This non-authoritative EBPAQC tool is intended to assist CPAs auditing the financial statements of EBPs that use one or more service organizations (user auditors). It is designed to assist user auditors in documenting their procedures and findings related to controls at a service organization that are likely to be relevant to the plan’s internal control over financial reporting.
It focuses on the user auditor’s use of a “report on management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls” (a type 2 report).
This tool is not intended to be used as an audit program or to provide authoritative guidance and should be tailored to the user audit or firm’s EBP audit practice and the circumstances of the individual plan audit.
Certain sections of this tool may be completed by the user auditor firm’s reviewer (if applicable) to document the use of a type 2 SOC 1 report in an EBP audit while other sections may be prepared by the engagement team to document procedures performed to evaluate controls at a service organization.