SA 402

AUDITCONSIDERATIONS RELATING TO AN
ENTITYUSING ASERVICEORGANISATION
(Effective for all audits relating to
accounting periods beginning on or after April 1, 2010)
Contents
Paragraph(s)
Introduction
Scope of this SA......................................................................................1-5
Effective Date ............................................................................................ 6
Objectives................................................................................................. 7
Definitions ................................................................................................ 8
Requirements
Obtaining an Understanding of the Services Provided by a
Service Organization, Including Internal Control............................. .....9-14
Responding to the Assessed Risks of Material Misstatement.............15-17
Type 1 and Type 2 Reports that Exclude the Services of a
Sub service Organization ...... .................................................................. 18
Fraud, Non-Compliance with Laws and Regulations and Uncorrected
Misstatements in Relation to Activities at the Service Organization ....... 19
Reporting by the User Auditor ............................................................20-22
Application and Other Explanatory Material
Obtaining an Understanding of the Services Provided by a
Service Organization, Including Internal Control ............................A1-A23
Responding to the Assessed Risks of Material Misstatement.......A24-A39
Type 1 and Type 2 Reports that Exclude the Services of a
Sub service Organization ...... ............................................................... A40

Published in August, 2009 issue of the Journal.

Hundbook of Audltlng Pronouncements-l.A
5A 402 2
Fraud, Non-Compliance with Laws and Regulations and Uncorrected
Misstatements in Relation to Activities at the Service Organization .... A41
Reporting by the User Auditor .......................................................A42-A44
Material Modifications to ISA 402, Audit Considerations Relating to an
Entity Using a Service Organisation
Standard on Auditing (SA) 402, Audit Considerations Relating to an
Entity Using a Service Organisation, should be read in the context of the
Preface to the Standards on Quality Control, Auditing, Review, Other
Assurance and Related Services
1
, which sets out the authority of SAs
and SA 200, Overall Objectives of the Independent Auditor and the
Conduct of an Audit in Accordance with Standards on Auditing
2
.
1
Published in July, 2007 issue of the Journal.
2
Published in March, 2010 issue of the Journal.
Audlt Conslderutlons ReIutlng to un Lntlt
5A 402 3
Introduction
Scope of this SA
1. This Standard on Auditing (SA) deals with the user auditors responsibility
to obtain sufficient appropriate audit evidence when a user entity uses the
services of one or more service organisations. Specifically, it expands on how
the user auditor applies SA 315
3
and SA 330
4
in obtaining an understanding of
the user entity, including internal control relevant to the audit, sufficient to identify
and assess the risks of material misstatement and in designing and performing
further audit procedures responsive to those risks.
2. Many entities outsource aspects of their business to organisations that
provide services ranging from performing a specific task under the direction of an
entity to replacing an entitys entire business units or functions, such as the tax
compliance function. Many of the services provided by such organisations are
integral to the entitys business operations; however, not all those services are
relevant to the audit.
3. Services provided by a service organisation are relevant to the audit of a
user entitys financial statements when those services, and the controls over
them, are part of the user entitys information system, including related business
processes, relevant to financial reporting. Although most controls at the service
organisation are likely to relate to financial reporting, there may be other controls
that may also be relevant to the audit, such as controls over the safeguarding of
assets. A service organisations services are part of a user entitys information
system, including related business processes, relevant to financial reporting if
these services affect any of the following:
(a) The classes of transactions in the user entitys operations that
are significant to the user entitys financial statements;
(b) The procedures, within both information technology (IT) and
manual systems, by which the user entitys transactions are initiated, recorded,
processed, corrected as necessary, transferred to the general ledger and
reported in thefinancial statements;
(c) The related accounting records, either in electronic or manual
form, supporting information and specific accounts in the user entitys financial
statements that are used to initiate, record, process and report the user entitys
transactions; this includes the correction of incorrect information and how
information is transferred to the general ledger;
3
SA315, Identifying andAssessing the Risks of Material Misstatement Through Understanding the
Entity and ItsEnvironment.
4
SA330, TheAuditors ResponsestoAssessed Risks.
Hundbook of Audltlng Pronouncements-l.A
5A 402 4
(d) How the user entitys information system captures events and
conditions, other than transactions, that are significant to the financial
statements;
(e) The financial reporting process used to prepare the user entitys
financial statements, including significant accounting estimates and disclosures;
and
(f) Controls surrounding journal entries, including non-standard
journal entries used to record non-recurring, unusual transactions or
adjustments.
4. The nature and extent of work to be performed by the user auditor
regarding the services provided by a service organisation depend on the nature
and significance of those services to the user entity and the relevance of those
services to the audit.
5. This SA does not apply to services provided by financial institutions that are
limited to processing, for an entitys account held at the financial institution,
transactions that are specifically authorised by the entity, such as the processing
of checking account transactions by a bank or the processing of securities
transactions by a broker. In addition, this SA does not apply to the audit of
transactions arising from proprietary financial interests in other entities, such as
partnerships, corporations and joint ventures, when proprietary interests are
accounted for and reported to interest holders.
Effective Date
6. This SA is effective for audits of financial statements for periods beginning
on or after April 1, 2010.
Objectives
7. The objectives of the user auditor, when the user entity uses the services of
a service organisation, are:
(a) To obtain an understanding of the nature and significance of the
services provided by the service organisation and their effect on the user
entitys internal control relevant to the audit, sufficient to identify and assess the
risks of material misstatement; and
(b) To design and perform audit procedures responsive to those
risks.
Definitions
8. For purposes of the SAs, the following terms have the meanings attributed
below:
Audlt Conslderutlons ReIutlng to un Lntlt
5A 402 5
(a) Complementary user entity controls Controls that the service
organisation assumes, in the design of its service, will be implemented by user
entities, and which, if necessary to achieve control objectives, are identified in
the description of its system.
(b) Report on the description and design of controls at a service
organisation (referred to in this SA as a Type 1 report) A report that
comprises:
(i) A description, prepared by management of the service
organisation, of the service organisations system, control objectives and
related controls that have been designed and implemented as at a specified
date; and
(ii) A report by the service auditor with the objective of
conveying reasonable assurance that includes the service auditors opinion on
the description of the service organisations system, control objectives and
related controls and the suitability of the design of the controls to achieve the
specified control objectives.
(c) Report on the description, design, and operating effectiveness
of controls at a service organisation (referred to in this SA as a Type 2 report)
A report that comprises:
(i) A description, prepared by management of the service
organisation, of the service organisations system, control objectives and
related controls, their design and implementation as at a specified date or
throughout a specified period and, in some cases, their operating
effectiveness throughout a specified period; and
(ii) A report by the service auditor with the objective of
conveying reasonable assurance that includes:
a. The service auditors opinion on the description of
the service organisations system, control objectives and related controls, the
suitability of the design of the controls to achieve the specified control
objectives, and the operating effectiveness of the controls; and
b. A description of the service auditors tests of the
controls and the results thereof.
(d) Service auditor An auditor who, at the request of the service
organisation, provides an assurance report on the controls of a service
organisation.
(e) Service organisation A third-party organisation (or segment of
a third-party organisation) that provides services to user entities that are part of
Hundbook of Audltlng Pronouncements-l.A
5A 402 6
those entities information systems relevant to financial reporting.
(f) Service organisations system The policies and procedures
designed, implemented and maintained by the service organisation to provide
user entities with the services covered by the service auditors report.
(g) Subservice organisation A service organisation used by
another service organisation to perform some of the services provided to user
entities that are part of those user entities information systems relevant to
financial reporting.
(h) User auditor An auditor who audits and reports on the
financial statements of a user entity.
(i) User entity An entity that uses a service organisation and
whose financial statements are being audited.
Requirements
Obtaining an Understanding of the Services Provided by a Service
Organisation, Including Internal Control
9. When obtaining an understanding of the user entity in accordance with SA
315,
5
the user auditor shall obtain an understanding of how a user entity uses the
services of a service organisation in the user entitys operations, including: (Ref:
Para. A1-A2)
(a) The nature of the services provided by the service organisation
and the significance of those services to the user entity, including the effect
thereof on the user entitys internal control; (Ref: Para. A3-A5)
(b) The nature and materiality of the transactions processed or
accounts or financial reporting processes affected by the service organisation;
(Ref: Para. A6)
(c) The degree of interaction between the activities of the service
organisation and those of the user entity; and (Ref: Para. A7)
(d) The nature of the relationship between the user entity and the
service organisation, including the relevant contractual terms for the activities
undertaken by the service organisation. (Ref: Para. A8-A11)
10. When obtaining an understanding of internal control relevant to the audit in
accordance with SA 315,
6
the user auditor shall evaluate the design and
5
SA315, paragraph11.
6
SA315, paragraph12.
Audlt Conslderutlons ReIutlng to un Lntlt
5A 402 7
implementation of relevant controls at the user entity that relate to the services
provided by the service organisation, including those that are applied to the
transactions processed by the service organisation. (Ref: Para. A12-A14)
11. The user auditor shall determine whether a sufficient understanding of the
nature and significance of the services provided by the service organisation and
their effect on the user entitys internal control relevant to the audit has been
obtained to provide a basis for the identification and assessment of risks of
material misstatement.
12. If the user auditor is unable to obtain a sufficient understanding from the
user entity, the user auditor shall obtain that understanding from one or more of
the following procedures: (Ref: Para. A15-A20)
(a) Obtaining a Type 1 or Type 2 report, if available;
(b) Contacting the service organisation, through the user entity, to
obtain specific information;
(c) Visiting the service organisation and performing procedures that
will provide the necessary information about the relevant controls at the service
organisation; or
(d) Using another auditor to perform procedures that will provide
the necessary information about the relevant controls at the service
organisation.
Using a Type 1 or Type 2 Report to Support the User Auditors
Understanding of the Service Organisation
13. In determining the sufficiency and appropriateness of the audit evidence
provided by a Type 1 or Type 2 report, the user auditor shall be satisfied as to:
(Ref: Para. A21)
(a) The service auditors professional competence (except where
the service auditor is a member of the Institute of Chartered Accountants of
India) and independence from the service organisation; and
(b) The adequacy of the standards under which the Type 1 or Type
2 report was issued.
14. If the user auditor plans to use a Type 1 or Type 2 report as audit evidence
to support the user auditors understanding about the design and implementation
of controls at the service organisation, the user auditor shall: (Ref: Para. A22-
A23)
(a) Evaluate whether the description and design of controls at the
service organisation is at a date or for a period that is appropriate for the user
Hundbook of Audltlng Pronouncements-l.A
5A 402 8
auditors purposes;
(b) Evaluate the sufficiency and appropriateness of the evidence
provided by the report for the understanding of the user entitys internal control
relevant to the audit; and
(c) Determine whether complementary user entity controls
identified by the service organisation are relevant to the user entity and, if so,
obtain an understanding of whether the user entity has designed and
implementedsuch controls.
Responding to the Assessed Risks of Material Misstatement
15. In responding to assessed risks in accordance with SA 330 , the user
auditor shall: (Ref: Para. A24-A28)
(a) Determine whether sufficient appropriate audit evidence
concerning the relevant financial statement assertions is available from records
held at the user entity; and, if not,
(b) Perform further audit procedures to obtain sufficient appropriate
audit evidence or use another auditor to perform those procedures at the
serviceorganisation on the user auditors behalf.
Tests of Controls
16. When the user auditors risk assessment includes an expectation that
controls at the service organisation are operating effectively, the user auditor
shall obtain audit evidence about the operating effectiveness of those controls
from one or more of the following procedures: (Ref: Para. A29-A30)
(a) Obtaining a Type 2 report, if available;
(b) Performing appropriate tests of controls at the service
organisation; or
(c) Using another auditor to perform tests of controls at the service
organisation on behalf of the user auditor.
Using a Type 2 Report as Audit Evidence that Controls at the Service
Organisation Are Operating Effectively
17. If, in accordance with paragraph 16(a), the user auditor plans to use a Type
2 report as audit evidence that controls at the service organisation are operating
effectively, the user auditor shall determine whether the service auditors report
provides sufficient appropriate audit evidence about the effectiveness of the
controls to support the user auditors risk assessment by: (Ref: Para. A31-A39)
(a) Evaluating whether the description, design and operating
effectiveness of controls at the service organisation is at a date or for a period
Audlt Conslderutlons ReIutlng to un Lntlt
5A 402 9
that is appropriate for the user auditors purposes;
(b) Determining whether complementary user entity controls
identified by the service organisation are relevant to the user entity and, if so,
obtaining an understanding of whether the user entity has designed and
implemented such controls and, if so, testing their operating effectiveness;
(c) Evaluating the adequacy of the time period covered by the tests
of controls and the time elapsed since the performance of the tests of controls;
and
(d) Evaluating whether the tests of controls performed by the
service auditor and the results thereof, as described in the service auditors
report, are relevant to the assertions in the user entitys financial statements
and provide sufficient appropriate audit evidence to support the user auditors
risk assessment.
Type 1 and Type 2 Reports that Exclude the Services of a Subservice
Organisation
18. If the user auditor plans to use a Type 1 or a Type 2 report that excludes
the services provided by a subservice organisation and those services are
relevant to the audit of the user entitys financial statements, the user auditor
shall apply the requirements of this SA with respect to the services provided by
the subservice organisation. (Ref: Para. A40)
Fraud, Non-Compliance with Laws and Regulations and Uncorrected
Misstatements in Relation to Activities at the Service Organisation
19. The user auditor shall inquire of management of the user entity whether
the service organisation has reported to the user entity, or whether the user
entity is otherwise aware of, any fraud, non-compliance with laws and
regulations or uncorrected misstatements affecting the financial statements
of the user entity. The user auditor shall evaluate how such matters affect the
nature, timing and extent of the user auditors further audit procedures,
including the effect on the user auditors conclusions and user auditors
report. (Ref: Para. A41)
Reporting by the User Auditor
20. The user auditor shall modify the opinion in the user auditors report in
accordance with SA 705
7
if the user auditor is unable to obtain sufficient
appropriate audit evidence regarding the services provided by the service
organisation relevant to the audit of the user entitys financial statements.
7
SA 705, Modificationstothe Opinion in the Independent Auditors Report, paragraph 6.
Hundbook of Audltlng Pronouncements-l.A
5A 402 10
(Ref: Para. A42)
21. The user auditor shall not refer to the work of a service auditor in the
user auditors report containing an unmodified opinion unless required by law
or regulation to do so. If such reference is required by law or regulation, the
user auditors report shall indicate that the reference does not diminish the
user auditors responsibility for the audit opinion. (Ref: Para. A43)
22. If reference to the work of a service auditor is relevant to an understanding
of a modification to the user auditors opinion, the user auditors report shall
indicate that such reference does not diminish the user auditors responsibility for
that opinion. (Ref: Para. A44)
***
Application and Other Explanatory Material
Obtaining an Understanding of the Services Provided by a Service
Organisation, Including Internal Control
Sources of Information(Ref: Para. 9)
A1. Information on the nature of the services provided by a service organisation
may be available from a wide variety of sources, such as:
User manuals.
System overviews.
Technical manuals.
The contract or service level agreement between the user entity and the service
organisation.
Reports by service organisations, internal auditors or regulatory authorities on
controls at the service organisation.
Reports by the service auditor, including management letters, if available.
A2. Knowledge obtained through the user auditors experience with the service
organisation, for example through experience with other audit engagements, may
also be helpful in obtaining an understanding of the nature of the services provided
by the service organisation. This may be particularly helpful if the services and
controls at the service organisation over those services are highly standardised.
Nature of the Services Provided by the Service Organisation (Ref: Para.
9(a))
A3. A user entity may use a service organisation such as one that processes
Audlt Conslderutlons ReIutlng to un Lntlt
5A 402 11
transactions and maintains related accountability, or records transactions and
processes related data. Service organisations that provide such services include,
for example, bank trust departments that invest and service assets for employee
benefit plans or for others; mortgage bankers that service mortgages for others;
and application service providers that provide packaged software applications
and a technology environment that enables customers to process financial and
operational transactions.
A4. Examples of service organisation services that are relevant to the audit
include:
Maintenance of the user entitys accounting records.
Management of assets.
Initiating, recording or processing transactions as agent of the user entity.
Considerations Specific to Smaller Entities
A5. Smaller entities may use external bookkeeping services ranging from
the processing of certain transactions (e.g., payment of payroll taxes) and
maintenance of their accounting records to the preparation of their financial
statements. The use of such a service organisation for the preparation of its
financial statements does not relieve management of the smaller entity and,
where appropriate, those charged with governance of their responsibilities for
the financial statements.
8
Nature and Materiality of Transactions Processed by the Service
Organisation(Ref: Para. 9(b))
A6. A service organisation may establish policies and procedures that affect
the user entitys internal control. These policies and procedures are at least
in part physically and operationally separate from the user entity. The
significance of the controls of the service organisation to those of the user
entity depends on the nature of the services provided by the service
organisation, including the nature and materiality of the transactions it
processes for the user entity. In certain situations, the transactions
processed and the accounts affected by the service organisation may not
appear to be material to the user entitys financial statements, but the nature
of the transactions processed may be significant and the user auditor may
determine that an understanding of those controls is necessary in the
circumstances.
The Degree of Interaction between the Activities of the Service
8
SA 200, paragraph 4 and A2-A3.
Hundbook of Audltlng Pronouncements-l.A
5A 402 12
Organisation and the User Entity(Ref: Para. 9(c))
A7. The significance of the controls of the service organisation to those of
the user entity also depends on the degree of interaction between its
activities and those of the user entity. The degree of interaction refers to the
extent to which a user entity is able to and elects to implement effective
controls over the processing performed by the service organisation. For
example, a high degree of interaction exists between the activities of the user
entity and those at the service organisation when the user entity authorises
transactions and the service organisation processes and does the accounting
for those transactions. In these circumstances, it may be practicable for the
user entity to implement effective controls over those transactions. On the
other hand, when the service organisation initiates or initially records,
processes, and does the accounting for the user entitys transactions, there
is a lower degree of interaction between the two organisations. In these
circumstances, the user entity may be unable to, or may elect not to,
implement effective controls over these transactions at the user entity and
may rely on controls at the service organisation.
Nature of the Relationship between the User Entity and the Service
Organisation(Ref: Para. 9(d))
A8. The contract or service level agreement between the user entity and the
service organisation may provide for matters such as:
The information to be provided to the user entity and responsibilities for
initiating transactions relating to the activities undertaken by the service
organisation;
The application of requirements of regulatory bodies concerning the form of
records to be maintained, or access to them;
The indemnification, if any, to be provided to the user entity in the event of
a performance failure;
Whether the service organisation will provide a report on its controls and, if
so, whether such report would be a Type 1 or Type 2 report;
Whether the user auditor has rights of access to the accounting records of
the user entity maintained by the service organisation and other information
necessary for the conduct of the audit; and
Whether the agreement allows for direct communication between the user
auditor and the service auditor.
A9. There is a direct relationship between the service organisation and the
Audlt Conslderutlons ReIutlng to un Lntlt
5A 402 13
user entity and between the service organisation and the service auditor.
These relationships do not necessarily create a direct relationship between
the user auditor and the service auditor. When there is no direct relationship
between the user auditor and the service auditor, communications between
the user auditor and the service auditor are usually conducted through the
user entity and the service organisation. A direct relationship may also be
created between a user auditor and a service auditor, taking into account the
relevant ethical and confidentiality considerations. A user auditor, for
example, may use a service auditor to perform procedures on the user
auditors behalf, such as:
(a) Tests of controls at the service organisation; or
(b) Substantive procedures on the user entitys financial statement transactions
and balances maintained by a service organisation.
A10. Auditors generally have broad rights of access established by legislation.
However, there may be situations where such rights of access are not available,
for example when the service organisation is located in a different jurisdiction. In
such situations, the auditor may need to obtain an understanding of the
legislation applicable in the different jurisdiction to determine whether appropriate
access rights can be obtained. In such cases, the auditor may also obtain or ask
the user entity to incorporate rights of access in any contractual arrangements
between the user entity and the service organisation.
A11. In the above context, the auditors may also use another auditor to perform
tests of controls or substantive procedures in relation to compliance with law,
regulation or other authority.
Understanding the Controls relating to Services provided by the Service
Organisation(Ref: Para. 10)
A12. The user entity may establish controls over the service organisations
services that may be tested by the user auditor and that may enable the user
auditor to conclude that the user entitys controls are operating effectively for
some or all of the related assertions, regardless of the controls in place at the
service organisation. If a user entity, for example, uses a service organisation to
process its payroll transactions, the user entity may establish controls over the
submission and receipt of payroll information that could prevent or detect
material misstatements. These controls may include:
Comparing the data submitted to the service organisation with reports of
information received from the service organisation after the data has been
processed.
Hundbook of Audltlng Pronouncements-l.A
5A 402 14
Recomputing a sample of the payroll amounts for clerical accuracy and
reviewing the total amount of the payroll for reasonableness.
A13. In this situation, the user auditor may perform tests of the user entitys
controls over payroll processing that would provide a basis for the user auditor to
conclude that the user entitys controls are operating effectively for the assertions
related to payroll transactions.
A14. As noted in SA 315,
9
in respect of some risks, the user auditor may
judge that it is not possible or practicable to obtain sufficient appropriate
audit evidence only from substantive procedures. Such risks may relate to
the inaccurate or incomplete recording of routine and significant classes of
transactions and account balances, the characteristics of which often permit
highly automated processing with little or no manual intervention. Such
automated processing characteristics may be particularly present when the
user entity uses service organisations. In such cases, the user entitys
controls over such risks are relevant to the audit and the user auditor is
required to obtain an understanding of, and to evaluate, such controls in
accordance with paragraphs 9 and 10 of this SA.
Further Procedures When a Sufficient Understanding Cannot Be
Obtained from the User Entity(Ref: Para. 12)
A15. The user auditors decision as to which procedure, individually or in
combination, in paragraph 12 to undertake, in order to obtain the information
necessary to provide a basis for the identification and assessment of the
risks of material misstatement in relation to the user entitys use of the
service organisation, may be influenced by such matters as:
The size of both the user entity and the service organisation;
The complexity of the transactions at the user entity and the complexity of
the services provided by the service organisation;
The location of the service organisation (for example, the user auditor may
decide to use another auditor to perform procedures at the service
organisation on the user auditors behalf if the service organisation is in a
remote location);
Whether the procedure(s) is expected to effectively provide the user auditor
with sufficient appropriate audit evidence; and
The nature of the relationship between the user entity and the service
organisation.
9
SA315, paragraph30.
Audlt Conslderutlons ReIutlng to un Lntlt
5A 402 15
A16. A service organisation may engage a service auditor to report on the
description and design of its controls (Type 1 report) or on the description
and design of its controls and their operating effectiveness (Type 2 report).
Type 1 or Type 2 reports may be issued under Standard on Assurance
Engagements (SAE) 3402
10
or under standards established by an authorised
or recognised standards setting organisation (which may identify them by
different names, such as Type A or Type B reports).
A17. The availability of a Type 1 or Type 2 report will generally depend on
whether the contract between a service organisation and a user entity includes
the provision of such a report by the service organisation. A service organisation
may also elect, for practical reasons, to make a Type 1 or Type 2 report available
to the user entities. However, in some cases, a Type 1 or Type 2 report may not
be available to user entities.
A18. In some circumstances, a user entity may outsource one or more significant
business units or functions, such as its entire tax planning and compliance
functions, or finance and accounting or the controllership function to one or more
service organisations. As a report on controls at the service organisation may not
be available in these circumstances, visiting the service organisation may be the
most effective procedure for the user auditor to gain an understanding of controls
at the service organisation, as there is likely to be direct interaction of
management of the user entity with management at the service organisation.
A19. Another auditor may be used to perform procedures that will provide the
necessary information about the relevant controls at the service organisation. If a
Type 1 or Type 2 report has been issued, the user auditor may use the service
auditor to perform these procedures as the service auditor has an existing
relationship with the service organisation. The user auditor using the work of
another auditor may find the guidance in SA 600
11
useful as it relates to
understanding another auditor (including that auditors independence and
professional competence
12
), involvement in the work of another auditor in
planning the nature, extent and timing of such work, and in evaluating the
sufficiency and appropriateness of the audit evidence obtained.
A20. A user entity may use a service organisation that in turn uses a sub-
service organisation to provide some of the services provided to a user entity
that are part of the user entitys information system relevant to financial
reporting. The sub-service organisation may be a separate entity from the
service organisation or may be related to the service organisation. A user
10
SAE 3402, AssuranceReports onControls at aServiceOrganisation.
11
SA 600, Using the Work of Another Auditor.
12
Except where such other auditor is a member of the Institute of Chartered Accountants of India.
Hundbook of Audltlng Pronouncements-l.A
5A 402 16
auditor may need to consider controls at the sub-service organisation. In
situations where one or more sub-service organisations are used, the
interaction between the activities of the user entity and those of the service
organisation is expanded to include the interaction between the user entity,
the service organisation and the sub-service organisations. The degree of
this interaction, as well as the nature and materiality of the transactions
processed by the service organisation and the sub-service organisations are
the most important factors for the user auditor to consider in determining the
significance of the service organisations and sub-service organisations
controls to the user entitys controls.
Using a Type 1 or Type 2 Report to Support the User Auditors
Understanding of the Service Organisation(Ref: Para. 13-14)
A21. The user auditor may make inquiries about the service auditor to the
service auditors professional organisation or other practitioners and inquire
whether the service auditor is subject to regulatory oversight. The service
auditor may be practicing in a jurisdiction where different standards are
followed in respect of reports on controls at a service organisation, and the
user auditor may obtain information about the standards used by the service
auditor from the standard setting organisation.
A22. A Type 1 or Type 2 report, along with information about the user entity,
may assist the user auditor in obtaining an understanding of:
(a) The aspects of controls at the service organisation that may
affect the processing of the user entitys transactions, including the use of
subservice organisations;
(b) The flow of significant transactions through the service
organisation to determine the points in the transaction flow where material
misstatements in the user entitys financial statements could occur;
(c) The control objectives at the service organisation that are
relevant to the user entitys financial statement assertions; and
(d) Whether controls at the service organisation are suitably
designed and implemented to prevent or detect processing errors that could
result in material misstatements in the user entitys financial statements.
A Type 1 or Type 2 report may assist the user auditor in obtaining a sufficient
understanding to identify and assess the risks of material misstatement. A type
1 report, however, does not provide any evidence of the operating
effectiveness of the relevant controls.
A23. A Type 1 or Type 2 report that is as of a date or for a period that is
Audlt Conslderutlons ReIutlng to un Lntlt
5A 402 17
outside of the reporting period of a user entity may assist the user auditor in
obtaining a preliminary understanding of the controls implemented at the
service organisation if the report is supplemented by additional current
information from other sources. If the service organisations description of
controls is as of a date or for a period that precedes the beginning of the
period under audit, the user auditor may perform procedures to update the
information in a Type 1 or Type 2 report, such as:
Discussing the changes at the service organisation with user entity personnel
who would be in a position to know of such changes;
Reviewing current documentation and correspondence issued by the service
organisation; or
Discussing the changes with service organisation personnel.
Responding tothe Assessed Risks of Material Misstatement(Ref: Para. 15)
A24. Whether the use of a service organisation increases a user entitys risk of
material misstatement depends on the nature of the services provided and the
controls over these services; in some cases, the use of a service organisation
may decrease a user entitys risk of material misstatement, particularly if the user
entity itself does not possess the expertise necessary to undertake particular
activities, such as initiating, processing, and recording transactions, or does not
have adequate resources (e.g., an IT system).
A25. When the service organisation maintains material elements of the
accounting records of the user entity, direct access to those records may be
necessary in order for the user auditor to obtain sufficient appropriate audit
evidence relating to the operations of controls over those records or to
substantiate transactions and balances recorded in them, or both. Such access
may involve either physical inspection of records at the service organisations
premises or interrogation of records maintained electronically from the user entity
or another location, or both. Where direct access is achieved electronically, the
user auditor may thereby obtain evidence as to the adequacy of controls
operated by the service organisation over the completeness and integrity of the
user entitys data for which the service organisation is responsible.
A26. In determining the nature and extent of audit evidence to be obtained in
relation to balances representing assets held or transactions undertaken by a
service organisation on behalf of the user entity, the following procedures may
be considered by the user auditor:
(a) Inspecting records and documents held by the user entity: the
reliability of this source of evidence is determined by the nature and extent of
Hundbook of Audltlng Pronouncements-l.A
5A 402 18
the accounting records and supporting documentation retained by the user
entity. In some cases, the user entity may not maintain independent detailed
records or documentation of specific transactions undertaken on its behalf.
Audlt Conslderutlons ReIutlng to un Lntlt
5A 402 19
(b) Inspecting records and documents held by the service
organisation: the user auditors access to the records of the service
organisation may be established as part of the contractual arrangements
between the user entity and the service organisation. The user auditor may also
use another auditor, on its behalf, to gain access to the user entitys records
maintained by the service organisation.
(c) Obtaining confirmations of balances and transactions from the
service organisation: where the user entity maintains independent records of
balances and transactions, confirmation from the service organisation
corroborating the user entitys records may constitute reliable audit evidence
concerning the existence of the transactions and assets concerned. For
example, when multiple service organisations are used, such as an investment
manager and a custodian, and these service organisations maintain
independent records, the user auditor may confirm balances with these
organisations in order to compare this information with the independent records
of the user entity.
If the user entity does not maintain independent records, information
obtained in confirmations from the service organisation is merely a
statement of what is reflected in the records maintained by the service
organisation. Therefore, such confirmations do not, taken alone, constitute
reliable audit evidence. In these circumstances, the user auditor may
consider whether an alternative source of independent evidence can be
identified.
(d) Performing analytical procedures on the records maintained by
the user entity or on the reports received from the service organisation: the
effectiveness of analytical procedures is likely to vary by assertion and will be
affected by the extent and detail of information available.
A27. Another auditor may perform procedures that are substantive in nature for
the benefit of user auditors. Such an engagement may involve the performance,
by another auditor, of procedures agreed upon by the user entity and its user
auditor and by the service organisation and its service auditor. The findings
resulting from the procedures performed by another auditor are reviewed by the
user auditor to determine whether they constitute sufficient appropriate audit
evidence. In addition, there may be requirements imposed by governmental
authorities or through contractual arrangements whereby a service auditor
performs designated procedures that are substantive in nature. The results of the
application of the required procedures to balances and transactions processed
by the service organisation may be used by user auditors as part of the evidence
necessary to support their audit opinions. In these circumstances, it may be
Hundbook of Audltlng Pronouncements-l.A
5A 402 20
useful for the user auditor and the service auditor to agree, prior to the
performance of the procedures, to the audit documentation or access to audit
documentation that will be provided to the user auditor.
A28. In certain circumstances, in particular when a user entity outsources some
or all of its finance function to a service organisation, the user auditor may face a
situation where a significant portion of the audit evidence resides at the service
organisation. Substantive procedures may need to be performed at the service
organisation by the user auditor or another auditor on its behalf. A service auditor
may provide a Type 2 report and, in addition, may perform substantive
procedures on behalf of the user auditor. The involvement of another auditor
does not alter the user auditors responsibility to obtain sufficient appropriate
audit evidence to afford a reasonable basis to support the user auditors opinion.
Accordingly, the user auditors consideration of whether sufficient appropriate
audit evidence has been obtained and whether the user auditor needs to perform
further substantive procedures includes the user auditors involvement with, or
evidence of, the direction, supervision and performance of the substantive
procedures performed by another auditor.
Tests of Controls (Ref: Para. 16)
A29. The user auditor is required by SA 330
13
to design and perform tests of
controls to obtain sufficient appropriate audit evidence as to the operating
effectiveness of relevant controls in certain circumstances. In the context of a
service organisation, this requirement applies when:
(a) The user auditors assessment of risks of material misstatement
includes an expectation that the controls at the service organisation are
operating effectively (i.e., the user auditor intends to rely on the operating
effectiveness of controls at the service organisation in determining the nature,
timing and extent of substantive procedures); or
(b) Substantive procedures alone, or in combination with tests of
the operating effectiveness of controls at the user entity, cannot provide
sufficient appropriate audit evidence at the assertion level.
A30. If a Type 2 report is not available, a user auditor may contact the service
organisation, through the user entity, to request that a service auditor be
engaged to provide a Type 2 report that includes tests of the operating
effectiveness of the relevant controls or the user auditor may use another auditor
to perform procedures at the service organisation that test the operating
effectiveness of those controls. A user auditor may also visit the service
13
SA330, paragraph8.
Audlt Conslderutlons ReIutlng to un Lntlt
5A 402 21
organisation and perform tests of relevant controls if the service organisation
agrees to it. The user auditors risk assessments are based on the combined
evidence provided by the work of another auditor and the user auditors own
procedures.
Using a Type 2 Report as Audit Evidence that Controls at the Service
Organisation Are Operating Effectively(Ref: Para. 17)
A31. A Type 2 report may be intended to satisfy the needs of several different
user auditors; therefore tests of controls and results described in the service
auditors report may not be relevant to assertions that are significant in the user
entitys financial statements. The relevant tests of controls and results are
evaluated to determine that the service auditors report provides sufficient
appropriate audit evidence about the effectiveness of the controls to support the
user auditors risk assessment. In doing so, the user auditor may consider the
following factors:
(a) The time period covered by the tests of controls and the time
elapsed since the performance of the tests of controls;
(b) The scope of the service auditors work and the services and
processes covered, the controls tested and tests that were performed, and the
way in which tested controls relate to the user entitys controls; and
(c) The results of those tests of controls and the service auditors
opinion on the operating effectiveness of the controls.
A32. For certain assertions, the shorter the period covered by a specific test and
the longer the time elapsed since the performance of the test, the less audit
evidence the test may provide. In comparing the period covered by the Type 2
report to the user entitys financial reporting period, the user auditor may
conclude that the Type 2 report offers less audit evidence if there is little overlap
between the period covered by the Type 2 report and the period for which the
user auditor intends to rely on the report. When this is the case, a Type 2 report
covering a preceding or subsequent period may provide additional audit
evidence. In other cases, the user auditor may determine it is necessary to
perform, or use another auditor to perform, tests of controls at the service
organisation in order to obtain sufficient appropriate audit evidence about the
operating effectiveness of those controls.
A33. It may also be necessary for the user auditor to obtain additional evidence
about significant changes to the relevant controls at the service organisation
outside of the period covered by the Type 2 report or determine additional audit
procedures to be performed. Relevant factors in determining what additional
audit evidence to obtain about controls at the service organisation that were
Hundbook of Audltlng Pronouncements-l.A
5A 402 22
operating outside of the period covered by the service auditors report may
include:
The significance of the assessed risks of material misstatement at the assertion
level;
The specific controls that were tested during the interim period, and significant
changes to them since they were tested, including changes in the information
system, processes, and personnel;
The degree to which audit evidence about the operating effectiveness of those
controls was obtained;
The length of the remaining period;
The extent to which the user auditor intends to reduce further substantive
procedures based on thereliance on controls; and
The effectiveness of the control environment and monitoring of controls at the
user entity.
A34. Additional audit evidence may be obtained, for example, by extending tests
of controls over the remaining period or testing the user entitys monitoring of
controls.
A35. If the service auditors testing period is completely outside the user
entitys financial reporting period, the user auditor will be unable to rely on
such tests for the user auditor to conclude that the user entitys controls are
operating effectively because they do not provide current audit period
evidence of the effectiveness of the controls, unless other procedures are
performed.
A36. In certain circumstances, a service provided by the service organisation
may be designed with the assumption that certain controls will be
implemented by the user entity. For example, the service may be designed
with the assumption that the user entity will have controls in place for
authorising transactions before they are sent to the service organisation for
processing. In such a situation, the service organisations description of
controls may include a description of those complementary user entity
controls. The user auditor considers whether those complementary user
entity controls are relevant to the service provided to the user entity.
A37. If the user auditor believes that the service auditors report may not
provide sufficient appropriate audit evidence, for example, if a service
auditors report does not contain a description of the service auditors tests of
controls and results thereon, the user auditor may supplement the
Audlt Conslderutlons ReIutlng to un Lntlt
5A 402 23
understanding of the service auditors procedures and conclusions by
contacting the service organisation, through the user entity, to request a
discussion with the service auditor about the scope and results of the service
auditors work. Also, if the user auditor believes it is necessary, the user
auditor may contact the service organisation, through the user entity, to
request that the service auditor perform procedures at the service
organisation. Alternatively, the user auditor, or another auditor at the request
of the user auditor, may perform such procedures.
A38. The service auditors Type 2 report identifies results of tests,
including exceptions and other information that could affect the user auditors
conclusions. Exceptions noted by the service auditor or a modified opinion in
the service auditors Type 2 report do not automatically mean that the service
auditors Type 2 report will not be useful for the audit of the user entitys
financial statements in assessing the risks of material misstatement. Rather,
the exceptions and the matter giving rise to a modified opinion in the service
auditors Type 2 report are considered in the user auditors assessment of
the testing of controls performed by the service auditor. In considering the
exceptions and matters giving rise to a modified opinion, the user auditor
may discuss such matters with the service auditor. Such communication is
dependent upon the user entity contacting the service organisation, and
obtaining the service organisations approval for the communication to take
place.
Communication of Deficiencies in Internal Control identified during the Audit
A39. The user auditor is required to communicate in writing significant
deficiencies identified during the audit to both management and those
charged with governance on a timely basis.
14
The user auditor is also
required to communicate to management at an appropriate level of
responsibility on a timely basis other deficiencies in internal control identified
during the audit that, in the user auditors professional judgment, are of
sufficient importance to merit managements attention.
15
Matters that the user
auditor may identify during the audit and may communicate to management
and those charged with governance of the user entity include:
Any monitoring of controls that could be implemented by the user entity,
including those identified as a result of obtaining a Type 1 or Type 2 report;
Instances where complementary user entity controls are noted in the Type 1 or
14
SA 265, Communicating Deficiencies in Internal Control to Those Charged with Governance and
Management, paragraph 9 and 10.
15
SA 265, paragraph 9.
Hundbook of Audltlng Pronouncements-l.A
5A 402 24
Type 2 report and are not implemented at the user entity; and
Controls that may be needed at the service organisation that do not appear to
have been implemented or that are not specifically covered by a Type 2 report.
Type 1 and Type 2 Reports that Exclude the Services of a Subservice
Organisation(Ref: Para. 18)
A40. If a service organisation uses a subservice organisation, the service
auditors report may either include or exclude the subservice organisations
relevant control objectives and related controls in the service organisations
description of its system and in the scope of the service auditors
engagement. These two methods of reporting are known as the inclusive
method and the carve-out method, respectively. If the Type 1 or Type 2
report excludes the controls at a subservice organisation, and the services
provided by the subservice organisation are relevant to the audit of the
user entitys financial statements, the user auditor is required to apply the
requirements of this SA in respect of the subservice organisation. The
nature and extent of work to be performed by the user auditor regarding the
services provided by a subservice organisation depend on the nature and
significance of those services to the user entity and the relevance of those
services to the audit. The application of the requirement in paragraph 9
assists the user auditor in determining the effect of the subservice
organisation and the nature and extent of work to be performed.
Fraud, Non-Compliance with Laws and Regulations and Uncorrected
Misstatements in Relation to Activities at the Service Organisation
(Ref: Para. 19)
A41. A service organisation may be required under the terms of the
contract with user entities to disclose to affected user entities any fraud,
non-compliance with laws and regulations or uncorrected misstatements
attributable to the service organisations management or employees. As
required by paragraph 19, the user auditor makes inquiries of the user
entity management regarding whether the service organisation has
reported any such matters and evaluates whether any matters reported by
the service organisation affect the nature, timing and extent of the user
auditors further audit procedures. In certain circumstances, the user
auditor may require additional information to perform this evaluation, and
may request the user entity to contact the service organisation to obtain the
necessary information.
Reporting by the User Auditor(Ref: Para. 20)
A42. When a user auditor is unable to obtain sufficient appropriate audit
Audlt Conslderutlons ReIutlng to un Lntlt
5A 402 25
evidence regarding the services provided by the service organisation relevant to
the audit of the user entitys financial statements, a limitation on the scope of the
audit exists. Thismay be the case when:
The user auditor is unable to obtain a sufficient understanding of the services
provided by the service organisation and does not have a basis for the
identification and assessment of the risks of material misstatement;
A user auditors risk assessment includes an expectation that controls at the
service organisation are operating effectively and the user auditor is unable to
obtain sufficient appropriate audit evidence about the operating effectiveness of
these controls; or
Sufficient appropriate audit evidence is only available from records held at the
service organisation, and the user auditor is unable to obtain direct access to
these records.
Whether the user auditor expresses a qualified opinion or disclaims an opinion
depends onthe user auditors conclusion as to whether the possible effects on the
financial statements are material or pervasive.
Reference to the Work of a Service Auditor (Ref: Para. 21-22)
A43. In some cases, law or regulation may require a reference to the work of a
service auditor in the user auditors report, for example, for the purposes of
transparency in the public sector. In such circumstances, the user auditor may
need the consent of the service auditor before making such a reference.
A44. The fact that a user entity uses a service organisation does not alter the
user auditors responsibility under SAs to obtain sufficient appropriate audit
evidence to afford a reasonable basis to support the user auditors opinion.
Therefore, the user auditor does not make reference to the service auditors
report as a basis, in part, for the user auditors opinion on the user entitys
financial statements. However, when the user auditor expresses a modified
opinion because of a modified opinion in a service auditors report, the user
auditor is not precluded from referring to the service auditors report if such
reference assists in explaining the reason for the user auditors modified opinion.
In such circumstances, the user auditor may need the consent of the service
auditor before making such a reference.
Material Modifications to ISA 402, Audit Considerations
Relating to an Entity Using a Service Organisation
1. Paragraphs A10 and A11 of ISA 402 deal with the application of the
requirements of ISA 402 to public sector auditors who have broad rights of
access established by legislation. Since as mentioned in the Preface to the
Hundbook of Audltlng Pronouncements-l.A
5A 402 26
Standards on Quality Control, Auditing, Review, Other Assurance and
Related Services, the Standards issued by the Auditing and Assurance
Standards Board, apply equally to all entities, irrespective of their form,
nature and size, a specific reference to applicability of the Standard to public
sector entities has been deleted.
However, since the situation envisaged in paragraphs A10 and A11 may be
possible even in case of auditors of non-public sector entities, the spirit of
paragraphs A10 and A11 has been retained and made generic.
2. Paragraph 13 (a) and paragraph A19 of ISA 402 deal with assessment of
the service auditors professional competence and independence from the
service organisation for obtaining sufficient and appropriate audit evidence
and for reporting purposes. The corresponding paragraphs of SA 402 also
require such assessment of professional competence except where the
service auditor is also a member of the Institute of Chartered Accountants of
India.