For purposes of the ISAs, the following terms have the meanings attributed below:

1. Complementary user entity controls:

Controls that the service organization assumes, in the design of its service, will be implemented by user entities, and which, if necessary to achieve control objectives, are identified in the description of its system.

2. Report on the description and design of controls at a service organization (referred to in this ISA as a type 1 report) – A report that comprises:

  1. A description, prepared by management of the service organization, of the service organization’s system, control objectives and related controls that have been designed and implemented as at a specified date; and
  2. A report by the service auditor with the objective of conveying reasonable assurance that includes the service auditor’s opinion on the description of the service organization’s system, control objectives and related controls and the suitability of the design of the controls to achieve the specified control objectives.

3. Report on the description, design, and operating effectiveness of controls at a service organization (referred to in this ISA as a type 2 report) – A report that comprises:

  1. A description, prepared by management of the service organization, of the service organization’s system, control objectives and related controls, their design and implementation as at a specified date or throughout a specified period and, in some cases, their operating effectiveness throughout a specified period; and
  2. A report by the service auditor with the objective of conveying reasonable assurance that includes:
    1. The service auditor’s opinion on the description of the service organization’s system, control objectives and related controls, the suitability of the design of the controls to achieve the specified control objectives, and the operating effectiveness of the controls; and
    2. A description of the service auditor’s tests of the controls and the results thereof.

4. Service auditor:

An auditor who, at the request of the service organization, provides an assurance report on the controls of a service organization.

5. Service organization:

A third-party organization (or segment of a third-party organization) that provides services to user entities that are part of those entities’ information systems relevant to financial reporting.

6. Service organization’s system:

The policies and procedures designed, implemented and maintained by the service organization to provide user entities with the services covered by the service auditor’s report.

7. Sub-service organization:

A service organization used by another service organization to perform some of the services provided to user entities that are part of those user entities’ information systems relevant to financial reporting.

8. User auditor:

An auditor who audits and reports on the financial statements of a user entity.