 Come to the session, this is Professor Farhad in which we would look at reporting on an examination of control at a service organization. Simply put, we're gonna be looking at the SAC report. We're gonna look at SAC report one. So we don't lose track of what we are doing. This is within the attestation and engagement that we can provide three levels of service, examination, review and agree upon procedures. In the prior session, we looked at prospective financial information, pro forma financial information, compliance attestation and management discussion and analysis. In this session, we're gonna be focusing on examination of the service organization control. And simply put, we can only have examination. So under examination is a yes, we don't provide a review. We don't provide an agreed upon procedures. Now for most of you, this concept, the control at a service organization is a new concept. Therefore, I'm gonna be defining terms before I start to explain the concept because it's very important that you define the players that are in this session. Starting with Farhat lectures. Let's assume my company, I have 10 employees, I don't, but let's assume that's the case. Well, here's what's gonna happen. When you have employees, you have to pay them. You have to pay salary. Well, that's easy. You just have to pay. But the difficulty in that is you have to withheld the appropriate amount of federal, state, local. If they have benefit, if they have health insurance, you have to withhold the appropriate amount, send the money to the insurance company. If they participate in a 401K plan, you have to withhold the money. If there's any type of withholding, then you are responsible for all of that. So you need the whole system for payroll. And what companies learned over the years, and you might notice this from your paycheck, that they outsourced this process. So on your paycheck, you might see the word ADP or you might see the word paycheck. Now those are not the only two companies, payroll companies. There are many other payroll companies that provide services for clients. For example, where I used to work, my CPA firm, my old CPA firm, Bucknall City & Company, we had a payroll company. One of the partners created a payroll company to compete with ADP and paycheck and simply put, in other words, to service our customers if they want the service payroll. So simply put, let's go back to my company. And my company, Farhat Lectures, has 10 employees. And as a result, I need to have a payroll system. Well, I don't want to worry about all the deductions. So I'm going to hire ADP. ADP is a payroll processing company. I'm gonna go ahead and hire them. And by the way, my cousin worked there, so that's why I chose ADP. So the first thing, we need to define few terms. Farhat Lecture is called a user entity in this context. The user entity is the entity that uses the service of the service organization. Now, who's the service organization? ADP is the service organization or the service provider. ADP is the service organization. It's the organization that provides services to user entities. Who are user entities? I am the user entity in this example that are relevant to those entities internal control over financial reporting. Now think of it this way. Now, Farhat Lectures, we have a revenue cycle or a revenue module. We have an expense module. We would have an operation module. And notice the payroll is a different one. Payroll is from an outsider. So basically what's embedded in my accounting information system is a foreign entity, a foreign system. Now, bear in mind that ADP is embedded in many different companies. And on a yearly basis, I have to audit my financial statements because my bank want me to audit the financial statement. So I'm gonna hire Adam CPA services to audit Farhat Lectures. Well, in order to audit Farhat Lectures, you need to learn about the internal control whether you wanna rely on them or not so on and so forth. Now, ADP is not part of my company. How is Adam CPA services going to audit my company, audit my payroll system if my payroll system is handled by ADP? Well, ADP knows this. So ADP also, they have an auditor or let's assume PWC and what they do, they are going to ask their auditor to do what? To report on the internal control over their financial reporting, specifically for Farhat Lectures over their payroll. So simply put, they will ask their auditor to issue a report to give some sort of an assurance for, in quote, Adam services or the other auditor. So simply put, Adam CPA services is the auditor of the user entity. So I hire Adam on a yearly basis to do my audit. Now, ADP knows about this. They know that I get an audit every year. They know that their client gets an audit every year. So what do they do? They have their own auditor. And for the sake of this example, they have PWC. I really don't know. I should have looked whether PWC audit them or not. But for the sake of the example, it doesn't really matter. Now, the service auditor will issue a report, audit reports to the auditor of the user organization. So PWC will issue a report to Adam company of the user organization about the internal control at ADP, specifically about the internal control over their financial reporting. And specifically for Adam, Adam is interested in the payroll process. The purpose of this is to build trust and confidence and the services performed. So now Adam CPA services, which is the auditor of far-hat lectures of the user entity will have some assurance, whether they want to accept this assurance or do their own testing, that's fine. But at least they have some assurance from PWC because PWC, they would issue a SOC1 report. And a SOC1 report will have two type. We're gonna have type one and type two. So notice it's SOC1, but it has two types. I'm gonna one and two, type one and type two. Before we proceed any further, I have a public announcement about my company, farhatlectures.com. Farhat accounting lectures is a supplemental educational tool that's gonna help you with your CPA exam preparation as well as your accounting courses. My CPA material is aligned with your CPA review course such as Becker, Roger, Wiley, Gleam, Miles. My accounting courses are aligned with your accounting courses broken down by chapter and topics. My resources consist of lectures, multiple choice questions, true-false questions, as well as exercises. Go ahead, start your free trial today, no obligation, no credit card required. So what is SOC1 report? SOC1 report is reports on controls at the service organization relevant to the user's entity, internal control over financial reporting, in case of Adam, specifically payroll. Now bear in mind, we also have SOC2. We're not gonna cover SOC2, but here's what I'm gonna tell you. SOC2 is very similar to SOC1 in contests and they have two types. Also SOC2, they have type one and let me write one properly, type one, SOC2 will have type one and they will have type two. They would also have two types, type one and type two. But SOC2 report on controls at service organization relevant to, notice security, availability, processing integrity, confidentiality and privacy. Simply put SOC2 deals with IT concern, whether you are hosting your data or your server at a third location, at a second location. Well, in other words, you're outsourcing these services rather than outsourcing part of your accounting system, which is ADP. Everything we're gonna learn for SOC1 applies to SOC2, except we are dealing with a different subject matter. Now then we also have SOC3, which is we don't worry about this, but basically it's a trust service report for service organization. SOC3 report is for general distribution. Obviously what I'm implying, SOC1 and SOC2 are of limited distribution. So now we need to talk about SOC1 reports. A little bit more. Remember we have type one and type two. Again, what is SOC1? It's report on controls at the service organization that's relevant to the users, entities, internal control over financial reporting. What is the purpose of it? Again, this is a review. To meet the needs of entities that uses the service organization. Well, to meet the needs of far hat lectures, I have clients, I have customers, I have an auditor. They want to have some assurance about my payroll. Well, guess what? The SOC1 report will give them that assurance. Remember Adam company that audit me is responsible for understanding my internal control. How are they gonna audit ADP? Well, PWC will give them some help. There are two types of report on control that PWC can provide. This is gonna be type one report. What is type one and what is type two? Because this is what they try to trick you on. I would say it's easy to remember, but let me go through it step by step. Type one report on management description of a service organization system and the suitability of the design of the control. So simply put, they'll give you a report explaining the internal control, narrating the internal control, the description and the design of it. Also, they'll give you some written assertions about the control and they provide you an opinion. So this is what a type one is. Simply put, this is how the control works. They may give you flow charts. They can show you the design of it, but that's about it. This is type one report. Type two report on management description. Hold on a second. Didn't type one report on this? Yes, type two would report on this and the suitability of the design. Hold on a second. We just said this. Yes. So type two is simply put type one plus the operating effectiveness of the control. Here, when they give you a type two, it means they tested the control and they are giving you a report about its effectiveness. So you really want type two. If you're Adam Company, you want more assurance. Well, they can tell me what the design looks like. They can describe it to me. They can show it to me. But hold on a second. If they're gonna test it and tell me how well, if it's operating effectively or not, I would like that. So type two would include type one plus a report about the operating effectiveness. More assurance. Obviously, it's gonna include written assertions about the control and not an onion. They will provide me an opinion which we'll talk about later. Let's focus now on type one report. Once again, type one is when we express an opinion which is an examination about the fairness of the description and the suitability of the design. That's all what we do in type one. So how would the service auditor, how would PWC come up with that conclusion, the service auditor responsibility? Well, they obtain and read the system description prepared by the organization and assess whether the description is fairly presented. Simply put, we're going back to audit 101 and learning about the internal control. We evaluate whether management use suitable criteria and preparing and presenting the description. PWC would evaluate whether the organization description include information about procedure by which description are initiated, transactions are initiated, authorized, recorded, processed, corrected, reported at the user's entity, so on and so forth. Simply put, they learn about the internal control as we do in a regular audit. They would also evaluate if the control has been designed to address risk threatening the achievement of the control objective. And what would they tell you in the report after they do all of this? Here's what they will tell you. If control working as described, basically they learn about it and they think it's a great control on paper, they would say if it's working at describe, it should provide reasonable assurance that you will be able to mitigate the risk. Okay, you would not be basically put, provide reasonable assurance that the risk would not prevent the achievement of control objective. But it's good, that's what we want. But all what they're saying, if it's working properly, that's all what type one is. And they give you the description and the suitability. Type two report would include, as I said earlier, type one, I know I'm repeating this several times, but this is what they test you on, what's in type two. Type two is type one engagement plus the service auditor PWC perform test of the operating effectiveness. And this is great, this is what you want to do. This is what Adam wants to see, type two report. Type two report contains three opinion. One, and I divide one into two, a description which we talked about in type one and suitability also on type one. And by the way, I did not mention this, I'm gonna mention it now. Type one report is a point in time. So it has a date, for example, December 31st, 20x4, a point in time. In addition to those two opinions about the description and suitability and we'll look at the opinion later, they give you the operating effectiveness. The operating effectiveness of the control is for a throughout a period, for a period of time. Okay, for example, for six months ending December 31st. It's a period of time rather than a point in time. You remember how the balance sheet versus the income statement, the balance sheet is a point in time, the income statement is a period of time. The operating effectiveness is throughout a period of time. Now, remember, you have to restrict both report, restrict the use of the report to specified party. Who are the potential specified party? Who do you think? Well, the entity itself, of course, its customers might want it, suppliers, business partners and regulators. So you don't distribute it to the general public, but if someone asks for it, they have a use for it, you understand it, here's the report, type one and type two. Now be aware that the user auditor should evaluate the competency and the dependence of the service auditor if you want to rely on type one and type two report. If you want to rely on their description or on the operating effectiveness, whatever PWC is saying, well, you wanna make sure they are competent and make sure they are independent. You should evaluate the relevant control at the user entity and obviously at the user entity. Of course you have to do that. And at the service organization to assess the risk of material misstatement, you might have to do some testing. Although you have type one and type two. Now type two is very helpful. If you really trust them, just don't have to do any testing. But again, you're relying on their competency, knowledge, independence, your trusting, whatever they're telling you is the truth. And if that's what you wanna go with this, that's fine. Or you might have to collect some information yourself. Now you have to issue an opinion. You could have various opinion. You could have unmodified opinion. And an unmodified opinion, you don't refer to the service auditor. There's no division of work here. If you have an unmodified opinion, that's great. If you have a modified opinion, if you modified the opinion for any reason. Now, would you refer to the service auditor? Well, if referring to the service auditor help clarify or understand the modification, then you will do it. Otherwise you would not. If the service auditor has nothing to do with the modification, you don't have to worry about this. You could also give a scope limitation. What is scope limitation? You cannot obtain sufficient appropriate evidence about the services given by the service organization relevant to the user's entity financial statements. You cannot, you're not comfortable with the evidence. Then you would give a scope limitation. Now let's discuss what a report for type one would look like. You have the word independent in the title would have an address C, the nature of the engagement plus the date, the service organization responsibilities, the service auditor's responsibilities. We followed the ICPA standard. They would describe the examination. They will disclaim the opinion on the operating effectiveness. Remember, we are dealing with a type one report. In a type one report, you don't test the operating effectiveness. So that's why I highlight this in yellow because when I show you type two, it's not gonna be there. So that's why I'm highlighting it in yellow. Then you will discuss the inherent limitation, basically no internal control is perfect. And you will give your opinion. Remember, type one report has two opinion. One about the description of the internal control and the suitability design. Two, then you restrict the distribution. So this is type one. Now type two would look mostly very similar except you're gonna have three opinions. This will not be there, right? Because you are going to test the internal control. Type two, the word independent address C, nature of the engagement date, service organization responsibilities, service auditor responsibilities. We followed the ICPA description of the examination and her and limitation opinion. The opinion will have description and control suitability design, which is the type one. I know I'm saying this in so many different time and so many different ways. That's what they test you on on the CPA exam. That's why I keep telling you this, this way, then the other way, then the other way, but it's the same information. Then the third one is control, control tested operated effectively. That's the third opinion that they tell you about. And they describe the test. How did they test the internal control? They use sampling, whatever they did, they will describe it and they would restrict the distribution as well. Now, what should you do? Go to FARHAT lectures and work MCQs. That's going to help you understand this important topic on the CPA exam. Recently, SAC report has been tested heavily and it's considered an important topic. Good luck, study hard, stay safe and the CPA exam is worth it.