ISA 402 - AUDIT CONSIDERATIONS RELATING TO AN ENTITY USING A SERVICE ORGANISATION Flashcards
ISA 402
ISA 402 - AUDIT CONSIDERATIONS RELATING TO AN ENTITY USING A SERVICE ORGANISATION
Outsourcing is when an external specialist organization ( a.k.a SERVICE ORGANISATION) is used to carry out functions which would normally be performed within the entity.
The use of service organizations is both well established and on the increase, and is therefore of importance to auditors. But not all outsourced activities are relevant to the audit – running a canteen or maintaining a building for the client might not affect any figures in the F/S, apart from the payment of fees for the service, for example.
Outsourced services RELEVANT TO THE AUDIT:
- Preparation of payroll
- Preparation of payment vouchers
- Preparation of sales invoices
- Maintaining accounting records
- Credit control and factoring
- Investment activities
- Pensions
- Treasury
It is important to remember the fact that the client does not avoid responsibility for the F/S, or any part of them, by outsourcing any of its activities.
Nor does the client’s auditor avoid responsibility for the audit opinion, just because the records are held by another entity, even if it is half way across the world.
ISA 402
Specific MATTERS TO CONSIDER in planning
Is the area outsourced MATERIAL to client’s F/S?
NO - No need to audit
YES - If the outsourced service represents a significant transaction cycle, then more time will need to be set aside for the audit of that transaction.
1/ What & Where are the internal controls? Carry out TESTS OF CONTROL to confirm
WHO, the SO or the client:
- initiates the transactions
- checks the validity of transactions & authorizes the transactions
- Some ICs @ client’s - User Auditor to test these controls to confirm
- Some ICs @ SO - User Auditor to test these controls to confirm
2/ Will SO give access to User Auditor to do ToC?
YES - User Auditor to enter SO to do ToC
NO - User Auditor to request SO to provide Type 1 report OR Type 2 report
Type 1 reportcontains description & design of ICs at the SO.
Type 2 report contains contents of Type 1 report AND also includes the OPINION on the operating effectiveness of the ICs at the SO (including results of tests of control carried out by the Service Auditor)*
3/ What procedures are there at User Entity to ensure processing at SO is complete & accurate?
- ENQUIRE from management the relevant controls in place at User Entity over the reports received from SO like whether anyone checks the completeness & accuracy of processing.
4/ Where are the source documents? Carry out SUBSTANTIVE PROCEDURES - this is not covered by ISA 402!!!
WHO, the SO or the client maintains the source documents & updates & keeps the accounting records
This will help the auditor understand the extent to which the client is responsible for the transaction &/ or balances & also helps the auditor decide the extent of tests that can be carried out at the client company.
**Client’s external auditor to carry out substantive procedures **
- CARRY OUT substantive analytical reviews
on the FS item to identify material misstatements
- AGREE a sample of transactions from the report from the SO to source documents. If the source documents are at SO and the auditor cannot access them > this will be a LIMITATION OF SCOPE!. The Audit Report can be modified.
TYPE 1 & TYPE 2 REPORTS - the auditor need to check the reliability of the preparer!!!
1/ ISA 600 - Reliance on component auditor (EQEAM)
2/ ISA 610 - Reliance on internal auditor (DOTS - due professional care, organizational status, technical competence, scope of function)
3/ ISA 620 - Reliance on auditor expert (CCO-REQI - competence/ capability/ objectivity - reputation/ experience/ qualification/ independence)
4/ ISAE 3420 - Reliance on service auditor (Report will be based on the criteria in ISAE 3402 which is an ASSURANCE STANDARD - that itself shows that the report is credible).
ISA 402
ASSURANCE REPORTS ON CONTROLS AT A SERVICE ORGANISATION - ISAE 3402
ISAE 3402
ISAE 3402 applies to the service auditor who is asked by the SO to produce a Service Auditor’s Report.
The SO decides whether the Service Auditor produces a Type I or Type II report
One of the most effective ways a Service Organization (SO) can communicate information about its controls is through a Service Auditor’s Report.
A Service auditor is a professional accountant in public practice who, at the request of the service organization, provides an assurance report on controls at a service organization
There are two types of Service Auditor’s Reports: **Type I **and Type II.
iSA 402
ASSURANCE REPORTS ON CONTROLS AT A SERVICE ORGANISATION - ISAE 3402
Benefits to service organisations
Service organizations receive significant value from having a ISAE 3402 engagement performed.
BUILDS TRUST A Service Auditor’s Report with an unqualified opinion that is issued by an Independent Accounting Firm differentiates the service organization from its peers by demonstrating the establishment of effectively designed control objectives & control activities. A Service Auditor’s Report also helps a service organization build trust with its user organizations (i.e. customers).
PREVENTS STRAIN ON SO’s RESOURCES Without a current Service Auditor’s Report, a service organization may have to entertain multiple audit requests from its customers and their respective auditors. Multiple visits from user auditors can place a strain on the service organization’s resources.
ALL AUDITORS HAVE ACCESS TO SAME INFO - A Service Auditor’s Report ensures that all user organizations and their auditors have access to the same information and in many cases this will satisfy the user auditor’s requirements.
OPPORTUNITY FOR SO’s ICs TO BE IMPROVED - ISAE 3402 engagements are generally performed by control oriented professionals who have experience in accounting, auditing, and information security. An ISAE 3402 engagement allows a service organization to have its control policies and procedures evaluated and tested (in the case of a Type II engagement) by an independent party. Very often this process results in the identification of opportunities for improvements in many operational areas.
