Statement on Auditing Standards-SA 402

Statement on Auditing Standards-SA 402

Scope and objectives

The Auditing standards provide guidance on the auditor’s responsibility to obtain sufficient appropriate audit evidence in these cases, by applying SA 315 and SA 330.

SA 402 specifies that the services provided by a service organization are relevant to the audit of the user entity’s financial statements if they affect certain aspects of the user entity’s information system, including classes of transactions, procedures for initiating and processing transactions, accounting records, and controls around journal entries. The extent of work required by the auditor will depend on the significance of these services to the user entity.

The SA 402 also defines terms such as complementary user entity controls, which are controls that the service organization assumes, will be implemented by the user entity, and report on the description and design of controls at a service organization, which is a report that provides an opinion on the description and design of controls implemented by the service organization.

Finally, SA 402 does not apply to services provided by financial institutions for specific authorized transactions, or to proprietary financial interests in other entities when these interests are accounted for and reported to interest holders.

Overall, they provide guidance on how auditors should approach the task of auditing financial statements when a company has outsourced certain tasks to a service organization.

Obtaining an Understanding of the Services Provided by a Service Organisation, Including Internal Control

The auditing standards provide guidance on how an auditor should obtain an understanding of the services provided by a service organization that is used by a user entity (i.e., the organization being audited) in its operations. This understanding is important because the service organization’s services may affect the user entity’s internal control and financial reporting processes. The guidance is organized into several key considerations:

  • Nature of services: The user auditor should obtain information on the nature of the services provided by the service organization. This information can come from various sources, such as user manuals, system overviews, technical manuals, contracts or service level agreements, and reports by service organizations, internal auditors, or regulatory authorities. The user auditor’s experience with the service organization may also be helpful.
  • Materiality: The user auditor should consider the nature and materiality of the transactions or accounts affected by the service organization. Even if the transactions or accounts processed by the service organization appear immaterial to the user entity’s financial statements, the nature of the transactions may be significant and require understanding of the service organization’s controls.
  • Interaction with user entity: The degree of interaction between the service organization’s activities and those of the user entity affects the significance of the service organization’s controls to the user entity’s internal control. A high degree of interaction exists when the user entity authorizes transactions and the service organization processes and does the accounting for those transactions. In contrast, a lower degree of interaction exists when the service organization initiates or initially records, processes, and does the accounting for the user entity’s transactions.
  • Contractual terms: The user auditor should consider the nature of the relationship between the user entity and the service organization, including the relevant contractual terms for the activities undertaken by the service organization. The contract or service level agreement may provide for matters such as the information to be provided to the user entity, responsibilities for initiating transactions, requirements of regulatory bodies, indemnification in the event of a performance failure, and rights of access to accounting records.
  • Communication: The user auditor should recognize that there is a direct relationship between the service organization and the user entity and between the service organization and the service auditor. However, there is not necessarily a direct relationship between the user auditor and the service auditor. When there is no direct relationship between the user auditor and the service auditor, communications between the user auditor and the service auditor are usually conducted through the user entity and the service organization.

Further Procedures When a Sufficient Understanding Cannot Be Obtained from the User Entity

The user auditor can obtain the necessary understanding from one or more of the following procedures:

Obtaining a Type 1 or Type 2 report: A service organization may engage a service auditor to report on the description and design of its controls (Type 1 report) or on the description and design of its controls and their operating effectiveness (Type 2 report).

Contacting the service organization: The user auditor may contact the service organization, through the user entity, to obtain specific information.

Visiting the service organization: Visiting the service organization and performing procedures that will provide the necessary information about the relevant controls at the service organization.

Using another auditor: Another auditor may be used to perform procedures that will provide the necessary information about the relevant controls at the service organization.

The user auditor’s decision as to which procedure to use may be influenced by various factors such as the size and complexity of both the user entity and the service organization, the location of the service organization, whether the procedure is expected to effectively provide the user auditor with sufficient appropriate audit evidence, and the nature of the relationship between the user entity and the service organization.

SA 402 also explains that in some circumstances, a user entity may outsource significant business units or functions, and in such cases, visiting the service organization may be the most effective procedure for the user auditor to gain an understanding of controls at the service organization, as there is likely to be direct interaction of management of the user entity with management at the service organization. If a Type 1 or Type 2 report has been issued, the user auditor may use the service auditor to perform these procedures as the service auditor has an existing relationship with the service organization. The text also explains that the user auditor may need to consider controls at the sub-service organization if a service organization uses a sub-service organization to provide some of the services provided to a user entity that are part of the user entity’s information system relevant to financial reporting.

Using a Type 1 or Type 2 Report to Support the User Auditor Understands of the Service Organisation

It describes the requirements for using Type 1 or Type 2 reports to support the user auditor’s understanding of the service organization’s controls. In particular, the text explains that the user auditor must be satisfied as to the service auditor’s professional competence and independence, as well as the adequacy of the standards under which the report was issued.

If the user auditor plans to use a Type 1 or Type 2 report as audit evidence, the user auditor must obtain an understanding of the aspects of controls at the service organization that may affect the processing of the user entity’s transactions. This includes understanding the flow of significant transactions through the service organization to determine where material misstatements could occur, as well as the control objectives that are relevant to the user entity’s financial statement assertions.

The Type 1 or Type 2 report can assist the user auditor in obtaining a sufficient understanding to identify and assess the risks of material misstatement. However, the Type 1 report does not provide any evidence of the operating effectiveness of the relevant controls. If the Type 1 or Type 2 report is outside the reporting period of the user entity, the user auditor may need to supplement it with additional current information from other sources.

Finally, they explain that the user auditor must evaluate whether the description and design of controls at the service organization is appropriate for the user auditor’s purposes, evaluate the sufficiency and appropriateness of the evidence provided by the report, and determine whether complementary user entity controls identified by the service organization are relevant to the user entity.

Responding to the Assessed Risks of Material Misstatement

The auditor’s response to assessed risks of material misstatement in accordance with SA 330 (the standard on audit risk assessment). It explains that the use of a service organization by a user entity may increase or decrease the risk of material misstatement depending on the nature of the services provided and the controls over those services. In some cases, using a service organization may decrease the user entity’s risk of material misstatement, particularly if the user entity lacks the necessary expertise or resources to undertake specific activities.

When the service organization maintains material elements of the user entity’s accounting records, the user auditor may need direct access to those records to obtain sufficient appropriate audit evidence relating to the operations of controls over those records or to substantiate transactions and balances recorded in them. The user auditor may inspect records and documents held by the user entity or by the service organization, obtain confirmations of balances and transactions from the service organization, or perform analytical procedures on the records maintained by the user entity or on the reports received from the service organization.

In certain circumstances, the user entity may outsource some or all of its finance function to a service organization, and the user auditor may need to perform substantive procedures at the service organization or have another auditor perform them on its behalf. The user auditor’s responsibility is to obtain sufficient appropriate audit evidence to support its opinion, and it may need to perform further audit procedures if sufficient appropriate audit evidence is not available from records held at the user entity or use another auditor to perform those procedures at the service organization on its behalf.

Tests of Controls

The requirements and procedures for obtaining audit evidence about the operating effectiveness of controls at a service organization. Service organizations are third-party entities that provide services that are relevant to the financial statements of user entities (organizations that use the services provided by service organizations). When user auditors (auditors of user entities) assess the risks of material misstatement in the user entities’ financial statements, they may consider the effectiveness of controls at the service organizations in reducing those risks. In such cases, user auditors need to obtain sufficient appropriate audit evidence about the operating effectiveness of those controls.

The user auditor can obtain audit evidence about the operating effectiveness of controls at the service organization through three procedures: obtaining a Type 2 report (a report prepared by the service auditor that includes tests of controls and results for a period of time), performing appropriate tests of controls at the service organization, or using another auditor to perform tests of controls at the service organization.

If the user auditor plans to rely on a Type 2 report as audit evidence, they need to determine whether the report provides sufficient appropriate audit evidence about the effectiveness of the controls to support their risk assessment. The user auditor may need to consider various factors, such as the time period covered by the report, the scope of the service auditor’s work, and the results of the tests of controls.

In some cases, the user auditor may need to obtain additional audit evidence about the controls at the service organization. For example, if the service auditor’s testing period is outside the user entity’s financial reporting period, the user auditor may need to perform additional tests of controls or extend the testing period to obtain sufficient appropriate audit evidence.

The requirements and procedures for obtaining audit evidence about the operating effectiveness of controls at a service organization, which is relevant when the user auditor’s risk assessment includes an expectation that controls at the service organization are operating effectively. The user auditor can obtain audit evidence through various procedures, and they need to ensure that the evidence obtained is sufficient and appropriate to support their risk assessment.

Fraud, Non-Compliance with Laws and Regulations and Uncorrected Misstatements in Relation to Activities at the Service Organisation

The responsibilities of a user auditor when it comes to fraud, non-compliance with laws and regulations, and uncorrected misstatements related to a service organization. The user auditor is required to ask the management of the user entity if the service organization has reported or if they are aware of any such issues that may affect the financial statements of the user entity.

Based on the response from the management, the user auditor needs to evaluate the impact of these matters on the nature, timing, and extent of their audit procedures. This evaluation may affect the user auditor’s conclusions and report.

In some cases, the service organization may be contractually obligated to report any such matters to the affected user entities. The user auditor should inquire with the user entity management to determine if the service organization has reported any such matters and evaluate the impact of these reported matters on the audit procedures. If additional information is required, the user auditor may request the user entity to contact the service organization to obtain the necessary information.

Reporting by the User Auditor

The reporting requirements for the user auditor in relation to the services provided by a service organization.

If the user auditor is unable to obtain sufficient appropriate audit evidence related to the services provided by the service organization, the user auditor must modify their opinion in accordance with SA 705(Revised)5. This may happen in cases where the user auditor is unable to understand the services provided, assess the risks of material misstatement, or obtain sufficient evidence about the effectiveness of controls at the service organization.

The user auditor is not required to refer to the work of a service auditor in their report unless required by law or regulation. If such a reference is required, the user auditor must indicate that the reference does not diminish their responsibility for the audit opinion. However, if the user auditor expresses a modified opinion because of a modified opinion in a service auditor’s report, they may refer to that report to explain the reason for their modified opinion. In such cases, the user auditor may need the consent of the service auditor before making the reference.

Overall, the user auditor is responsible for obtaining sufficient appropriate audit evidence to support their opinion on the user entity’s financial statements, regardless of whether a service organization is used.

Audit Considerations Relating to an Entity Using a Service Organization

In ISA 402 provides guidelines for auditors when a company uses a service organization to perform certain functions? They note that while the standard was initially intended for use by public sector auditors with broad access rights, it now applies to all entities, regardless of their form, nature, or size. The standard requires the user auditor to assess the service auditor’s professional competence and independence from the service organization to obtain sufficient and appropriate audit evidence and report on it. The corresponding paragraphs of SA 402 also require the same assessment of professional competence, except when the service auditor is also a member of the Institute of Chartered Accountants of India. In summary, it clarifies that the application of ISA 402 is now generic and applies to all entities, and highlights the importance of assessing the service auditor’s professional competence and independence

Quiz: Audit Considerations Relating to an Entity Using a Service Organization

1. Which auditing standards provide guidance on obtaining sufficient appropriate audit evidence in cases where a company uses a service organization?

a) SA 402 and SA 315

b) SA 330 and SA 402

c) SA 315 and SA 330

d) SA 402 and SA 330

Answer: d)

2. According to SA 402, when are services provided by a service organization considered relevant to the audit of a user entity’s financial statements?

a) When they affect the user entity’s internal control

b) When they involve proprietary financial interests

c) When they are provided by financial institutions

d) When they are specifically authorized transactions

Answer: a)

3. What are complementary user entity controls?

a) Controls implemented by the service organization

b) Controls assumed to be implemented by the user entity

c) Controls related to journal entries

d) Controls implemented by financial institutions

Answer: b)

4. How can a user auditor obtain an understanding of the services provided by a service organization?

a) Through user manuals and system overviews

b) Through service auditor’s reports only

c) Through internal auditors’ reports only

d) Through contracts and service level agreements only

Answer: d)

5. Which of the following factors may influence the user auditor’s decision on which procedure to use when a sufficient understanding cannot be obtained from the user entity?

a) Size and complexity of the user entity and the service organization

b) Location of the service organization

c) Effectiveness of the procedure in providing sufficient audit evidence

d) All of the above

Answer: d)

6. Which procedure can be used by the user auditor to obtain an understanding of the operating effectiveness of controls at a service organization?

a) Obtaining a Type 1 report

b) Performing tests of controls at the service organization

c) Using another auditor to perform tests of controls

d) All of the above

Answer: d)

7. What should the user auditor consider when relying on a Type 2 report as audit evidence?

a) Time period covered by the report

b) Scope of the service auditor’s work

c) Results of tests of controls

d) All of the above

Answer: d)

8. When is the user auditor required to modify their opinion in relation to the services provided by a service organization?

a) When there is a direct relationship between the user auditor and the service auditor

b) When there is no direct relationship between the user auditor and the service auditor

c) When sufficient appropriate audit evidence cannot be obtained

d) When the user auditor is unable to assess the risks of material misstatement

Answer: c)

9. What is the user auditor’s responsibility regarding fraud, non-compliance with laws and regulations, and uncorrected misstatements related to a service organization?

a) To report them directly to the service organization

b) To inquire with the user entity management and evaluate their impact on the audit procedures

c) To rely solely on the service auditor’s report

d) To perform additional tests of controls at the service organization

Answer: b)

10. Does the application of ISA 402 apply to all entities, regardless of their form, nature, or size?

a) Yes

b) No

Answer: a)

Additional question:

11. What is the purpose of obtaining an understanding of the services provided by a service organization in the context of an audit?

a) To assess the service organization’s financial performance

b) To evaluate the service organization’s internal control systems

c) To determine the impact of the services on the user entity’s financial reporting processes

d) To identify potential conflicts of interest between the user entity and the service organization

Answer: c)

12. When assessing the materiality of transactions or accounts affected by a service organization, what should the user auditor consider?

a) The nature of the transactions processed by the service organization

b) The financial resources of the service organization

c) The reputation of the service organization in the industry

d)The geographical location of the service organization

Answer: a)

13. How does the degree of interaction between a user entity and a service organization affect the significance of the service organization’s controls to the user entity’s internal control?

a) A high degree of interaction decreases the significance of the controls.

b) A low degree of interaction increases the significance of the controls.

c) The degree of interaction has no impact on the significance of the controls.

d) The degree of interaction determines the need for complementary user entity controls.

Answer: b)

14. What is the role of contractual terms between a user entity and a service organization in the audit process?

a) Contractual terms define the user entity’s responsibilities for initiating transactions.

b) Contractual terms determine the service organization’s financial compensation.

c) Contractual terms establish the user entity’s access rights to accounting records.

d) Contractual terms influence the user auditor’s understanding of the service organization’s controls.

Answer: d)

15. How can the user auditor establish communication with the service auditor in cases where there is no direct relationship between them?

a) Through direct correspondence between the user auditor and the service auditor.

b) Through the user entity and the service organization as intermediaries.

c) Through the regulatory authorities overseeing the service organization.

d) Through the user entity’s internal auditors acting as intermediaries.

Answer: b)

16. What procedures can the user auditor employ when a sufficient understanding of the services provided by the service organization cannot be obtained from the user entity?

a) Obtain a Type 1 or Type 2 report from the service organization.

b) Contact the service organization directly without involving the user entity.

c) Visit the service organization to conduct on-site inspections and procedures.

d) Engage another auditor to perform additional audit procedures at the service organization.

Answer: a)

17. When may visiting the service organization be the most effective procedure for the user auditor to gain an understanding of controls at the service organization?

a) When the service organization uses a sub-service organization.

b) When the service organization is a financial institution.

c) When the user entity has outsourced significant business units or functions.

d) When the service organization’s controls are already documented in a Type 1 report.

Answer: c)

18. What should the user auditor evaluate when using a Type 1 or Type 2 report as audit evidence?

a) The service auditor’s professional competence and independence.

b) The accuracy of the financial statements prepared by the service organization.

c) The user entity’s compliance with contractual terms.

d) The user entity’s communication with the service organization.

Answer: a)

19. In what circumstances might the user auditor need to perform substantive procedures at the service organization or engage another auditor to do so?

a) When the user entity lacks the necessary expertise or resources.

b) When the service organization has reported fraud or non-compliance.

c) When the service auditor’s report covers a period outside the reporting period.

d) When the user entity has outsourced its entire finance function.

Answer: a)

20. What reporting requirements does the user auditor have in relation to the services provided by a service organization?

a) The user auditor must refer to the work of the service auditor in their report.

b) The user auditor must obtain the service auditor’s consent before making any references.

c) The user auditor must modify their opinion if they are unable to obtain sufficient audit evidence.

d) The user auditor must report any uncorrected misstatements identified at the service organization.

Answer:c)

Statement on Auditing Standards – SA 210

Statement on Auditing Standards – SA 220

Statement on Auditing Standards – SA 230

Statement on Auditing Standards – SA 240

Statement on Auditing Standards – SA 250

Statement on Auditing Standards – SA 260

Statement on Auditing Standards – SA 265

Statement on Auditing Standards – SA 299

Statement on Auditing Standards – SA 300

 Statement on Auditing Standards – SA 315

Statement on Auditing Standards – SA 320

Statement on Auditing Standards – SA 330

Statement on Auditing Standards – SA 402

Statement on Auditing Standards – SA 450

Statement On Auditing Standards – SA 500

Statement on Auditing Standards – SA 501

Statement on Auditing Standards – SA 505

Statement on Auditing Standards – SA 510

Statement on Auditing Standards – SA 520

Statement on Auditing Standards – SA 530

Statement on Auditing Standards – SA 540

Statement on Auditing Standards – SA 560

Statement on Auditing Standards – SA 570

Statement on Auditing Standards – SA 580

Statement on Auditing Standards – SA 600

Statement on Auditing Standards – SA 610

Statement on Auditing Standards – SA 620

Statement on Auditing Standards – SA 700

Statement on Auditing Standards – SA 701

Statement on Auditing Standards – SA 705

Statement on Auditing Standards – SA 706

 Statement on Auditing Standards – SA 710

Statement on Auditing Standards – SA 720

Statement on Auditing Standards – SA 800

Statement on Auditing Standards – SA 805

Statement on Auditing Standards – SA 810

Statement on Auditing Standards – SAE 3400

Statement on Auditing Standards – SAE 3402

Statement on Auditing Standards – SRE 2400

Statement on Auditing Standards – SRE 2410

Statement on Auditing Standards – SRS 4400

Statement on Auditing Standards – SRS 4410

Audit trail in software requirements

Standard on Quality Control

Statement on developmental and regulatory policies