Audit of an entity using a service organization

 

Many entities outsource aspects of their business to organizations that provide services ranging from performing a specific task under the direction of an entity to replacing an entity’s entire business units or functions, such as the tax compliance function.

Services provided by a service organization are relevant to the audit of a user entity’s financial statements when those services, and the controls over them, are part of the user entity’s information system, including related business processes, relevant to financial reporting.

A service organization’s services are part of a user entity’s information system, including related business processes, relevant to financial reporting if these services affect any of the following:

(a) The classes of transactions in the user entity’s operations that are significant to the user entity’s financial statements.

(b) The procedures, within both information technology (IT) and manual systems, by which the user entity’s transactions are initiated, recorded, processed, corrected as necessary, transferred to the general ledger and reported in the financial statements.

(c) The related accounting records, either in electronic or manual form, supporting information and specific accounts in the user entity’s financial statements that are used to initiate, record, process and report the user entity’s transactions.

(d) How the user entity’s information system captures events and conditions, other than transactions, that are significant to the financial statements.

(e) The financial reporting process used to prepare the user entity’s financial statements, including significant accounting estimates and disclosures; and

(f) Controls surrounding journal entries, including non-standard journal entries used to record non-recurring, unusual transactions or adjustments.

Examples of service organization services that are relevant to the audit include:

● Maintenance of the user entity’s accounting records.

● Management of assets.

● Initiating, recording or processing transactions as agent of the user entity.

When the user entity uses the services of a service organization the user auditor should:

Service organization – A third-party organization (or segment of a third-party organization) that provides services to user entities that are part of those entities’ information systems relevant to financial reporting.

Service organization’s system – The policies and procedures designed, implemented and maintained by the service organization to provide user entities with the services covered by the service auditor’s report.

User auditor – An auditor who audits and reports on the financial statements of a user entity.

User entity – An entity that uses a service organization and whose financial statements are being audited.

Obtaining an understanding of the nature and significance of the services provided by the service organization, and of their effect on the user entity’s internal control, means understanding how a user entity uses the services of a service organization in its operations, including:

● Nature of the services provided by the service organization

● Nature and materiality of transactions processed by the service organization

● The degree of interaction between the activities of the service organization and the user entity

● Nature of the relationship between the user entity and the service organization

To understand how a user entity uses the services of a service organization in its operations, auditors may use the following sources of information:

(a) User manuals.

(b) System overviews.

(c) Technical manuals.

(d) The contract or service level agreement between the user entity and the service organization.

(e) Reports by service organizations, the internal audit function or regulatory authorities on controls at the service organization.

(f) Reports by the service auditor, including management letters, if available.

The user auditor must determine whether a sufficient understanding of the nature and significance of the services provided by the service organization has been obtained to provide a basis for the identification and assessment of risks of material misstatement.

If the user auditor is unable to obtain a sufficient understanding from the user entity, one or more of the following procedures are performed:

(a) Obtaining a type 1 or type 2 report, if available.

(b) Contacting the service organization, through the user entity, to obtain specific information.

(c) Visiting the service organization and performing procedures that will provide the necessary information about the relevant controls at the service organization; or

(d) Using another auditor to perform procedures that will provide the necessary information about the relevant controls at the service organization.

Type 1 report – Report on the description and design of controls at a service organization. It includes:

● A description, prepared by management of the service organization, of the service organization’s system, control objectives and related controls as at a specified date; and

● A report by the service auditor which includes the service auditor’s opinion on the description of the service organization’s system, control objectives and related controls and the suitability of the design of the controls.

Type 2 report – Report on the description, design, and operating effectiveness of controls at a service organization. It includes:

● A description, prepared by management of the service organization, of the service organization’s system, control objectives and related controls, their design and implementation as at a specified date and their operating effectiveness throughout a specified period; and

● A report by the service auditor with the objective of conveying reasonable assurance that includes:

(a) The service auditor’s opinion on the description of the service organization’s system, control objectives and related controls, and the operating effectiveness of the controls.

(b) A description of the service auditor’s tests of the controls and their results.

If the user auditor is going to use a type 1 or type 2 report to support the understanding of the service organization, the user auditor must be satisfied with:

(a) The service auditor’s professional competence and independence from the service organization;

(b) The adequacy of the standards under which the type 1 or type 2 report was issued;

(c) Whether the description and design of controls at the service organization is at a date or for a period that is appropriate for the user auditor’s purposes; and

(d) The sufficiency and appropriateness of the evidence provided by the report.

Responding to the Assessed Risks of Material Misstatement

In responding to assessed risks, the user auditor must:

(a) Determine whether sufficient appropriate audit evidence concerning the relevant financial statement assertions is available from records held at the user entity; and, if not,

(b) Perform further audit procedures to obtain sufficient appropriate audit evidence or use another auditor to perform those procedures at the service organization.

Tests of Controls

The user auditor is required to design and perform tests of controls to obtain sufficient appropriate audit evidence as to the operating effectiveness of relevant controls in the following situations:

● The user auditor’s assessment of risks of material misstatement includes an expectation that the controls at the service organization are operating effectively;

● Substantive procedures alone, or in combination with tests of the operating effectiveness of controls at the user entity, cannot provide sufficient appropriate audit evidence at the assertion level.

When the user auditor’s risk assessment includes an expectation that controls at the service organization are operating effectively, the user auditor shall obtain audit evidence about the operating effectiveness of those controls from one or more of the following procedures:

(a) Obtaining a type 2 report, if available.

(b) Performing appropriate tests of controls at the service organization; or

(c) Using another auditor to perform tests of controls at the service organization on behalf of the user auditor.

If the user auditor plans to use a type 2 report as audit evidence that controls at the service organization are operating effectively, the user auditor will determine:

● whether the description, design and operating effectiveness of controls at the service organization is at a date that is appropriate for the user auditor’s purposes;

● the adequacy of the time period covered by the tests of controls and the time elapsed since the performance of the tests of controls;

● whether the tests of controls performed are relevant to the assertions in the user entity’s financial statements and provide sufficient appropriate audit evidence to support the user auditor’s risk assessment;

● whether complementary user entity controls identified by the service organization are relevant to the user entity and whether the user entity has designed and implemented such controls and, if so, testing their operating effectiveness.

The user auditor does not refer to the work of a service auditor in the user auditor’s report containing an unmodified opinion unless required by law or regulation to do so.

ISA 402
