AICPA
Reporting on an Examination of Controls at a Service Organization Relevant to User Entities′ Internal Control Over Financial Reporting (SOC 1)
Paperback Engels 2017 9781943546640
Verwachte levertijd ongeveer 16 werkdagen
Specificaties
ISBN13:9781943546640
Taal:Engels
Bindwijze:paperback
Aantal pagina's:368
Uitgever:John Wiley & Sons
Serie:AICPA
Lezersrecensies
Wees de eerste die een lezersrecensie schrijft!
Inhoudsopgave
<p>1 Introduction and Background 01–09</p>
<p>Other Types of Internal Control Engagements 09</p>
<p>2 Understanding How a User Auditor Uses a Type 1 or Type 2 Report 01–20</p>
<p>Obtaining an Understanding of the Entity and Its Environment, Including the Entity s Internal Control When the Entity Uses a Service Organization 01–03</p>
<p>Service Organization Services to Which AU–C Section 402 Does Not Apply 04</p>
<p>Understanding Whether Controls at a Service Organization Affect a User Entity s Internal Control 05–11</p>
<p>Types of Service Auditor s Reports 12</p>
<p>User Auditor Obtains Evidence of the Operating Effectiveness of Controls at a Service Organization 13–18</p>
<p>Information That Assists User Auditors in Evaluating the Effect of a Service Organization on a User Entity s Internal Control 19–20</p>
<p>3 Planning a Service Auditor s Engagement 01–131</p>
<p>Understanding the Responsibilities of Management of the Service Organization 01–82</p>
<p>Defining the Scope of the Engagement 02</p>
<p>Determining the Type of Engagement to Be Performed 03–07</p>
<p>Determining the Period to Be Covered by the Report 08–13</p>
<p>Determining Whether Services Provided to a Service Organization by Other Entities Are Likely to Be Relevant to User Entities Internal Control Over Financial Reporting 14–18</p>
<p>Determining Whether Subservice Organizations Will Be Carved Out or Included in the Description 19–23</p>
<p>Selecting the Criteria to Be Used 24</p>
<p>Preparing the Description of the Service Organization s System and Management s Assertion 25–67</p>
<p>Specifying the Control Objectives and Stating Them in the Description 68–76</p>
<p>Identifying Risks That Threaten the Achievement of the Control Objectives 77–78</p>
<p>Preparing Management s Written Assertion 79–81</p>
<p>Having a Reasonable Basis for Its Assertion 82</p>
<p>Responsibilities of the Service Auditor 83–131</p>
<p>Client and Engagement Acceptance and Continuance 84–90</p>
<p>Agreeing on the Terms of the Engagement 91–94</p>
<p>Assessing the Suitability of Criteria 95–96</p>
<p>Organization s System 97–105</p>
<p>Assessing the Risk of Material Misstatement 106–109</p>
<p>Planning to Use the Work of Internal Auditors 110–127</p>
<p>Using the Work of an Other Practitioner 128–131</p>
<p>4 Performing a Service Auditor s Engagement Under AT–C Section 320 01–197</p>
<p>Responding to Assessed Risk and Obtaining Evidence 01–03</p>
<p>Evaluating Whether Management s Description of the</p>
<p>Service Organization s System Is Fairly Presented 04–55</p>
<p>Materiality Related to the Fair Presentation of the</p>
<p>Description of the Service Organization s System 17–19</p>
<p>Evaluating Whether Control Objectives Are Reasonable in the Circumstances .20–.30</p>
<p>Control Objectives Not Relevant to User Entities Internal Control 31–.32</p>
<p>After Engagement Has Been Accepted, Service Auditor Determines Control Objectives Are Not Reasonable in the Circumstances 33</p>
<p>Implementation of Service Organization Controls 34–39</p>
<p>Complementary User Entity Controls 40–42</p>
<p>Subservice Organizations 43–55</p>
<p>Obtaining and Evaluating Evidence Regarding the Suitability of the Design of Controls 56–77</p>
<p>Types of Assertions in User Entities Financial Statements 62–64</p>
<p>IT General Control Objectives and Related Risks 65–67</p>
<p>Linking Controls to Risks 68–70</p>
<p>Multiple Controls Address the Same Control Objective 71</p>
<p>Information Needed to Evaluate Design of Control 72</p>
<p>Effect of Other Components of Internal Control on Design of Controls73</p>
<p>Control Necessary to Achieve Control Objective Is Missing 74</p>
<p>Difference Between Deficiency in Design and Deficiency in Operating Effectiveness 75–77</p>
<p>Obtaining and Evaluating Evidence Regarding the Operating Effectiveness of Controls in a Type 2 Engagement 78–122</p>
<p>Materiality With Respect to Operating Effectiveness of Controls 79</p>
<p>Determining Which Controls to Test 80–84</p>
<p>Options for Presenting Tests of the Operating Effectiveness of Controls for Controls That Were Subsequently Deemed Not Suitably Designed 85–86</p>
<p>Designing and Performing Tests of Controls 87–88</p>
<p>Nature of Tests of Controls 89–92</p>
<p>Evaluating the Reliability of Information Produced by the Service Organization 93–100</p>
<p>Timing of Tests of Controls 101–102</p>
<p>Extent of Tests of Controls 103–106</p>
<p>Superseded Controls 107–110</p>
<p>Selecting Items to Be Tested 111–112</p>
<p>Using the Work of Internal Auditors 113–121</p>
<p>Revision of Risk Assessment 122</p>
<p>Evaluating the Results of Procedures 123–149</p>
<p>Evaluating Misstatements General 127–128</p>
<p>Evaluating Misstatements in the Description of the Service Organization s System 129</p>
<p>Evaluating Deficiencies in the Suitability of the Design of Controls 130–131</p>
<p>Evaluating Deviations in the Results of Tests of Controls (Deficiencies in the Operating Effectiveness of</p>
<p>Controls) 132–136</p>
<p>Evaluating the Sufficiency and Appropriateness of Evidence 137–142</p>
<p>Other Considerations When Evaluating Evidence 143</p>
<p>Controls Did Not Operate During the Period Covered by the Service Auditor s Report 144–149</p>
<p>Extending or Modifying the Period 150–162</p>
<p>Management s Written Representations for the Extended or Modified Period 158</p>
<p>Deficiencies That Occur During the Original, Extended, or Modified Period 159–162</p>
<p>Other Matters Related to Performing the Engagement 163–.167</p>
<p>Controls Designed by a Party Other Than Management of the Service Organization 163</p>
<p>Communicating Known and Suspected Fraud, Noncompliance With Laws or Regulations, Uncorrected Misstatements, and Deficiencies in the Design or Operating Effectiveness of Controls 164</p>
<p>Management Requests a Change in the Scope of the Engagement 165–167</p>
<p>Forming the Opinion 168–176</p>
<p>Documentation 175–176</p>
<p>Completing the Engagement 177–197</p>
<p>Requesting Written Representations 178–191</p>
<p>Subsequent Events Up to the Date of the Service Auditor s Report 192–196</p>
<p>Management s Responsibilities During Engagement Completion 197</p>
<p>5 Reporting 01–98</p>
<p>Describing Tests of Controls and Results 02–16</p>
<p>Describing Tests of Controls and Results When Using the Internal Audit Function 08–13</p>
<p>Describing Tests of the Reliability of Information Produced by the Service Organization 14–.16</p>
<p>Preparing the Service Auditor s Report 17–34</p>
<p>Elements of the Service Auditor s Report 17–18</p>
<p>Report and Assertion When Service Organization Uses the Carve–Out Method 19–21</p>
<p>Report When Assuming Responsibility for Work of an Other Practitioner .22</p>
<p>Other Information That Is Not Covered by the Service Auditor s Report 23–34</p>
<p>Modifications to the Service Auditor s Report 35–47</p>
<p>Qualified Opinion 37–39</p>
<p>Disclaimer of Opinion 40–42</p>
<p>Management Will Not Provide a Written Assertion but Law or Regulation Does Not Permit Service Auditor to Withdraw From Engagement 43–44</p>
<p>Adverse Opinion 45–47</p>
<p>Report Paragraphs Describing the Matter Giving Rise to the Modification 48–.76</p>
<p>Illustrative Separate Paragraphs: Description Is Not Fairly Presented 48–67</p>
<p>Illustrative Separate Paragraphs: Controls Are Not Suitably Designed 68–70</p>
<p>Illustrative Separate Paragraphs: Controls Were Not Operating Effectively 71–74</p>
<p>Illustrative Separate Paragraphs: Disclaimer of Opinion 75–76</p>
<p>Other Matters Related to a Service Auditor s Engagement 77–98</p>
<p>Intended Users of the Report 77–79</p>
<p>Determining Whether an Entity Is an Indirect User Entity 80–84</p>
<p>Report Date 85</p>
<p>Subsequent Events and Subsequently Discovered Facts 86–90</p>
<p>Distribution of the Report by Management 91–93</p>
<p>Service Auditor s Recommendations for Improving Controls 94</p>
<p>Modifying Management s Written Assertion 95–98</p>
<p>Appendix</p>
<p>A Illustrative Type 2 Reports</p>
<p>B Illustrative Type 2 Reports Inclusive Method, Including Illustrative Management Representation Letters</p>
<p>C Illustrative Management Representation Letters</p>
<p>D Illustrative Control Objectives for Various Types of Service Organizations Appendix</p>
<p>E Comparison of SOC 1®, SOC 2®, and SOC 3® Engagements and Related Reports</p>
<p>F Comparison of Requirements in AT–C Section 320</p>
<p>G Illustrative Service Auditor s Report When Reporting Under Both AT–C Section 320</p>
<p>H Overview of Statements on Quality Control Standards</p>
<p>Index of Pronouncements andOther TechnicalGuidance</p>
<p>Subject Index</p>
<p>Other Types of Internal Control Engagements 09</p>
<p>2 Understanding How a User Auditor Uses a Type 1 or Type 2 Report 01–20</p>
<p>Obtaining an Understanding of the Entity and Its Environment, Including the Entity s Internal Control When the Entity Uses a Service Organization 01–03</p>
<p>Service Organization Services to Which AU–C Section 402 Does Not Apply 04</p>
<p>Understanding Whether Controls at a Service Organization Affect a User Entity s Internal Control 05–11</p>
<p>Types of Service Auditor s Reports 12</p>
<p>User Auditor Obtains Evidence of the Operating Effectiveness of Controls at a Service Organization 13–18</p>
<p>Information That Assists User Auditors in Evaluating the Effect of a Service Organization on a User Entity s Internal Control 19–20</p>
<p>3 Planning a Service Auditor s Engagement 01–131</p>
<p>Understanding the Responsibilities of Management of the Service Organization 01–82</p>
<p>Defining the Scope of the Engagement 02</p>
<p>Determining the Type of Engagement to Be Performed 03–07</p>
<p>Determining the Period to Be Covered by the Report 08–13</p>
<p>Determining Whether Services Provided to a Service Organization by Other Entities Are Likely to Be Relevant to User Entities Internal Control Over Financial Reporting 14–18</p>
<p>Determining Whether Subservice Organizations Will Be Carved Out or Included in the Description 19–23</p>
<p>Selecting the Criteria to Be Used 24</p>
<p>Preparing the Description of the Service Organization s System and Management s Assertion 25–67</p>
<p>Specifying the Control Objectives and Stating Them in the Description 68–76</p>
<p>Identifying Risks That Threaten the Achievement of the Control Objectives 77–78</p>
<p>Preparing Management s Written Assertion 79–81</p>
<p>Having a Reasonable Basis for Its Assertion 82</p>
<p>Responsibilities of the Service Auditor 83–131</p>
<p>Client and Engagement Acceptance and Continuance 84–90</p>
<p>Agreeing on the Terms of the Engagement 91–94</p>
<p>Assessing the Suitability of Criteria 95–96</p>
<p>Organization s System 97–105</p>
<p>Assessing the Risk of Material Misstatement 106–109</p>
<p>Planning to Use the Work of Internal Auditors 110–127</p>
<p>Using the Work of an Other Practitioner 128–131</p>
<p>4 Performing a Service Auditor s Engagement Under AT–C Section 320 01–197</p>
<p>Responding to Assessed Risk and Obtaining Evidence 01–03</p>
<p>Evaluating Whether Management s Description of the</p>
<p>Service Organization s System Is Fairly Presented 04–55</p>
<p>Materiality Related to the Fair Presentation of the</p>
<p>Description of the Service Organization s System 17–19</p>
<p>Evaluating Whether Control Objectives Are Reasonable in the Circumstances .20–.30</p>
<p>Control Objectives Not Relevant to User Entities Internal Control 31–.32</p>
<p>After Engagement Has Been Accepted, Service Auditor Determines Control Objectives Are Not Reasonable in the Circumstances 33</p>
<p>Implementation of Service Organization Controls 34–39</p>
<p>Complementary User Entity Controls 40–42</p>
<p>Subservice Organizations 43–55</p>
<p>Obtaining and Evaluating Evidence Regarding the Suitability of the Design of Controls 56–77</p>
<p>Types of Assertions in User Entities Financial Statements 62–64</p>
<p>IT General Control Objectives and Related Risks 65–67</p>
<p>Linking Controls to Risks 68–70</p>
<p>Multiple Controls Address the Same Control Objective 71</p>
<p>Information Needed to Evaluate Design of Control 72</p>
<p>Effect of Other Components of Internal Control on Design of Controls73</p>
<p>Control Necessary to Achieve Control Objective Is Missing 74</p>
<p>Difference Between Deficiency in Design and Deficiency in Operating Effectiveness 75–77</p>
<p>Obtaining and Evaluating Evidence Regarding the Operating Effectiveness of Controls in a Type 2 Engagement 78–122</p>
<p>Materiality With Respect to Operating Effectiveness of Controls 79</p>
<p>Determining Which Controls to Test 80–84</p>
<p>Options for Presenting Tests of the Operating Effectiveness of Controls for Controls That Were Subsequently Deemed Not Suitably Designed 85–86</p>
<p>Designing and Performing Tests of Controls 87–88</p>
<p>Nature of Tests of Controls 89–92</p>
<p>Evaluating the Reliability of Information Produced by the Service Organization 93–100</p>
<p>Timing of Tests of Controls 101–102</p>
<p>Extent of Tests of Controls 103–106</p>
<p>Superseded Controls 107–110</p>
<p>Selecting Items to Be Tested 111–112</p>
<p>Using the Work of Internal Auditors 113–121</p>
<p>Revision of Risk Assessment 122</p>
<p>Evaluating the Results of Procedures 123–149</p>
<p>Evaluating Misstatements General 127–128</p>
<p>Evaluating Misstatements in the Description of the Service Organization s System 129</p>
<p>Evaluating Deficiencies in the Suitability of the Design of Controls 130–131</p>
<p>Evaluating Deviations in the Results of Tests of Controls (Deficiencies in the Operating Effectiveness of</p>
<p>Controls) 132–136</p>
<p>Evaluating the Sufficiency and Appropriateness of Evidence 137–142</p>
<p>Other Considerations When Evaluating Evidence 143</p>
<p>Controls Did Not Operate During the Period Covered by the Service Auditor s Report 144–149</p>
<p>Extending or Modifying the Period 150–162</p>
<p>Management s Written Representations for the Extended or Modified Period 158</p>
<p>Deficiencies That Occur During the Original, Extended, or Modified Period 159–162</p>
<p>Other Matters Related to Performing the Engagement 163–.167</p>
<p>Controls Designed by a Party Other Than Management of the Service Organization 163</p>
<p>Communicating Known and Suspected Fraud, Noncompliance With Laws or Regulations, Uncorrected Misstatements, and Deficiencies in the Design or Operating Effectiveness of Controls 164</p>
<p>Management Requests a Change in the Scope of the Engagement 165–167</p>
<p>Forming the Opinion 168–176</p>
<p>Documentation 175–176</p>
<p>Completing the Engagement 177–197</p>
<p>Requesting Written Representations 178–191</p>
<p>Subsequent Events Up to the Date of the Service Auditor s Report 192–196</p>
<p>Management s Responsibilities During Engagement Completion 197</p>
<p>5 Reporting 01–98</p>
<p>Describing Tests of Controls and Results 02–16</p>
<p>Describing Tests of Controls and Results When Using the Internal Audit Function 08–13</p>
<p>Describing Tests of the Reliability of Information Produced by the Service Organization 14–.16</p>
<p>Preparing the Service Auditor s Report 17–34</p>
<p>Elements of the Service Auditor s Report 17–18</p>
<p>Report and Assertion When Service Organization Uses the Carve–Out Method 19–21</p>
<p>Report When Assuming Responsibility for Work of an Other Practitioner .22</p>
<p>Other Information That Is Not Covered by the Service Auditor s Report 23–34</p>
<p>Modifications to the Service Auditor s Report 35–47</p>
<p>Qualified Opinion 37–39</p>
<p>Disclaimer of Opinion 40–42</p>
<p>Management Will Not Provide a Written Assertion but Law or Regulation Does Not Permit Service Auditor to Withdraw From Engagement 43–44</p>
<p>Adverse Opinion 45–47</p>
<p>Report Paragraphs Describing the Matter Giving Rise to the Modification 48–.76</p>
<p>Illustrative Separate Paragraphs: Description Is Not Fairly Presented 48–67</p>
<p>Illustrative Separate Paragraphs: Controls Are Not Suitably Designed 68–70</p>
<p>Illustrative Separate Paragraphs: Controls Were Not Operating Effectively 71–74</p>
<p>Illustrative Separate Paragraphs: Disclaimer of Opinion 75–76</p>
<p>Other Matters Related to a Service Auditor s Engagement 77–98</p>
<p>Intended Users of the Report 77–79</p>
<p>Determining Whether an Entity Is an Indirect User Entity 80–84</p>
<p>Report Date 85</p>
<p>Subsequent Events and Subsequently Discovered Facts 86–90</p>
<p>Distribution of the Report by Management 91–93</p>
<p>Service Auditor s Recommendations for Improving Controls 94</p>
<p>Modifying Management s Written Assertion 95–98</p>
<p>Appendix</p>
<p>A Illustrative Type 2 Reports</p>
<p>B Illustrative Type 2 Reports Inclusive Method, Including Illustrative Management Representation Letters</p>
<p>C Illustrative Management Representation Letters</p>
<p>D Illustrative Control Objectives for Various Types of Service Organizations Appendix</p>
<p>E Comparison of SOC 1®, SOC 2®, and SOC 3® Engagements and Related Reports</p>
<p>F Comparison of Requirements in AT–C Section 320</p>
<p>G Illustrative Service Auditor s Report When Reporting Under Both AT–C Section 320</p>
<p>H Overview of Statements on Quality Control Standards</p>
<p>Index of Pronouncements andOther TechnicalGuidance</p>
<p>Subject Index</p>
Rubrieken
- advisering
- algemeen management
- coaching en trainen
- communicatie en media
- economie
- financieel management
- inkoop en logistiek
- internet en social media
- it-management / ict
- juridisch
- leiderschap
- marketing
- mens en maatschappij
- non-profit
- ondernemen
- organisatiekunde
- personal finance
- personeelsmanagement
- persoonlijke effectiviteit
- projectmanagement
- psychologie
- reclame en verkoop
- strategisch management
- verandermanagement
- werk en loopbaan