3.62
The service auditor should design and perform tests of controls to obtain sufficient appropriate evidence that the controls are operating effectively throughout the period to meet the applicable trust services criteria. Relevant factors in determining the extent of tests of controls include the following:
l The nature of the controls
l The frequency of the performance of the control during the period
(for example, daily management review of open incidents versus monthly review of closed incidents to identify ongoing problems)
l The relevance and reliability of the evidence that can be obtained
to support the conclusion that the controls are operating effectively to meet the applicable trust services criteria
l The extent to which audit evidence is obtained from tests of other
controls designed to meet the same criterion
failure
l The service auditor’s tolerable rate of deviation in the operating
effectiveness of the control
3.63
If the control operates frequently, the service auditor should consider using audit sampling to obtain reasonable assurance about the operating effectiveness of the control. If the control is applied on a periodic basis (for example, a
monthly reconciliation of input to output), the service auditor should consider guidance appropriate for testing smaller populations. Refer further to AU section 350, Audit Sampling (AICPA, Professional Standards), and the Audit Guide Audit Sampling.
3.64
The service auditor should test the operating effectiveness of the control in effect throughout the period covered by the report and determine whether the control has operated frequently enough to be assessed as operating effectively. For example, if a report covers a period of six months, and a control operates only annually, the service auditor may be unable to test the operating
effectiveness of the control within the period. The shorter the test period, the greater the risk that certain controls may not have operated during the period and that the service auditor will be unable to perform sufficient testing and obtain sufficient evidence to express an opinion on the operating effectiveness of those controls.
3.65
Generally, evidence obtained in prior engagements about the satisfactory operation of controls in prior periods does not provide a basis for a reduction in testing in the current examination period, even if it is supplemented with evidence obtained during the current period. If the service auditor plans to use evidence about the operating effectiveness of controls obtained in prior
engagements, the service auditor should adapt and apply the guidance in paragraph .40 of AU section 318, Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained (AICPA, Professional Standards), which requires the service auditor to obtain evidence about whether changes in those specific controls have occurred subsequent to the prior
engagement by a combination of observation, inquiry, and inspection to confirm the understanding of those specific controls. Paragraph .40 of AU section 318 refers to the guidance in paragraph .24 of AU section 326, Audit Evidence (AICPA, Professional Standards), which states that the service auditor should perform procedures to establish the continuing relevance of evidence obtained in prior periods when the service auditor plans to use such evidence in the current period. For example, in performing the prior examination, the service auditor may have determined that an automated control was functioning as intended. The service auditor should obtain evidence to determine whether changes to the automated control have been made that affect its continued effective functioning (for example, through inquiries of management and the inspection of logs to indicate whether controls have been changed).
Consideration of evidence about these changes may support either increasing or decreasing the expected evidence to be obtained in the current period about the operating effectiveness of the controls.
3.66
If the service auditor intends to use evidence of the operating effectiveness of controls that was obtained in prior periods, and those controls have changed since they were last tested, the service auditor should perform additional tests
of the operating effectiveness of such controls in the current period. Changes may affect the relevance of the evidence obtained in prior periods such that it may no longer be relevant. For example, changes in a system that enable the service organization to receive a new report from the system probably do not affect the relevance of prior period evidence; however, a change that causes data to be accumulated or calculated differently does affect it.
3.67
If the service auditor identified deviations in the operation of a control in a prior year, the service auditor may decide to increase the extent of testing in the current period. For example, if the opinion in the prior year’s service auditor’s report was qualified because of deviations in controls over the authorization of user access, the service auditor may decide to increase the number of items tested in the current examination period. This would be the case if the design or operation of the control had not been corrected in the current year, which may result in the same kinds of deviations, or if a new control had been implemented (a new control may not have been thoroughly tested and may have unexpected deficiencies in design or operating effectiveness, increasing the risk that the controls would not have operated effectively).
3.68
Generally, IT processing is inherently consistent; therefore, the service auditor may be able to limit the testing to one or a few instances of the control
operation. An automated control should function consistently, unless the program, including the tables, files, or other permanent data used by the program, is changed. Once the service auditor determines that an automated control is functioning as intended, which could be determined at the time the control is initially implemented or at some other date, the service auditor should perform tests to determine that the control continues to function effectively. Such tests might include determining that changes to the program are not made without being subject to the appropriate program change controls, that the authorized version of the program is used for processing transactions, and that other relevant IT general controls are effective.
3.69
A control may be designed to address an identified risk on its own or may function in combination with another control. Often, the effectiveness of the control will depend on both manual and automated procedures. For example, management’s follow-up of system-identified security access violation events is dependent on the proper configuration and functioning of the security
monitoring software.