Hard · 1 mark · Multiple Choice
Area II: Risk Assessment · Risk Assessment · Service Organizations · SOC Reports

CPA · Question 24 · Area II: Risk Assessment

Scenario: An auditor is engaged to audit the financial statements of a nonissuer. The entity uses a service organization for payroll processing. The auditor obtains a SOC 1 Type 2 report. The report states that 'Control X' at the service organization was not operating effectively during the period. Control X relates to the reconciliation of payroll tax withholdings.

What is the auditor's MOST appropriate response?

Answer options:

A. Immediately increase the assessed level of control risk to maximum for payroll.

B. Assess whether the user entity (client) has a complementary user entity control (CUEC) that mitigates the risk.

C. Withdraw from the engagement due to inability to obtain sufficient appropriate evidence.

D. Contact the service auditor to request they re-test the control.

How to approach this question

SOC reports have two parts: What the Service Org does, and what the Client (User) must do (CUECs). If the Service Org fails, check if the Client caught it.

Full Answer

B. Assess whether the user entity (client) has a complementary user entity control (CUEC) that mitigates the risk. ✓ Correct
When a service organization control fails, the auditor should determine if there are Complementary User Entity Controls (CUECs) at the client that would prevent or detect the error. For example, if the client reconciles the payroll reports returned by the service org, that reconciliation might mitigate the service org's failure.

Common mistakes

Ignoring CUECs and jumping straight to control failure.
