Statement on Auditing Standards, Audit Considerations Relating to an Entity Using a Service Organization (Redrafted)

1. Introduction. This SAS

a) Supersedes SAS No. 70, Service Organizations (AICPA, Professional Standards, vol. 1, AU sec. 324), which contains guidance for auditors auditing the financial statements of entities that use a service organization (user auditors) and for auditors reporting on controls at a service organization (service auditors).

b) Contains guidance for user auditors. Guidance for service auditors will be contained in a new Statement on Standards for Attestation Engagements (SSAE), Reporting on Controls at a Service Organization, which is being exposed for comment concurrently with this SAS.

2. Affects Existing Standards

a) A user organization is known as a user entity.

b) In a type 2 report, the service auditor’s report would contain an opinion on the fairness of the description of the service organization’s system and on the suitability of the design of the controls for a period rather than as of a specified date, as it currently does.

c) A user auditor is permitted to make reference to the work of a service auditor in his or her report to explain a modification of the user auditor’s opinion. In those circumstances, the user auditor’s report would be required to indicate that such reference does not diminish the user auditor’s responsibility for that opinion. (As in extant AU section 324, the user auditor would be prohibited from making reference to the work of a service auditor in a user auditor’s report containing an unmodified opinion. The user auditor cannot divide responsibility for the audit of user’s financial statements by referring to the service auditor’s report.)

d) A user auditor is required to inquire of management of the user entity about whether the service organization has reported to the user entity any fraud, noncompliance with laws and regulations, or uncorrected misstatements. If so, the user auditor would be required to evaluate how such matters affect the nature, timing, and extent of the user auditor’s further audit procedures.

e) The SAS is applicable to situations in which an entity uses a shared service organization that provides services to a group of related entities.

3. Convergence

a) Drafted using the December 2007 exposure draft of International Standard on Auditing (ISA) 402 (Revised and Redrafted), Audit Considerations Relating to an Entity Using a Third Party Service Organization, as a base.

b) Differences between the SAS and the ISA 402 exposure draft, for which the ASB believes there is no compelling reason to be different, have been eliminated.

c) The ASB has made various changes to the language in the proposed ISA, including replacing terms or phrases used in the proposed ISA with those more commonly used in the United States, and tailoring examples and guidance so that they are more appropriate for the U.S. environment.

4. Effective Date

a) The SAS is effective for audits of financial statements for periods ending on or after December 15, 2012.