Category Archives for "Auditing"

Feb 06

When are SOC Reports Needed by an External Auditor?

By Charles Hall | Auditing

Service organization control (SOC) reports are often necessary to understand outsourced accounting services. So, when are SOC reports needed? 


When are SOC Reports Needed?

SOC reports are needed when:

  • The user entity’s complementary controls are not sufficient to lessen the possibility of material misstatements
  • The SOC report provides information concerning a significant transaction cycle

Many organizations outsource portions of their accounting to service organizations. Think ADP–a service organization that provides payroll services. External auditors need to understand a service organization’s system and related controls–particularly if that work could allow material misstatements in the user’s financial statements. This understanding is provided in SOC reports.

All financial statement audits focus upon whether material misstatements are occurring. Moreover, the auditor’s opinion is supported by audit evidence proving the financial statements are fairly stated. But does (some of this) audit evidence come from SOC reports? Sometimes, yes.

A financial statement auditor is concerned with material misstatements, regardless of how or where they occur–and regardless of who allows the misstatement. Therefore, auditors look for internal control weaknesses in both the entity being audited and outsourced service organizations.

As we will see, the external auditor may not need all SOC reports. On the other hand, some SOC reports may be needed but don’t exist.

Definitions Related to Service Organizations

Before delving into the details of service organization controls, let’s define a few key words. These definitions come from AU-C 402.

Complementary user entity controls. Controls that management of the service organization assumes, in the design of its service, will be implemented by user entities and are necessary to achieve the control objectives stated in management’s description of the service organization’s system, and are identified as such in that description.

Service auditor. A practitioner who reports on controls at a service organization.

Service organization. An organization or segment of an organization that provides services to user entities that are relevant to those user entities’ internal control over financial reporting.

User auditor. An auditor who audits and reports on the financial statements of a user entity.

User entity. An entity that uses a service organization and whose financial statements are being audited.

Audit Standard for Service Organizations

AU-C 402, Audit Considerations Relating to an Entity Using a Service Organization, states the following:

Services provided by a service organization are relevant to the audit of a user entity’s financial statements when those services and the controls over them affect the user entity’s information system, including related business processes, relevant to financial reporting. Although most controls at the service organization are likely to relate to financial reporting, other controls also may be relevant to the audit, such as controls over the safeguarding of assets. A service organization’s services are part of a user entity’s information system, including related business processes, relevant to financial reporting if these services affect any of the following:

  a. The classes of transactions in the user entity’s operations that are significant to the user entity’s financial statements;
  b. The procedures within both IT and manual systems by which the user entity’s transactions are initiated, authorized, recorded, processed, corrected as necessary, transferred to the general ledger, and reported in the financial statements;
  c. The related accounting records, supporting information, and specific accounts in the user entity’s financial statements that are used to initiate, authorize, record, process, and report the user entity’s transactions. This includes the correction of incorrect information and how information is transferred to the general ledger; the records may be in either manual or electronic form;
  d. How the user entity’s information system captures events and conditions, other than transactions, that are significant to the financial statements;
  e. The financial reporting process used to prepare the user entity’s financial statements, including significant accounting estimates and disclosures; and
  f. Controls surrounding journal entries, including nonstandard journal entries used to record nonrecurring, unusual transactions, or adjustments.

If a service organization’s work affects any of the items listed in a. through f., those services are a part of the audited entity’s information system.

When is a SOC report not needed?

When does the external auditor not need SOC reports or other information related to a service organization? Paragraph .05 of AU-C 402 answers that question as follows:

This section does not apply to services that are limited to processing an entity’s transactions that are specifically authorized by the entity, such as the processing of checking account transactions by a bank or the processing of securities transactions by a broker (that is, when the user entity retains responsibility for authorizing the transactions and maintaining the related accountability).

Additionally, complementary user entity controls may be strong enough to eliminate the need for information about the service organization’s controls.

Complementary User Entity Controls

The user entity–an entity that uses a service organization and whose financial statements are being audited–may have controls sufficient to eliminate the need for SOC reports or other information from the service organization. Sometimes the user entity has controls that mitigate the risk of material misstatements caused by service organization deficiencies. Such controls are referred to as “complementary user entity controls.” If the complementary controls operate effectively, the user auditor–an auditor who audits and reports on the financial statements of a user entity–may not need SOC reports or other service organization information.

Alternatively, if the service organization initiates, executes, and does the processing and recording of the user entity’s transactions, then the user auditor may need SOC reports or other service organization information.

Is the Placement of a SOC Report in the Audit File Sufficient?

Placing a SOC report in an audit file without reading and understanding it provides little to no audit evidence.

A SOC report provides information about how the service organization’s controls lessen the possibility of material misstatement. So, the user auditor needs to read and document how the service organization’s controls lessen the risk of material misstatement. This understanding of controls is necessary if the service organization’s work affects a significant transaction cycle such as payroll.

Think of SOC reports in this manner: Pretend there is no service organization and the company being audited performs the same processes and controls. If the audited entity performs these controls–and no service organization exists–the auditor gains an understanding of the controls using risk assessment procedures such as inquiry, observations, and inspections of documents. Potential control weaknesses are exposed by the risk assessment process. Thereafter, the identified risks are used to develop the audit program and substantive procedures. The same audit process is true when there is a service organization. But when a service organization is used, the user auditor is using the SOC report to gain the understanding of the service organization’s part of the entity’s accounting system.

If control weaknesses are noted in the SOC report, the user auditor may–as a response–perform substantive procedures. By doing so the auditor lowers the overall audit risk (which is the risk that the auditor will issue an unmodified opinion when one is not merited).

Type 1 or Type 2 SOC Reports?

Service organization auditors can issue type 1 or type 2 reports.

A type 1 SOC report provides a description of a service organization’s system and the suitability of the design of controls.

A type 2 SOC report includes a service organization auditor’s opinion on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls.

The type 1 report provides information about the service organization’s system and related controls. The type 2 report provides an opinion on the system description and the design and effectiveness of the controls. A type 1 or a type 2 report can be used to gain an understanding of the controls.

Should the Auditor Visit the Service Organization?

Usually, the auditor does not need to visit the service organization, but sometimes it is necessary to do so. If the service organization provides no SOC report and the complementary user controls are not sufficient, then the auditor may have no choice but to review the service organization’s system and controls. Only do so if the service organization handles significant parts of the accounting system.

Feb 24

Group Audit Standards Applicability: One Firm

By Charles Hall | Auditing

Do the group audit standards apply when one firm audits all of the entities comprising a consolidated whole?

Yes.

You say, “confusing.” I say, “I agree.”

The confusion–at least for me–lies in the pre-clarity auditing standard, AU 543, Part of Audit Performed by Other Independent Auditors, which focused on who was performing the audit. The clarity standard, AU-C 600 Special Considerations — Audits of Group Financial Statements, focuses on what is being audited. The word group (as applied to the group audit standards) does not mean more than one auditor.

Regarding applicability (of the group audit standards), we look at the entities and business activities being audited rather than how many audit firms are involved. We used to focus on the interaction with other auditors; now we focus on the risks associated with the group financial statements.


Group Audit Standards When There is Only One Audit Firm

The AICPA’s Technical Questions and Answers (8800.24) says the following about the applicability of AU-C Section 600 (Audits of Group Financial Statements) when only one engagement team is involved:

Inquiry—Company X consolidates the operations of Entity A. The same group engagement team that audits Company X also audits Entity A. Because only one engagement team is involved, does AU-C section 600 apply? If so, what does AU-C Section 600 require that is not already covered by other auditing standards?

Reply—AU-C section 600 applies to all audits of group financial statements, which are financial statements that contain more than one component. In the circumstances when the same engagement team audits all components of the group, the considerations addressed in AU-C Section 600 that relate to component auditors are not relevant. However, considerations addressed in AU-C section 600, such as understanding the components; identifying components that are significant due to individual financial significance and the significant risk of material misstatement; determining component materiality; understanding the consolidation process; and addressing the risks, including aggregation risk, of material misstatement in the group financial statements; are relevant in all group audits.

What does this mean?

If your firm audits consolidated financial statements, then the group audit standards apply, and you do need to comply with certain provisions (even though your firm audits all entities included in the consolidation). Consequently, you have some additional documentation requirements. Your audit file should contain the following documentation:

  • Your understanding of the components
  • Your identification of significant components (due to financial significance or risk)
  • Component materiality
  • Your understanding of the consolidation process
  • How you plan to address the identified risk of material misstatement (including aggregation risk)

Group Financial Statements

What are group financial statements? They are statements that include the financial information of more than one component.

Here are examples of components:

  • Subsidiaries
  • Geographical locations
  • Divisions
  • Investments (equity method)
  • Products or services
  • Component units of a state or local government

You can see from these examples of components that the concept of group financial statements is broader than that of consolidated or combined financial statements.

The idea behind the group audit standards is to highlight the risk of material misstatement, whether at the group level or a lower level. If, for example, a component is not financially significant but it has particularly risky assets (e.g., derivatives), then the group audit standards direct our attention there.

Examples of When Group Audit Standards are Applicable

Here are examples of when the group audit standards are in play:

  • Consolidated subsidiary
  • Combined financial statements due to common control
  • Investment accounted for using the equity method
  • Consolidated affiliate (due to variable-interest considerations)

Notice we made no mention of other auditors in these examples. It is possible that another firm may audit a subsidiary (for example), but this factor is not the determinant of when the group audit standards apply.
