Pipara & Co LLP

Audit Considerations Relating to an Entity Using a Service Organisation

Introduction

Scope of this SA
  1. This Standard on Auditing (SA) deals with the user auditor’s responsibility to obtain sufficient appropriate audit evidence when a user entity uses the services of one or more service organisations. Specifically, it expands on how the user auditor applies SA 315¹ and SA 330² in obtaining an understanding of the user entity, including internal control relevant to the audit, sufficient to identify and assess the risks of material misstatement and in designing and performing further audit procedures responsive to those risks.
  2. Many entities outsource aspects of their business to organisations that provide services ranging from performing a specific task under the direction of an entity to replacing an entity’s entire business units or functions, such as the tax compliance function. Many of the services provided by such organisations are integral to the entity’s business operations; however, not all those services are relevant to the audit.
  3. Services provided by a service organisation are relevant to the audit of a user entity’s financial statements when those services, and the controls over them, are part of the user entity’s information system, including related business processes, relevant to financial reporting. Although most controls at the service organisation are likely to relate to financial reporting, there may be other controls that may also be relevant to the audit, such as controls over the safeguarding of assets. A service organisation’s services are part of a user entity’s information system, including related business processes, relevant to financial reporting if these services affect any of the following:
    1. The classes of transactions in the user entity’s operations that are significant to the user entity’s financial statements;
    2. The procedures, within both information technology (IT) and manual systems, by which the user entity’s transactions are initiated, recorded, processed, corrected as necessary, transferred to the general ledger and reported in the financial statements;
    3. The related accounting records, either in electronic or manual form, supporting information and specific accounts in the user entity’s financial statements that are used to initiate, record, process and report the user entity’s transactions; this includes the correction of incorrect information and how information is transferred to the general ledger;
    4. How the user entity’s information system captures events and conditions, other than transactions, that are significant to the financial statements;
    5. The financial reporting process used to prepare the user entity’s financial statements, including significant accounting estimates and disclosures; and
    6. Controls surrounding journal entries, including non-standard journal entries used to record non-recurring, unusual transactions or adjustments.
  4. The nature and extent of work to be performed by the user auditor regarding the services provided by a service organisation depend on the nature and significance of those services to the user entity and the relevance of those services to the audit.
  5. This SA does not apply to services provided by financial institutions that are limited to processing, for an entity’s account held at the financial institution, transactions that are specifically authorised by the entity, such as the processing of checking account transactions by a bank or the processing of securities transactions by a broker. In addition, this SA does not apply to the audit of transactions arising from proprietary financial interests in other entities, such as partnerships, corporations and joint ventures, when proprietary interests are accounted for and reported to interest holders.

¹ SA 315, “Identifying and Assessing the Risks of Material Misstatement Through Understanding the Entity and Its Environment”.

² SA 330, “The Auditor’s Responses to Assessed Risks”.

Definitions
  1. For purposes of the SAs, the following terms have the meanings attributed below:
    1. Complementary user entity controls – Controls that the service organisation assumes, in the design of its service, will be implemented by user entities, and which, if necessary to achieve control objectives, are identified in the description of its system.
    2. Report on the description and design of controls at a service organisation (referred to in this SA as a Type 1 report) – A report that comprises:
      1. A description, prepared by management of the service organisation, of the service organisation’s system, control objectives and related controls that have been designed and implemented as at a specified date; and
      2. A report by the service auditor with the objective of conveying reasonable assurance that includes the service auditor’s opinion on the description of the service organisation’s system, control objectives and related controls and the suitability of the design of the controls to achieve the specified control objectives.
    3. Report on the description, design, and operating effectiveness of controls at a service organisation (referred to in this SA as a Type 2 report) – A report that comprises:
      1. A description, prepared by management of the service organisation, of the service organisation’s system, control objectives and related controls, their design and implementation as at a specified date or throughout a specified period and, in some cases, their operating effectiveness throughout a specified period; and
      2. A report by the service auditor with the objective of conveying reasonable assurance that includes:
        1. The service auditor’s opinion on the description of the service organisation’s system, control objectives and related controls, the suitability of the design of the controls to achieve the specified control objectives, and the operating effectiveness of the controls; and
        2. A description of the service auditor’s tests of the controls and the results thereof.
    4. Service auditor – An auditor who, at the request of the service organisation, provides an assurance report on the controls of a service organisation.
    5. Service organisation – A third-party organisation (or segment of a third-party organisation) that provides services to user entities that are part of those entities’ information systems relevant to financial reporting.
    6. Service organisation’s system – The policies and procedures designed, implemented and maintained by the service organisation to provide user entities with the services covered by the service auditor’s report.
    7. Subservice organisation – A service organisation used by another service organisation to perform some of the services provided to user entities that are part of those user entities’ information systems relevant to financial reporting.
    8. User auditor – An auditor who audits and reports on the financial statements of a user entity.
    9. User entity – An entity that uses a service organisation and whose financial statements are being audited.

Requirements
Obtaining an Understanding of the Services Provided by a Service Organisation, Including Internal Control
  1. When obtaining an understanding of the user entity in accordance with SA 315,³ the user auditor shall obtain an understanding of how a user entity uses the services of a service organisation in the user entity’s operations, including: (Ref: Para. A1-A2)
    1. The nature of the services provided by the service organisation and the significance of those services to the user entity, including the effect thereof on the user entity’s internal control; (Ref: Para. A3-A5)
    2. The nature and materiality of the transactions processed or accounts or financial reporting processes affected by the service organisation; (Ref: Para. A6)
    3. The degree of interaction between the activities of the service organisation and those of the user entity; and (Ref: Para. A7)
    4. The nature of the relationship between the user entity and the service organisation, including the relevant contractual terms for the activities undertaken by the service organisation. (Ref: Para. A8-A11)
  2. When obtaining an understanding of internal control relevant to the audit in accordance with SA 315,⁴ the user auditor shall evaluate the design and implementation of relevant controls at the user entity that relate to the services provided by the service organisation, including those that are applied to the transactions processed by the service organisation. (Ref: Para. A12-A14)
  3. The user auditor shall determine whether a sufficient understanding of the nature and significance of the services provided by the service organisation and their effect on the user entity’s internal control relevant to the audit has been obtained to provide a basis for the identification and assessment of risks of material misstatement.
  4. If the user auditor is unable to obtain a sufficient understanding from the user entity, the user auditor shall obtain that understanding from one or more of the following procedures: (Ref: Para. A15-A20)
    1. Obtaining a Type 1 or Type 2 report, if available;
    2. Contacting the service organisation, through the user entity, to obtain specific information;
    3. Visiting the service organisation and performing procedures that will provide the necessary information about the relevant controls at the service organisation; or
    4. Using another auditor to perform procedures that will provide the necessary information about the relevant controls at the service organisation.

³ SA 315, paragraph 11.

⁴ SA 315, paragraph 12.

Using a Type 1 or Type 2 Report to Support the User Auditor’s Understanding of the Service Organisation
  1. In determining the sufficiency and appropriateness of the audit evidence provided by a Type 1 or Type 2 report, the user auditor shall be satisfied as to: (Ref: Para. A21)
    1. The service auditor’s professional competence (except where the service auditor is a member of the Institute of Chartered Accountants of India) and independence from the service organisation; and
    2. The adequacy of the standards under which the Type 1 or Type 2 report was issued.
  2. If the user auditor plans to use a Type 1 or Type 2 report as audit evidence to support the user auditor’s understanding about the design and implementation of controls at the service organisation, the user auditor shall: (Ref: Para. A22-A23)
    1. Evaluate whether the description and design of controls at the service organisation is at a date or for a period that is appropriate for the user auditor’s purposes;
    2. Evaluate the sufficiency and appropriateness of the evidence provided by the report for the understanding of the user entity’s internal control relevant to the audit; and
    3. Determine whether complementary user entity controls identified by the service organisation are relevant to the user entity and, if so, obtain an understanding of whether the user entity has designed and implemented such controls.
