3.73
In a type 2 engagement that addresses the privacy principle, in addition to expressing an opinion on the design and operating effectiveness of controls, the service auditor also expresses an opinion on whether the service organization complied with the commitments in its statement of privacy practices (privacy commitments). Information obtained from the service auditor's assessment of the design and operating effectiveness of controls related to privacy contributes to his or her evaluation of the risk of material noncompliance with the service organization's privacy commitments, which includes both intentional and unintentional material noncompliance. The service auditor uses this information as part, but not all, of the reasonable basis for his or her opinion regarding the service organization's compliance with its privacy commitments.
3.74
Based on the assessment of the controls that address the trust services privacy criteria, the service auditor determines the extent to which he or she needs to perform tests to detect material noncompliance with the privacy commitments. Accordingly, the service auditor may alter the nature, timing, and extent of tests performed, based on the assessments and tests of the controls.
3.75
In an engagement in which the service auditor reports on an entity's compliance with its privacy commitments, the service auditor's consideration of materiality is affected by (a) the nature of the requirements in the statement of privacy practices; (b) the nature and frequency of identified noncompliance, with appropriate consideration of sampling risk; and (c) qualitative considerations, including the needs and expectations of the report users.
3.76
The service auditor should apply procedures to provide reasonable assurance of detecting material noncompliance. Determining these procedures and evaluating the sufficiency of the evidence obtained are matters of professional judgment. When exercising such judgment, the service auditor should consider the guidance in AU section 350 and paragraphs .51–.54 of AT section 101.
3.77
The following example illustrates how a service auditor might consider the foregoing in planning tests of compliance with privacy commitments:
A service organization's statement of privacy practices contains a commitment not to share personal information obtained from users with other users. Based on the service auditor's evaluation and tests, the service organization's controls over access to personal information are effective in meeting the relevant criteria and in preventing one user's employees from accessing personal information provided by any other user. To test compliance with this commitment, the service auditor compares a daily log of all accesses to personal information with a list, furnished by the user entity, of the names of user-entity employees authorized to access such information. Because the access controls related to this commitment were effective, the service auditor determined that it would only be necessary to perform this test on a limited number of daily logs throughout the period. Had the controls not been as effective or had the service auditor identified deviations while testing controls, the number of daily logs tested for compliance would need to be greater.
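The reconciliation described in the example above, written out as an added illustration (it is not part of the guide): a day's access log is parsed and each access is checked against the authorized-employee list furnished by the user entity that owns the record, and a fixed-size sample of daily logs is drawn from the period when controls have tested effective. The log format, field names, user-entity names and authorized lists are all constructed for this illustration.

```python
"""Added illustration: reconcile a daily access log with user-entity-furnished
authorized-employee lists, and sample daily logs across the period."""
import random
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Set

# Constructed sample of one day's access log (format is an assumption, not from the guide).
# Each line: <timestamp> actor=<user-entity>:<employee> record=<user-entity>/<record-id> action=<verb>
SAMPLE_DAILY_LOG = """\
2013-05-02T09:14:03Z actor=acme:jdoe record=acme/cust-1001 action=read
2013-05-02T09:20:11Z actor=acme:mlee record=acme/cust-1007 action=read
2013-05-02T10:02:45Z actor=bravo:tkim record=bravo/cust-2002 action=update
2013-05-02T11:47:09Z actor=acme:jdoe record=bravo/cust-2002 action=read
2013-05-02T13:05:30Z actor=acme:rpatel record=acme/cust-1003 action=read
2013-05-02T15:30:00Z actor=svc:batch-export record=acme/cust-1001 action=read
"""

# Constructed: the list each user entity furnished of its employees authorized to access
# the personal information it provided to the service organization.
AUTHORIZED: Dict[str, Set[str]] = {
    "acme": {"jdoe", "mlee"},
    "bravo": {"tkim"},
}


@dataclass(frozen=True)
class AccessEvent:
    timestamp: str
    actor_entity: str   # user entity the acting employee belongs to
    actor_user: str     # employee name as recorded in the log
    record_entity: str  # user entity that owns the personal information accessed
    record_id: str
    action: str


def parse_log(text: str) -> List[AccessEvent]:
    """Parse the constructed key=value log format into AccessEvent records."""
    events: List[AccessEvent] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        fields = dict(kv.split("=", 1) for kv in parts[1:])
        actor_entity, actor_user = fields["actor"].split(":", 1)
        record_entity, record_id = fields["record"].split("/", 1)
        events.append(AccessEvent(parts[0], actor_entity, actor_user,
                                  record_entity, record_id, fields["action"]))
    return events


def find_exceptions(events: List[AccessEvent],
                    authorized: Dict[str, Set[str]]) -> List[AccessEvent]:
    """An access is compliant with the commitment only if the actor belongs to the user
    entity that owns the record AND is on that entity's furnished authorized list.
    Anything else (cross-entity access, unlisted employee, service account) is an
    exception for the service auditor to investigate."""
    return [
        e for e in events
        if e.actor_entity != e.record_entity
        or e.actor_user not in authorized.get(e.record_entity, set())
    ]


def sample_days(period_start: date, period_end: date, how_many: int, seed: int) -> List[date]:
    """Select a fixed number of days across the period whose daily logs will be tested.
    The sample size is the auditor's judgment (smaller when controls tested effective);
    the seed only makes the selection reproducible in the workpapers."""
    days = [period_start + timedelta(days=i)
            for i in range((period_end - period_start).days + 1)]
    return sorted(random.Random(seed).sample(days, how_many))


if __name__ == "__main__":
    for day in sample_days(date(2013, 1, 1), date(2013, 12, 31), how_many=12, seed=2013):
        print("selected daily log:", day)
    for ex in find_exceptions(parse_log(SAMPLE_DAILY_LOG), AUTHORIZED):
        print("EXCEPTION:", ex.timestamp, ex.actor_entity, ex.actor_user,
              "->", ex.record_entity, ex.record_id, ex.action)
```

On the constructed log the check flags three accesses: an acme employee reading a bravo record, an acme employee who is not on acme's furnished list, and a service account outside any user entity. Each is a candidate deviation whose nature and cause the auditor would then investigate; if the sampled logs show deviations, the number of daily logs tested would be increased, as the example paragraph states.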
Using the Work of the Internal Audit Function
3.78
Paragraphs 2.16–.22 of this guide discuss the service auditor’s responsibilities for the following:
• Obtaining an understanding of the responsibilities and activities of the service organization's internal audit function
• Determining whether work performed by the internal audit function is adequate for the service auditor's purposes
• Determining the planned effect of that work on the service auditor's procedures
3.79
In order for a service auditor to use specific work of the internal audit function, the service auditor should evaluate and perform procedures on that work to determine whether it is adequate for the service auditor's purposes by evaluating whether
a. the work was performed by persons having adequate technical training and proficiency;
b. the work was properly supervised, reviewed, and documented;
c. sufficient appropriate evidence was obtained to enable the internal audit function to draw reasonable conclusions;
d. conclusions reached are appropriate in the circumstances, and any reports prepared by the internal audit function are consistent with the results of the work performed; and
e. exceptions relevant to the engagement or unusual matters disclosed by the internal audit function are properly resolved.
3.80
The nature, timing, and extent of the service auditor's procedures performed on specific work of the internal audit function will depend on the service auditor's assessment of the significance of that work to the service auditor's conclusions (for example, the significance of the risks that the controls are intended to mitigate); the evaluation of the internal audit function; and the evaluation of the specific work of the internal audit function. Such procedures may include the following:
• Examination of items already examined by the internal audit function
• Examination of other similar items
• Observation of procedures performed by the internal audit function
3.81
When the internal audit function provides direct assistance to the service auditor, as described in paragraphs 2.16 and 4.10 of this guide, the service auditor should
• inform the internal auditors of their responsibilities; the objectives of the procedures they are to perform; and matters that may affect the nature, timing, and extent of the audit procedures.
• supervise, review, evaluate, and test the work performed by the internal auditors to the extent appropriate in the circumstances.
Evaluating the Results of Tests
3.82
The service auditor should evaluate the results of tests of controls and, if the report addresses the privacy principle, the results of tests of compliance with the service organization's commitments in its statement of privacy practices. In evaluating the results of tests, the service auditor investigates the nature and cause of any identified deviations and determines whether
• identified deviations are within the tolerable rate of deviation and are acceptable. If so, the testing that has been performed provides an appropriate basis for concluding that the control operated effectively throughout the specified period.
• additional testing of the same control or other controls designed to meet the same criterion is necessary to reach a conclusion about whether the controls related to the criterion operated effectively throughout the specified period.
• the testing that has been performed provides an appropriate basis for concluding that the control did not operate effectively throughout the specified period.
3.83
If the service auditor is unable to apply the planned testing procedures or appropriate alternative procedures to selected items, the service auditor considers the reasons for this limitation and ordinarily considers those selected items to be deviations from the prescribed policy or procedure for the purpose of evaluating the sample.
3.84
The service auditor evaluates deficiencies related to the control environment or other components of the service organization’s internal control and determines the effect on the service auditor’s opinion. For example, the service auditor considers how deficiencies in the control environment would alter the nature, timing, and extent of his or her procedures. In certain circumstances, identified deficiencies may be so pervasive that they may prevent controls from meeting one or more of the applicable trust services criteria, which may result in a qualified or an adverse opinion.
3.85
If the service auditor becomes aware of deviations that have resulted from intentional acts by service organization personnel, incidents of noncompliance with laws and regulations, or other adverse events not prevented or detected by a control that may affect one or more user entities, the service auditor should determine whether this information should be communicated to affected user entities and whether this communication has occurred. If the information has not been communicated, and management of the service organization is unwilling to do so, the service auditor should take appropriate action, which may include the following:
• Obtaining legal advice about the consequences of different courses of action
• Communicating with those charged with governance of the service organization
• Disclaiming an opinion, modifying the service auditor's opinion, or adding an emphasis paragraph
• Communicating with third parties (for example, a regulator) when required to do so
• Withdrawing from the engagement
3.86
If, as a result of performing the examination procedures, the service auditor becomes aware that any identified deviations have resulted from intentional acts by service organization personnel, the service auditor reassesses the risk that management's description of the service organization's system is not fairly presented; the controls are not suitably designed; the controls are not operating effectively; and, if the report addresses the privacy principle, the service organization has not complied with the commitments in its statement of privacy practices. Additionally, depending on the nature of any intentional acts that are identified and the level of responsibility of the service organization personnel involved in those acts (for example, senior management versus clerical personnel), the service auditor considers the effect of the intentional act on the engagement and whether it is appropriate for the service auditor to continue with, or withdraw from, the engagement.
3.87
If the service auditor becomes aware of incidents of noncompliance with laws and regulations or other adverse events that have not been prevented or detected by a control and that may affect one or more user entities, the service auditor should determine the effect of such incidents on management's description of the service organization's system; the suitability of the design and operating effectiveness of the controls; if the report addresses the privacy principle, the service organization's compliance with the commitments in its statement of privacy practices; and the service auditor's report.
3.88
Paragraph 4.33 of this guide presents an illustrative explanatory paragraph that would be added to the service auditor’s report when controls are not operating effectively.