5.5. CONTROL OBJECTIVES AS SPECIFIED BY SERVICE ORGANIZATION MANAGEMENT

Control objectives are specified by the service organization's management. However, service auditors play a significant role in consulting with management to ensure that the control objectives specified address the primary risks associated with the service organization's operations. Following each control objective is a detailed description of the policies and procedures purported to be in place to ensure that the control objective is attained. Management of the service organization also provides this information. For service auditor reports that include the auditor's opinion on the operating effectiveness of the policies and procedures placed in operation, the service auditor specifies the tests performed to gain reasonable, but not absolute, assurance as to their effectiveness. These tests typically include inquiries with management and staff of the service organization, sample tests of individual transactions, examinations of system access controls, assessment of segregation of duties, observation of service organization operations, and so on.

Exhibits 5.1 to 5.4 depict some types of control objectives that can be specified within service auditor reports in various industries. Although many unique risks exist within each industry, some of the control objectives are very similar, even though the service organizations serve different industries. This is because many of the risks associated with information ...
