Since Service Auditor Reports are traditionally an auditor-to-auditor communication, reading the report for the first time can be challenging. However, by understanding the contents of the report (as documented in FAQ #5), reading the report can be a much easier task.

Independent Service Auditor's Report

The Independent Service Auditor's Report should be easy to identify in the audit report. This is typically a one- to two-page letter from the independent auditors to the management of the service organization. The language of the opinion generally follows fairly explicit guidelines as determined by the American Institute of Certified Public Accountants (AICPA). The opinion describes the auditor's approach and the scope of the audit. An important item to look for is the date the controls were evaluated and the date(s) the controls were placed into operation. This is an easy way to determine if you are looking at a Type I or Type II report. For example, if the controls were evaluated at a point in time, but you don't see a paragraph discussing the operating effectiveness of the controls over a period of time, then you are most likely looking at a Type I report.

The auditor's conclusion is generally stated towards the end of the opinion. The following table shows which opinions the auditor concludes on, depending on the type of Service Auditor Report:

| Opinion | Type I Report | Type II Report |
|---|---|---|
| 1. Whether the service organization's description of controls presents fairly, in all material respects, the relevant aspects of the service organization's controls, that had been placed in operation as of a specified date. | Included | Included |
| 2. Whether the controls were suitably designed to achieve the specified control objectives. | Included | Included |
| 3. Whether the controls that were tested were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives were achieved during the period specified. | Not Included | Included |

The Service Organization's Description of Controls

The service organization's description of controls is the responsibility of the service organization. In many cases, the service auditor will assist the service organization in preparing the description. The description of controls generally should contain the following information:

  • Aspects of the service organization's control environment, risk assessment processes, information and communication processes, and monitoring processes that may affect the services provided to user organizations, as they relate to an audit of financial statements;
  • Control objectives and related controls; and
  • Complementary controls that may be required at user organizations.

Most of the above items are presented in a narrative format with flowcharts or diagrams to illustrate the control activities. The service organization may also provide background information on the services it provides (e.g. extent of data center locations, applications supported, etc.) and the type of processing environment it maintains.

Information Provided by the Service Auditor

This section of the Service Auditor's Report features a description of the service auditor's tests of operating effectiveness of controls and the results of those tests (this is included in a Type II report). The following elements should be included in the description:

  • The controls that were tested;
  • The control objectives the controls were intended to achieve; and
  • An indication of the nature, timing, extent, and results of the tests supplied in sufficient detail to enable user auditors to determine the effect of such tests on their assessments of control risks.

The above information is generally provided in a table or matrix format for ease of reference. The service auditor may also provide recommendations for improving the service organization's controls in this section of the report.

Other Information Provided by the Service Organization

A service organization may want to include or present other information that is not part of the description of controls (e.g. a glossary of terms). This type of information would be included in a separate section and would not be covered by the service auditor's opinion.

Mike Thomas commented on 22-Feb-2011 02:28 PM
Why do some companies use Type I and others use Type II?