Page 43 - CA Final Audit Titanium Full Book. (With Cover Pages)
P. 43
CA Ravi Taori
(CNO-SA402.180) Using Type 1 or Type 2 Report to Support the User Auditor’s Understanding of the SO
1A. Professional Competence & independence (Reliability): The service auditor’s professional competence
(except where the service auditor is a member
of the Institute of Chartered Accountants of India) and independence from the service organisation; and
1B. Adequacy of the Standards: The adequacy of the standards under which the Type 1 or Type 2 report was
issued.
2. Use for Understanding ICS at SO: If the user auditor plans to use a Type 1 or Type 2 report as audit evidence
to support the user auditor’s understanding about the design and implementation of controls at the service
organisation, the user auditor shall:
2A. Description and Design of controls: Evaluate whether the description and design of controls at the service
organisation is at a date or for a period that is appropriate for the user auditor’s purposes. Evaluate the sufficiency
and appropriateness of the evidence provided by the report for the understanding of the user entity’s internal
control relevant to the audit; and
2B. Complementary User Entity Controls: Complementary user entity controls refer to controls that the
service organisation assumes, in the design of its service, will be implemented by user entities, and which, if
necessary to achieve control objectives, are identified in the description of its system.
Determine whether complementary user entity controls identified by service organisation are relevant to the
user entity and, if so, obtain an understanding of whether the user entity has designed and implemented such
controls.
(CNO-SA402.200) Responding to the Assessed Risks of Material Misstatement
In responding to assessed risks in accordance with SA 330, the user auditor shall: -
Assertions: Evaluate availability of sufficient appropriate audit evidence from user entity's records regarding
relevant financial statement assertions.
Further Audit Procedures: If sufficient evidence is not available, perform further audit procedures to acquire
necessary evidence.
Using Another Auditor: Consider using another auditor to conduct these procedures at the service organisation
on behalf of the user auditor, if necessary.
(CNO-SA402.220) Tests of Controls at Service Organisation
1. Expectation that controls at the service organisation are operating effectively (Relevant Controls): When
the user auditor’s risk assessment includes an expectation that controls at the service organisation are operating
effectively, the user auditor shall obtain audit evidence about the operating effectiveness of those controls from
one or more of the following procedures: -
(In sequence of easy to difficult)
2A. Type 2 Report: Secure a Type 2 report, if accessible.
2B. Visit: Conduct relevant control tests at the service organisation.
2C. Using another auditor: Using another auditor for control testing at the service organisation.
(CNO-SA402.240) Using a Type 2 report as audit evidence that controls at the service organisation are
operating effectively (Shortcut - Appropriate CAR)
Appropriateness: User auditor must evaluate if the description, design, and operating effectiveness of controls
at the service organisation are appropriate for their purposes.
Complementary user entity controls: Assess if complementary user entity controls identified by the service
organisation are relevant, and if so, understand and test their design, implementation, and operating
effectiveness.
www.auditguru.in 2.23
