as amended, provides guidance on the application and evaluation of audit sampling in performing tests of controls.

Type 2 - Reports On Controls Placed In Operation And Tests Of Operating Effectiveness (Cont.)
A service auditor's report expressing an opinion on a description of controls placed in operation at a service organization and tests of operating effectiveness should contain:
A: A specific reference to the applications, services, products or other aspects of the service organization covered [same as Type 1]
B: A description of the scope and nature of the service auditor's procedures [same as Type 1]
C: Identification of the party specifying the control objectives [same as Type 1]
D: An indication that the purpose of the service auditor's engagement was to obtain reasonable assurance about whether (1) the service organization's description presents fairly, in all material respects, the aspects of the service organization's controls that may be relevant to a user organization's internal control as it relates to an audit of financial statements; (2) the controls were suitably designed to achieve specified control objectives; and (3) such controls had been placed in operation as of a specific date [same as Type 1]

Type 2 - Reports On Controls Placed In Operation And Tests Of Operating Effectiveness (Cont.)
E: The service auditor's opinion on whether the description presents fairly, in all material respects, the relevant aspects of the service organization's controls that had been placed in operation as of a specific date and whether, in the service auditor's opinion, the controls were suitably designed to provide reasonable assurance that the specified control objectives would be achieved if those controls were complied with satisfactorily [same as Type 1]
F: A reference to a description of tests of specific service organization controls designed to obtain evidence about the operating effectiveness of those controls in achieving specified control objectives. The description should include the controls that were tested, the control objectives the controls were intended to achieve, the tests applied, and the results of the tests. The description should include an indication of the nature, timing and extent of the tests, as well as sufficient detail to enable user auditors to determine the effect of such tests on user auditors' assessments of control risk. To the extent that the service auditor identified causative factors for exceptions, determined the current status of corrective actions, or obtained other relevant qualitative information about exceptions noted, such information should be provided [only Type 2]

Type 2 - Reports On Controls Placed In Operation And Tests Of Operating Effectiveness (Cont.)
K: A statement that the service auditor has performed no procedures to evaluate the effectiveness of controls at individual user organizations [only Type 2]
L: A statement of the inherent limitations of the potential effectiveness of controls at the service organization and of the risk of projecting to the future any evaluation of the description or any conclusions about the effectiveness of controls in achieving control objectives [same as Type 1]
M: Identification of the parties for whom the report is intended [same as Type 1]

Changing Uses Of SAS 70 Reports (Scott Price, A-lign CPAs)

Original Uses Of SAS 70 Reports
Communicate operational controls to comply with SAS 55
Communicate controls and control testing results needed for user organization financial statement audit purposes
Communicate controls and control testing results to company management and the Board of Directors

Evolution Of SAS 70 Report Uses
Comply with contractual obligations
Comply with regulatory requirements: HIPAA, Gramm-Leach-Bliley, FFIEC, FDIC
Note that SAS 70 was written for financial statement audit purposes and prescribes no scope of its own, so a report offered as evidence for one of these purposes is only useful if the control objectives the service organization put in scope actually address that requirement.

Evolution Of SAS 70 Report Uses (Cont.)
Communicate business continuity/disaster recovery controls
