Many entities use outside organizations to process some portion of their accounting transactions (e.g., ADP and Paychex are service organizations that provide processing for payroll checks and reports).
A service organization's services are considered to be part of a user entity's information system when those services affect the initiation, execution, processing, or reporting of the user company's transactions. In such cases, the controls placed in operation by the service organization are considered to be part of the user organization's information system. Service organizations often have an auditor perform an attestation examination engagement to report on the controls of the service organization that are relevant to the user entities' internal control over financial reporting or are relevant to the security and confidentiality of the information processed by the service organization.
The user auditor should obtain an understanding of the nature and significance of the services provided by the service organization and the effect on the user entity's internal control, sufficient to identify and assess the risks of material misstatement and design and perform audit procedures responsive to those risks.
When a SOC 1® service auditor's report is available, the user auditor may utilize the report in its assessment of the user entity's internal controls. (SOC stands for System and Organization Controls.)
SOC 1® Type 1 Report: A Type 1 Report may aid the user auditor in obtaining an understanding of controls. However, a Type 1 Report is provided when tests of the operating effectiveness of the service organization's controls were not performed, and therefore it does not provide the user auditor with a basis for reducing the assessment of control risk below maximum for areas of the entity's accounting that are affected by the service organization.
SOC 1® Type 2 Report: A Type 2 Report provides the user auditor with assurance about the design, implementation, and operating effectiveness of the service organization's internal controls and therefore may provide evidence that would allow a reduction in the assessed level of control risk for areas of the entity's accounting that are affected by the service organization.
When a user auditor plans to use a SOC 1® Type 2 report as audit evidence to reduce the assessed level of control risk for areas of the user entity's accounting affected by the service organization, the user auditor should be satisfied regarding all of the following except: