Service Organizations


Questions 1 - 10
1

A nonissuer e-commerce company is undergoing a financial statement audit and uses a service organization for order fulfillment and returns processing, which generates return accrual reports used to estimate sales returns. The SOC 1 Type 2 report notes that controls over timely recording of returns were not operating effectively during peak season and identifies a complementary user entity control requiring the company to review weekly returns trend analytics. Which action should the auditor take based on SOC 1 findings?

Reduce audit work over returns because peak season issues are expected and therefore not relevant to the audit.

Modify the audit opinion because deficiencies at a service organization require a qualification even if financial statements are fairly stated.

Rely on inquiry of management about returns processing rather than performing further procedures because the SOC 1 report already identified the issue.

Increase risk for the sales returns estimate, test the company’s weekly analytics review control, and expand substantive procedures over the returns reserve and related disclosures.

Explanation

AU-C Section 402 guides procedures for returns estimates in nonissuer audits. The report notes untimely recording during peak season, with a weekly analytics review required. Choice A correctly increases risk, tests the control, and expands procedures, per AU-C 402. Choice B is incorrect because peak-season issues are relevant; choice C is wrong because there is no automatic modification. Choice D is insufficient. Use analytics for estimates. Rule: Seasonal deficiencies require targeted period testing.

2

A nonissuer insurance agency is undergoing a financial statement audit and uses a service organization to calculate and remit commissions payable to agents, providing monthly commission statements used to record liabilities. The SOC 1 Type 2 report indicates that controls over completeness of policy data used in commission calculations were not operating effectively and notes the user entity must reconcile policy listings to commission statements monthly. Based on the SOC 1 report, which audit procedure is most appropriate?

Obtain written representations from the service organization’s management to replace testing of commission liabilities.

Focus additional audit work on inventory because completeness issues generally indicate pervasive financial statement risk.

Rely on the SOC 1 report to reduce substantive procedures because commission calculations are performed by a specialist service organization.

Test the agency’s monthly reconciliation control and expand substantive testing of commissions payable completeness and accuracy.

Explanation

AU-C Section 402 addresses commission completeness in nonissuer audits. The report indicates ineffective policy data controls, with monthly reconciliations required. Choice A is correct by testing the control and expanding testing, per AU-C 402. Choice B is incorrect because specialists do not reduce procedures; choice C has the wrong focus. Choice D is insufficient per AU-C 580. Use reconciliations for completeness. Rule: Test data inputs when the SOC report has completeness issues.

3

An issuer is undergoing an integrated audit and uses a third-party service organization for customer refunds processing, including approving refunds and initiating ACH payments. The SOC 1 Type 2 report identifies a deficiency where refund approvals were not consistently evidenced and notes a complementary user entity control requiring the issuer to review a weekly refund register for unusual items. What is the most appropriate response to control deficiencies noted in the SOC 1 report?

Test the issuer’s weekly refund register review control and increase substantive procedures over refunds, revenue adjustments, and cash disbursements.

Issue a qualified ICFR opinion solely because the SOC 1 report noted a deficiency, without evaluating severity at the issuer level.

Use the SOC 1 report to reduce fraud risk assessment procedures because refunds are controlled by a third party.

Conclude that refund controls are outside the scope of ICFR because they are performed by a service organization.

Explanation

PCAOB AS 2201 is tested here for responses to refund deficiencies in integrated audits. The report identifies un-evidenced approvals, with weekly register reviews required. Choice A correctly tests the review and increases procedures, per AS 2201. Choice B is incorrect because the controls are part of ICFR; choice C is wrong because severity must be evaluated. Choice D is incorrect because fraud risk is not reduced. Mitigate via user reviews. Framework: For disbursements, enhance fraud procedures on SOC deficiencies.

4

A nonissuer municipality is undergoing a financial statement audit and uses a service organization to process utility billing and collections, with daily interfaces to the municipality’s accounting system. The SOC 1 Type 2 report notes exceptions in controls over completeness of interface transmissions and specifies a complementary user entity control requiring finance staff to review and resolve interface error logs daily. Based on the SOC 1 report, which audit procedure is most appropriate?

Use the SOC 1 report to support conclusions about compliance with grant requirements because utility billing affects federal awards.

Test the municipality’s daily review of interface error logs and expand substantive procedures over utility revenue completeness and cash receipts.

Rely on the SOC 1 report to eliminate testing of utility revenue because controls were tested by the service auditor.

Defer all consideration of interface controls until the next year’s audit because the SOC 1 report covers the current year.

Explanation

The professional standard being tested is AU-C Section 402, which addresses audit considerations relating to an entity using a service organization, including the use of SOC 1 Type 2 reports to evaluate controls relevant to the user entity's internal control over financial reporting. In this scenario, the SOC 1 Type 2 report identifies exceptions in the service organization's controls over the completeness of interface transmissions and specifies a complementary user entity control (CUEC) requiring the municipality's finance staff to review and resolve interface error logs daily. The most appropriate audit procedure is to test the municipality’s daily review of interface error logs and expand substantive procedures over utility revenue completeness and cash receipts, as this aligns with AU-C 402 by ensuring the auditor obtains evidence about the operating effectiveness of CUECs and responds to identified control deficiencies with increased substantive testing to mitigate risks of material misstatement. Relying on the SOC 1 report to eliminate testing of utility revenue is incorrect because AU-C 402 prohibits full reliance when exceptions are noted, as the service auditor's testing does not absolve the user auditor from performing necessary procedures. Using the SOC 1 report for compliance with grant requirements is inappropriate under AT-C Section 205, as SOC 1 reports focus on financial reporting controls, not compliance objectives, and utility billing's impact on federal awards requires separate compliance testing; deferring consideration of interface controls is also wrong per AU-C 402, as the report pertains to the current period and must be evaluated timely to inform risk assessment. A transferable professional judgment framework for using SOC 1 reports involves first assessing the report's scope, exceptions, and CUECs to determine reliance levels, then testing relevant user entity controls and adjusting substantive procedures accordingly. 
This decision rule ensures auditors maintain sufficient appropriate evidence while leveraging service auditor work to enhance efficiency without compromising audit quality.

5

An issuer is undergoing an integrated audit and uses a service organization for stock-based compensation administration, including maintaining award data and generating expense reports uploaded into the issuer’s ERP. The SOC 1 Type 2 report identifies that controls over segregation of duties for award modifications were not operating effectively, and it lists a complementary user entity control requiring the issuer to approve all award modifications before processing. What is the most appropriate response to control deficiencies noted in the SOC 1 report?

Test the issuer’s approval control over award modifications and adjust planned procedures over stock-based compensation expense and disclosures.

Issue an adverse opinion on ICFR solely because the service organization had a segregation of duties issue.

Assume controls are effective because the service auditor issued an unmodified opinion on the SOC 1 report.

Treat the deficiency as an independence impairment for the issuer’s auditor because the service organization performed a management function.

Explanation

PCAOB AS 2201 tests evaluation of segregation deficiencies in SOC reports for ICFR opinions. The report identifies ineffective segregation for award modifications, with issuer approval required. Choice A is appropriate by testing the approval and adjusting procedures for compensation, per AS 2201. Choice B is incorrect as unmodified opinions do not override deficiencies under AS 2201; choice C is wrong, no independence issue per AS 1005. Choice D overstates, as AS 2201 requires severity assessment. Test user controls to mitigate SOC deficiencies. Framework: Do not equate SOC deficiencies to automatic adverse opinions; evaluate per issuer's overall ICFR.

6

A nonissuer financial services company is undergoing a financial statement audit and uses a service organization to process wire transfers and produce a daily cash movement report used for bank reconciliations. The SOC 1 Type 2 report notes that controls over dual authorization for certain wire templates failed for a sample of transactions and indicates the user entity must review daily exception reports of template changes. Which action should the auditor take based on SOC 1 findings?

Reclassify the engagement as an attestation engagement because wire transfers are processed by a service organization.

Communicate the deficiency only to the service organization’s auditor because it is outside the scope of the user auditor’s communications.

Expand audit procedures over cash and cash disbursements, and test whether the company performed the daily exception report review control.

Rely on the SOC 1 report to reduce substantive testing because wire processing is fully outsourced.

Explanation

AU-C Section 402 addresses incorporating SOC findings into nonissuer audit procedures for cash processes. The report notes failures in dual authorization, with user review of exceptions required. Choice A is correct by expanding procedures and testing the review, per AU-C 402 and AU-C 330. Choice B is incorrect as outsourcing does not reduce testing under AU-C 500; choice C is wrong, as audits remain under AU-C standards. Choice D misapplies AU-C 260 communications. Integrate SOC deficiencies by testing user mitigations and increasing substantive procedures. Rule: Use SOC to inform, not replace, user auditor evidence gathering.

7

A nonissuer health services company is undergoing a financial statement audit and uses a third-party claims administrator to process claims payable and provide a month-end claims payable report used to book the liability. The SOC 1 Type 2 report notes an exception in controls over the completeness of claims data received from providers and states a complementary user entity control requires the company to reconcile provider submissions to claims accepted by the administrator. How should the auditor incorporate the SOC 1 findings into the audit plan?

Increase planned reliance on controls over claims payable because the SOC 1 report is Type 2 and therefore overrides the noted exception.

Use the SOC 1 report to support audit evidence over the company’s revenue recognition assertions, since claims processing impacts revenue.

Communicate the service organization’s exception directly to those charged with governance of the service organization.

Plan to test the company’s reconciliation complementary control and expand substantive testing of claims payable completeness and valuation.

Explanation

AU-C Section 402 guides auditors on incorporating SOC 1 findings into audit plans for nonissuers, emphasizing response to noted exceptions and complementary controls. The SOC 1 Type 2 report notes an exception in completeness controls for claims data, with a required user reconciliation. Choice B is appropriate by planning to test the reconciliation and expanding substantive testing for claims payable, aligning with AU-C 402's requirement to adjust procedures based on deficiencies. Choice A is incorrect as AU-C 315 does not support increasing reliance when exceptions exist; choice C is wrong because claims impact expenses, not revenue per ASC 606. Choice D exceeds AU-C 260 requirements, as communications are to user entity governance. Use SOC exceptions to heighten risk and test user controls for mitigation. A decision rule is to expand substantive procedures proportionally to unmitigated deficiencies in SOC reports.

8

A nonissuer technology company is being audited and uses a third-party billing platform to generate customer invoices and calculate sales tax. The SOC 1 Type 2 report covers the full year and notes a deficiency in controls over sales tax rate updates; the report also specifies that the user entity must review monthly tax rate change logs. How does the SOC 1 report affect the auditor's risk assessment?

Increase risk for tax-related liabilities and expense assertions impacted by sales tax calculations and evaluate whether the company performed the monthly review control.

Conclude the deficiency requires a disclaimer of opinion on the financial statements because it occurred at a service organization.

Decrease risk for revenue recognition because sales tax controls are part of the billing platform.

Defer consideration of the SOC 1 report until the completion stage because service auditor reports are used only for final analytical procedures.

Explanation

AU-C Section 402 is the concept, focusing on risk assessment adjustments from SOC 1 deficiencies in nonissuer audits. The report notes a deficiency in sales tax rate updates, with user review of logs required, covering the full year. Choice A is correct by increasing risk for affected assertions and evaluating the review control, per AU-C 402 and AU-C 315. Choice B is incorrect as tax controls do not directly lower revenue risk under ASC 606; choice C is wrong because AU-C 705 requires basis for disclaimers, not automatic from SOC deficiencies. Choice D misstates timing, as AU-C 402 uses SOC for planning. Evaluate SOC deficiencies for assertion impacts and test user controls. Rule: Heighten risk if complementary controls are not verified as operating effectively.

9

An issuer is undergoing an integrated audit and uses a service organization for revenue contract management, including maintaining contract terms used to calculate variable consideration. The SOC 1 Type 2 report includes a description of controls but indicates that testing of operating effectiveness excluded the last quarter due to timing; complementary user entity controls include quarterly reconciliation of contract master data to executed contracts. How does the SOC 1 report affect the auditor's risk assessment?

Assess lower risk for revenue because the SOC 1 report provides a description of controls even without full-period testing.

Disregard the SOC 1 report because any period not covered requires the auditor to issue a disclaimer on ICFR.

Use the SOC 1 report to support conclusions about cybersecurity risk management because it addresses system controls.

Assess higher risk for revenue-related assertions for the excluded quarter and plan additional procedures, including testing the issuer’s quarterly reconciliation control.

Explanation

PCAOB AS 2201 is tested here for risk assessment with partial SOC coverage in integrated audits. The report excludes the last quarter's effectiveness testing, with quarterly reconciliations required. Choice A correctly assesses higher risk and plans procedures including testing the control, per AS 2201. Choice B is incorrect because descriptions alone are insufficient under AS 2201; choice C is wrong because there is no automatic disclaimer per AS 2201. Choice D misapplies SOC 1 scope. Bridge gaps with user testing. Framework: Treat uncovered periods as higher risk, requiring additional evidence.

10

An issuer is undergoing an integrated audit and uses a service organization for income tax provision software hosted and maintained by the service organization, including automated rate and rules updates. The SOC 1 Type 2 report indicates a deficiency in controls over review and approval of rules updates and lists a complementary user entity control requiring the issuer to review update release notes and perform a validation test after updates. How should the auditor incorporate the SOC 1 findings into the audit plan?

Rely on the SOC 1 report to reduce tax testing because tax software updates are outside ICFR.

Obtain a management representation that updates were correct and treat it as sufficient appropriate audit evidence.

Test the issuer’s validation control after updates and increase substantive procedures over the tax provision and related disclosures for periods affected by updates.

Apply nonissuer audit guidance because tax provision work is not subject to PCAOB integrated audit requirements.

Explanation

PCAOB AS 2201 is tested for tax provision controls in integrated audits. The report indicates deficiencies in update reviews, with validation testing required. Choice A correctly tests the control and increases procedures, per AS 2201. Choice B is incorrect because updates are part of ICFR; choice C is insufficient per AS 2301. Choice D misapplies standards. Validate post-update. Framework: For software, test user validations on changes.
