Category Archives for "Auditing"

when are SOC reports needed
Feb 06

When are SOC Reports Needed by an External Auditor?

By Charles Hall | Auditing

Service organization control (SOC) reports are often necessary to understand outsourced accounting services. So, when are SOC reports needed? 

when are SOC reports needed

When are SOC Reports Needed?

SOC reports are needed when:

  • The user entity’s complementary controls are not sufficient to lessen the possibility of material misstatements
  • The SOC report provides information concerning a significant transactions cycle

Many organizations outsource portions of their accounting to service organizations. Think ADP–a service organization that provides payroll services. External auditors need to understand a service organization’s system and related controls–particularly if that work could allow material misstatements in the user’s financial statements. This understanding is provided in SOC reports.

All financial statement audits focus upon whether material misstatements are occurring. Moreover, the auditor’s opinion is supported by audit evidence proving the financial statements are fairly stated. But does (some of this) audit evidence come from SOC reports? Sometimes, yes.

A financial statement auditor is concerned with material misstatements, regardless of how or where they occur–and regardless of who allows the misstatement. Therefore, auditors look for internal controls weaknesses in both the entity being audited and outsourced service organizations.

As we will see, the external auditor may not need all SOC reports. On the other hand, some SOC reports may be needed but don’t exist.

Definitions Related to Service Organizations

Before delving into the details of service organization controls, let’s define a few key words. These definitions come from AU-C 402.

Complementary user entity controls. Controls that management of the service organization assumes, in the design of its service, will be implemented by user entities and are necessary to achieve the control objectives stated in management’s description of the service organization’s system, are identified as such in that description.

Service auditor. A practitioner who reports on controls at a service organization.

Service organization. An organization or segment of an organization that provides services to user entities that are relevant to those user entities’ internal control over financial reporting.

User auditor. An auditor who audits and reports on the financial statements of a user entity.

User entity. An entity that uses a service organization and whose financial statements are being audited.

Audit Standard for Service Organizations

AU-C 402, Audit Considerations Relating to an Entity Using a Service Organization, states the following:

Services provided by a service organization are relevant to the audit of a user entity’s financial statements when those services and the controls over them affect the user entity’s information system, including related business processes, relevant to financial reporting. Although most controls at the service organization are likely to relate to financial reporting, other controls also may be relevant to the audit, such as controls over the safeguarding of assets. A service organization’s services are part of a user entity’s information system, including related business processes, relevant to financial reporting if these services affect any of the following:

  1. The classes of transactions in the user entity’s operations that are significant to the user entity’s financial statements;
  2. The procedures within both IT and manual systems by which the user entity’s transactions are initiated, authorized, recorded, processed, corrected as necessary, transferred to the general ledger, and reported in the financial statements;
  3. The related accounting records, supporting information, and specific accounts in the user entity’s financial statements that are used to initiate, authorize, record, process, and report the user entity’s transactions. This includes the correction of incorrect information and how information is transferred to the general ledger; the records may be in either manual or electronic form;
  4. How the user entity’s information system captures events and conditions, other than transactions, that are significant to the financial statements;
  5. The financial reporting process used to prepare the user entity’s financial statements, including significant accounting estimates and disclosures; and
  6. Controls surrounding journal entries, including nonstandard journal entries used to record nonrecurring, unusual transactions, or adjustments.

If a service organization’s work affects any of the items listed in a. through f., those services are a part of the audited entity’s information system.

When is a SOC report not needed?

When does the external auditor not need SOC reports or other information related to a service organization? Paragraph .05 of AU-C 402 answers that question as follows:
This section does not apply to services that are limited to processing an entity’s transactions that are specifically authorized by the entity, such as the processing of checking account transactions by a bank or the processing of securities transactions by a broker (that is, when the user entity retains responsibility for authorizing the transactions and maintaining the related accountability).
Additionally, complementary user entity controls may be strong enough to eliminate the need for information about the service organization’s controls.

Complementary User Entity Controls

The user entity–an entity that uses a service organization and whose financial statements are being audited–may have controls sufficient to eliminate the need for SOC reports or other information from the service organization. Sometimes the user entity has controls that mitigate the risk of material misstatements caused by service organization deficiencies. Such controls are referred to as “complementary user entity controls.” If the complementary controls operate effectively, the user auditor–an auditor who audits and reports on the financial statements of a user entity–may not need SOC reports or other service organization information.

Alternatively, if the service organization initiates, executes, and does the processing and recording of the user entity’s transactions, then the user auditor may need SOC reports or other service organization information.

Is the Placement of a SOC Report in the Audit File Sufficient?

Placing a SOC report in an audit file without reading and understanding it provides little-to-no audit evidence.

A SOC report provides information about how the service organization’s controls lessen the possibility of material misstatement. So, the user auditor needs to read and document how the service organization’s controls lessen the risk of material misstatement. This understanding of controls is necessary if the service organization’s work affects a significant transaction cycle such as payroll.

Think of SOC reports in this manner: Pretend there is no service organization and the company being audited performs the same processes and controls. If the audited entity performs these controls–and no service organization exists–the auditor gains an understanding of the controls using risk assessment procedures such as inquiry, observations, and inspections of documents. Potential control weaknesses are exposed by the risk assessment process. Thereafter, the identified risks are used to develop the audit program and substantive procedures. The same audit process is true when there is a service organization. But when a service organization is used, the user auditor is using the SOC report to gain the understanding of the service organization’s part of the entity’s accounting system.

If controls weaknesses are noted in the SOC report, the user auditor may–as a response–perform substantive procedures. By doing so the auditor lowers the overall audit risk (which is the risk that the auditor will issue an unmodified opinion when one is not merited).

Type 1 or Type 2 SOC Reports?

Service organization auditors can issue type 1 or type 2 reports.

A type 1 SOC report provides a description of a service organization’s system and the suitability of the design of controls.

A type 2 SOC report includes a service organization auditor’s opinion on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls.

The type 1 report provides information about the service organization’s system and related controls. The type 2 report provides an opinion on the system description and the design and effectiveness of the controls. A type 1 or a type 2 report can be used to gain an understanding of the controls.

Should the Auditor Visit the Service Organization?

Usually, the auditor does not need to visit the service organization, but sometimes it is necessary to do so. If the service organization provides no SOC report and the complementary user controls are not sufficient, then the auditor may have no choice but to review the service organization’s system and controls. Only do so if the service organization handles significant parts of the accounting system.

Apr 08

How to Document the Use of a Specialist

By Charles Hall | Auditing

As an auditor, you often use the work of specialists such as actuaries, appraisers, and engineers. Such work can seem mystical, like something conjured up from a mathematical soup. And since we don’t always understand their incantations, we wonder, “Can we rely on the information?” Thankfully, the audit standards provide guidance.

Picture is courtesy of

Picture is courtesy of

A specialist can be hired by your audit firm or by management. If you audit banks, you might hire an appraiser to assist with loan collateral reviews–an example of an auditor’s specialist. If your client uses an actuary, then you will obtain audit evidence from a specialist hired by management. As we begin our look into the use of specialists, let’s define the terms auditor’s specialist and management’s specialist.


AU-C 620 provides the following definitions:

Auditor’s specialist. An individual or organization possessing expertise in a field other than accounting or auditing, whose work in that field is used by the auditor to assist the auditor in obtaining sufficient appropriate audit evidence. An auditor’s specialist may be either an auditor’s internal specialist (who is a partner or staff, including temporary staff, of the auditor’s firm or a network firm) or an auditor’s external specialist.

Management’s specialist. An individual or organization possessing expertise in a field other than accounting or auditing, whose work in that field is used by the entity to assist the entity in preparing the financial statements.

Now let’s take a look at audit considerations for both the auditor’s specialist and management’s specialist.

Use of Auditor’s Specialist

AU-C Section 620–Using the Work of an Auditor’s Specialist provides guidance on the use of an auditor’s specialist.

Is the Specialist Needed?

AU-C 620.07 states, “If expertise in a field other than accounting or auditing is necessary to obtain sufficient appropriate audit evidence, the auditor should determine whether to use the work of an auditor’s specialist.” Before using the services of a specialist, consider the significance of the information for which you might need a specialist. If the (specialist) information has little impact on the financial statements, then the specialist issue will be of less importance.

Specialist Considerations

AU-C 620.09 says, “The auditor should evaluate whether the auditor’s specialist has the necessary competence, capabilities, and objectivity for the auditor’s purposes.” So if you hire an investment pricing specialist, you want to know if she is reputable, what her experience is, whether she can perform the work appropriately, and whether she can be objective.

Auditor's Specialist

Picture is courtesy of Adobe Stock

According to AU-C 620.A16, information regarding the competence, capabilities, and objectivity of an auditor’s specialist may come from the following:

  • Personal experience with previous work of that specialist
  • Discussions with that specialist
  • Discussions with other auditors or others who are familiar with that specialist’s work
  • Knowledge of that specialist’s qualifications, membership in a professional body or industry association,   license to practice, or other forms of external recognition
  • Published papers or books written by that specialist
  • The quality control policies and procedures of the auditor’s firm and such other procedures the auditor considers necessary in the circumstances

If you’ve previously worked with the aforementioned pricing specialist, you have personal experience with her work. This helps. You might call her with regard to current year issues, and since you already know her, you probably already know her qualifications.

Regarding objectivity, the auditor should inquire about any relationships that the specialist may have with the client, and if necessary, obtain a signed representation letter– from the specialist–concerning their objectivity. Continuing with our pricing specialist illustration, you want to ask her if she has any business relationships with the auditee. Are there any family relationships? Is there any reason her objectivity might be lessened?

Engagement Letter with Specialist

Does the audit firm need an engagement letter with its specialist?

Though not required, the auditor can use a written engagement letter to define the work of the specialist. AU-C 620.A45 provides suggestions for the engagement letter as follows:

  • Nature, Scope, and Objectives of the Auditor’s External Specialist’s Work
  • The Respective Roles and Responsibilities of the Auditor and the Auditor’s External Specialist
  • Communications and Reporting
  • Confidentiality

When an engagement letter is not used, document the work of the specialist in a memorandum or other audit work papers such as an audit program.

Adequacy of the Specialist’s Work

Auditors must evaluate the adequacy of the specialist’s work.

AU-C 620.12 says:

The auditor should evaluate the adequacy of the work of the auditor’s specialist for the auditor’s purposes, including:

  1. The relevance and reasonableness of the findings and conclusions of the auditor’s specialist and their consistency with other audit evidence.
  2. If the work of the auditor’s specialist involves the use of significant assumptions and methods,
    • obtaining an understanding of those assumptions and methods and
    • evaluating the relevance and reasonableness of those assumptions and methods in the circumstances, giving consideration to the rationale and support provided by the specialist, and in relation to the auditor’s other findings and conclusions.
  3. If the work of the auditor’s specialist involves the use of source data that is significant to the work of the auditor’s specialist, the relevance, completeness, and accuracy of that source data.

Bottom line: Does the work of the specialist provide sufficient and appropriate audit evidence with regard to the issue at hand (e.g., investment pricing)?

When to Start Thinking About a Specialist

When should an auditor begin to think about the use of a specialist? Before the engagement is accepted. Why? If we accept an audit without the necessary skill sets, we have a problem. As we consider our acceptance of an audit, we should consider if there is a need to hire a specialist–and whether such a specialist is available at a reasonable price.

Reference to a Specialist in an Auditor’s Opinion

AU-C 620.14-15 says the following about references to a specialist’s work in an audit opinion:

The auditor should not refer to the work of an auditor’s specialist in an auditor’s report containing an unmodified opinion.

If the auditor makes reference to the work of an auditor’s external specialist in the auditor’s report because such reference is relevant to an understanding of a modification to the auditor’s opinion, the auditor should indicate in the auditor’s report that such reference does not reduce the auditor’s responsibility for that opinion.

What does this mean? Regardless of the use of a specialist, the opinion is the auditor’s (and not the specialist’s). We may use the specialist’s work as audit evidence, but the audit opinion is ours.

The audit standards do allow auditors to reference the work of a specialist when the opinion is modified, but if you do so, get the specialist’s permission (consider getting written authorization).

Confidentiality Language in the Client Engagement Letter

When an auditor hires an external specialist, should the audit engagement letter change?

Picture is courtesy of AdobeStock

Picture is courtesy of AdobeStock

When an audit firm hires an external specialist, the firm should follow the Code of Conduct section ET 1.700.040, Disclosing Information to a Third-Party Service Provider. How can you comply with this ethical requirement? By including additional language in your engagement letter advising the client that you might provide confidential information to an outside party; in effect, you are gaining consent to share client information. If you are not using an outside specialist, but someone who works for your firm, then no such consent is necessary.

Use of Management’s Specialist

AU-C Section 500–Audit Evidence provides guidance on the use of information from management’s specialist.

Your audit client might use their own specialist such as a pension plan actuary. To rely on the actuary, you need to know if she is competent and objective. You also need to understand–at least in a general sense–what the actuary is doing.

Specialist Considerations

AU-C 500.08 states:

If information to be used as audit evidence has been prepared using the work of management’s specialist, the auditor should, to the extent necessary, taking into account the significance of that specialist’s work for the auditor’s purposes,

  1. evaluate the competence, capabilities, and objectivity of that specialist;
  2. obtain an understanding of the work of that specialist; and
  3. evaluate the appropriateness of that specialist’s work as audit evidence for the relevant assertion.

AU-C 500.A39 provides the following insights into evaluating competence, capabilities, and objectivity:

Information regarding the competence, capabilities, and objectivity of management’s specialist may come from a variety of sources, such as the following:

  • Personal experience with previous work of that specialist
  • Discussions with that specialist
  • Discussions with others who are familiar with that specialist’s work
  • Knowledge of that specialist’s qualifications, membership in a professional body or industry association, license to practice, or other forms of external recognition
  • Published papers or books written by that specialist

Representation Letter

Exhibit B of AU-C 580, Written Representations, provides the following example of language that an auditor might include in the representation letter:

We agree with the findings of specialists in evaluating the [describe assertion] and have adequately considered the qualifications of the specialists in determining the amounts and disclosures used in the financial statements and the underlying accounting records. We did not give or cause any instructions to be given to specialists with respect to the values or amounts derived in an attempt to bias their work, and we are not otherwise aware of any matters that have had an effect on the independence or objectivity of the specialists.


So how do you document your use of a specialist? As you can tell, the audit standards provide a framework, and the documentation will vary depending on the type of specialist used and the importance of the information. At a minimum, consider documenting:

  1. Why you need the specialist (or their work product)
  2. The abilities, reputation, and experience of the specialist
  3. The objectivity of the specialist
  4. The adequacy of the work provided

At the end of the day, auditing is all about obtaining reasonable assurance by obtaining audit evidence. As you consider the use of a specialist, ask yourself how their work impacts your risk assessment, your audit procedures, and finally your opinion.

Feb 24

Group Audit Standards Applicability When One Firm Audits Consolidated Financial Statements?

By Charles Hall | Auditing

Do the group audit standards apply when one firm audits all of the entities comprising a consolidated whole?


You say, “confusing.” I say, “I agree.”

The confusion–at least for me–lies in the pre-clarity auditing standard, AU 543, Part of Audit Performed by Other Independent Auditors, which focused on who was performing the audit. The clarity standard, AU-C 600 Special Considerations — Audits of Group Financial Statements, focuses on what is being audited. The word group (as applied to the group audit standards) does not mean more than one auditor.

Regarding applicability (of the group audit standards), we look at the entities and business activities being audited rather than how many audit firms are involved. We used to focus on the interaction with other auditors; now we focus on the risks associated with the group financial statements.

Businessman holding a transparent screen with an inscription a auditing. Business, technology, internet and networking concept.

The picture is courtesy of

Group Audit Standards When There is Only One Audit Firm

The AICPA’s Technical Questions and Answers (8800.24) says the following about the applicability of AU-C Section 600 (Audits of Group Financial Statements) when only one engagement team is involved:

Inquiry—Company X consolidates the operations of Entity A. The same group engagement team that audits Company X also audits Entity A. Because only one engagement team is involved, does AU-C section 600 apply? If so, what does AU-C Section 600 require that is not already covered by other auditing standards?

ReplyAU-C section 600 applies to all audits of group financial statements, which are financial statements that contain more than one component. In the circumstances when the same engagement team audits all components of the group, the considerations addressed in AU-C Section 600 that relate to component auditors are not relevant. However, considerations addressed in AU-C section 600, such as understanding the components; identifying components that are significant due to individual financial significance and the significant risk of material misstatement; determining component materiality; understanding the consolidation process; and addressing the risks, including aggregation risk, of material misstatement in the group financial statements; are relevant in all group audits.

What does this mean?

If your firm audits consolidated financial statements, then the group audit standards apply, and you do need to comply with certain provisions (even though your firm audits all entities included in the consolidation). Consequently, you have some additional documentation requirements. Your audit file should contain the following documentation:

  • Your understanding of the components
  • Your identification of significant components (due to financial significance or risk)
  • Component materiality
  • Your understanding of the consolidation process
  • How you plan to address the identified risk of material misstatement (including aggregation risk)

Group Financial Statements

What are group financial statements? They are statements that include the financial information of more than one component.

Here are examples of components:

  • Subsidiaries
  • Geographical locations
  • Divisions
  • Investments (equity method)
  • Products or services
  • Component units of a state or local government

You can see from these examples of components, the concept of group financial statements is broader than that of consolidated or combined financial statements.

The idea behind the group audit standards is to highlight the risk of material misstatement whether at the group level or a lower level. If for example, a component is not financially significant but it has particularly risky assets (e.g., derivatives), then the group audit standards direct our attention here.

Examples of When Group Audit Standards are Applicable

Here are examples of when the group audit standards are in play:

  • Consolidated subsidiary
  • Combined financial statements due to common control
  • Investment accounted for using the equity method
  • Consolidated affiliate (due to variable-interest considerations)

Notice we made no mention of other auditors in these examples. It is possible that another firm may audit a subsidiary (for example), but this factor is not the determinant of when the group audit standards apply.

1 11 12 13