Designed for the standards you're held to.
Auditshore is purpose-built around the standards that govern how auditors evaluate service organizations. Every reliance assessment in Auditshore maps to something the standards actually require — no interpretive leaps.
Why this matters
When a client uses a service organization, the auditor has to evaluate that organization, document what they relied on, and explain how they handled deviations. None of that is optional. The question for an audit firm isn't whether to document — it's how efficiently.
What AICPA AU-C 402 asks of the auditor
AICPA AU-C 402 governs how an auditor evaluates a service organization. Here's what it asks for and where Auditshore covers it.
Identify which controls apply to this client.
AI applicability evaluation per client, with use-case quotes, confidence scores, and reviewer confirmation.
Evaluate every deviation for client impact.
Per-client severity, client impact, recommended action, and management-response quality. Reviewer overrides are logged.
Evaluate whether the service auditor's testing was sufficient.
Per-objective testing reasonableness assessment (Reasonable / Marginal / Inadequate) with evidence quotes from the report.
Evaluate whether the report's scope and assertion cover what the client relies on.
Per-client scope coverage and assertion adequacy assessments (Adequate / Partial / Inadequate) with use-case alignment.
Track subservice organizations.
Inclusive vs. carve-out per subservice, with AI risk assessment.
Evaluate the service auditor's opinion.
Opinion type extracted (unqualified / qualified / adverse / disclaimer) with qualification basis quoted verbatim.
Cover the gap between report period and audit date.
Bridge-letter status gates the review conclusion. Freshness alerts on stale reports.
Test each user-side control.
Workpaper-reference field required on every applicable control before sign-off.
Consider the service auditor's competence and independence.
Service auditor firm summary surfaced for reviewer consideration.
Produce documentation to professional standards.
AICPA-aligned workpaper PDF covering risk assessment, controls, exceptions, subservice orgs, and review conclusion.
Record who did what, when.
Field-level audit log. Append-only by database design.
For PCAOB engagements
On a public-company integrated audit, two PCAOB standards apply.
Auditshore covers one and produces inputs for the other.
Covered
PCAOB AS 2601
Governs how the auditor evaluates a service organization on a public-company integrated audit. The same Auditshore artifacts that document AU-C 402 reliance work also serve AS 2601 procedures.
- Applicable user-entity controls documented with workpaper references
- Deviations evaluated against the client's use case, with reviewer override workflow
- Subservice organizations tracked with inclusive vs. carve-out treatment
- AICPA-aligned workpaper PDF covering risk assessment, controls, exceptions, subservice orgs, and review conclusion — with a full audit trail
Inputs produced
PCAOB AS 2201
Asks the auditor to decide whether identified deficiencies — including those at service organizations — rise to a material weakness in the client's internal controls. Auditshore produces the evidence the auditor brings to that decision. The conclusion stays with the auditor.
- Per-deviation severity scored against the client's specific use of the service
- Client impact assessment for every exception, tied to the client's use case and financial-reporting context
- Recommended next steps surfaced for the auditor's judgment
- Quality assessment of the service organization's response
Complements the audit file
Auditshore complements your workpaper file.
The auditor reaches the conclusion.
Auditshore is purpose-built for the SOC-reliance section of the audit file: CUEC applicability, deviation severity, scope and assertion adequacy, testing reasonableness, subservice assessment. Each one is presented as evidence and analysis for the auditor's judgment to confirm, override, or reject.
Your main workpaper binder — entity-level controls, materiality, financial-statement-level risk, audit conclusions — stays where it belongs: in the auditor's file, where peer review can examine the auditor's professional judgment. Auditshore feeds that judgment with structured, traced, defensible SOC inputs.
What the auditor delivers
A standards-aligned workpaper — procedures performed, opinion analysis, scope and assertion coverage, controls, deviations, subservice organizations, applicability decisions, and reviewer sign-offs at first and second review. Every assessment carries its rationale; every claim cites the source page. Drop it into your audit binder ready for partner sign-off.
The auditor's analysis — structured, traceable to the source, documented to professional standards.
See exactly how the workpaper file looks.
Schedule a 30-minute walkthrough — no slides, just the real product.