Skip to main content
Australian Auditing Standards

ASA 402

Auditing Considerations Relating to an Entity Using a Service Organisation

Download Current PDF

Approval Date: 3 March 2020

Operative Date This Australian Auditing Standards is operative for financial reporting periods beginning on or after 15 December 2021

Download Current PDF

Approval Date: 3 March 2020

This Auditing Standard deals with the user auditor’s responsibility to obtain sufficient appropriate audit evidence when a user entity uses the services of one or more service organisations. 

Compilation Details

Auditing Standard ASA 402 Auditing Considerations Relating to an Entity Using a Service Organisation (as Amended)

This compilation takes into account amendments made up to and including 3 March 2020 and was prepared on 10 November 2021 by the Auditing and Assurance Standards Board (AUASB).

This compilation is not a separate Auditing Standard made by the AUASB.  Instead, it is a representation of ASA 402 (October 2009) as amended by other Auditing Standards which are listed in the Table below.

Table of Standards

Standard

Date made

Operative Date

ASA 402            [A]

27 October 2009

Financial reporting periods commencing on or after 1 January 2010

ASA 2011‑1       [B]

27 June 2011

Financial reporting periods commencing on or after 1 July 2011

ASA 2013‑2       [C]

11 November 2013

Financial reporting periods commencing on or after 1 January 2014

ASA 2020-1       [D] 3 March 2020 Financial reporting periods commencing on or after 15 December 2021*

[A]       Federal Register of Legislation – registration number F2009L04082, 12 November 2009

[B]       Federal Register of Legislation – registration number F2011L01379, 30 June 2011

[C]       Federal Register of Legislation – registration number F2013L01939, 14 November 2013

[D]      Federal Register of Legislation – registration number F2020L00252, 13 March 2020

Table of Amendments

Paragraph affected

How affected

By … [paragraph]

A19

Amended

ASA 2011-1 [31]

A1

Amended

ASA 2013-2 [77]

1 and Footnote 1

Amended

ASA 2020-1 [109]

3

Amended

ASA 2020-1 [110]

7

Amended

ASA 2020-1 [111]

9
Footnote 3

Amended

ASA 2020-1 [112]

10 and Footnote 4

Amended

ASA 2020-1 [113]

10
Footnote 5

Addition

ASA 2020-1 [113]

Renumbering of footnotes

Amended

ASA 2020-1 [114]

11

Amended

ASA 2020-1 [115]

12

Amended

ASA 2020-1 [116]

14

Amended

ASA 2020-1 [117]

A14
Footnote 9

Amended

ASA 2020-1 [118]

A19

Amended

ASA 2020-1 [119]

A22

Amended

ASA 2020-1 [120]

A29

Amended

ASA 2020-1 [121]

A30

Amended

ASA 2020-1 [122]

A33

Amended

ASA 2020-1 [123]

A34

Amended

ASA 2020-1 [124]

A39

Amended

ASA 2020-1 [125]

 
*           Early adoption, in conjunction with ASA 315 Identifying and Assessing the Risks of Material Misstatement, permitted.

Preamble

Authority Statement

Auditing Standard ASA 402 Auditing Considerations Relating to an Entity Using a Service Organisation (as amended to 3 March 2020) is set out in paragraphs Aus 0.1 to A44.

This Auditing Standard is to be read in conjunction with ASA 101 Preamble to AUASB Standards, which sets out how AUASB Standards are to be understood, interpreted and applied.  This Auditing Standard is to be read also in conjunction with ASA 200 Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance with Australian Auditing Standards.

Conformity with International Standards on Auditing

This Auditing Standard conforms with International Standard on Auditing ISA 402 Auditing Considerations Relating to an Entity Using a Service Organization issued by the International Auditing and Assurance Standards Board (IAASB), an independent standard‑setting board of the International Federation of Accountants (IFAC).

Paragraphs that have been added to this Auditing Standard (and do not appear in the text of the equivalent ISA) are identified with the prefix “Aus”.

Compliance with this Auditing Standard enables compliance with ISA 402.

Auditing Standard ASA 402

The Auditing and Assurance Standards Board (AUASB) made Auditing Standard ASA 402 Auditing Considerations Relating to an Entity Using a Service Organisation pursuant to section 227B of the Australian Securities and Investments Commission Act 2001 and section 336 of the Corporations Act 2001, on 27 October 2009.

This compiled version of ASA 402 incorporates subsequent amendments contained in other Auditing Standards made by the AUASB up to and including 3 March 2020 (see Compilation Details).

Application

Aus 0.1

This Auditing Standard applies to:

  1. an audit of a financial report for a financial year, or an audit of a financial report for a half‑year, in accordance with the Corporations Act 2001; and
  2. an audit of a financial report, or a complete set of financial statements, for any other purpose.

Aus 0.2

This Auditing Standard also applies, as appropriate, to an audit of other historical financial information.

Operative Date

Aus 0.3

This Auditing Standard is operative for financial reporting periods commencing on or after 1 January 2010.  [Note: For operative dates of paragraphs changed or added by an Amending Standard, see Compilation Details.]

Introduction

Scope of this Auditing Standard

1

This Auditing Standard deals with the user auditor’s responsibility to obtain sufficient appropriate audit evidence when a user entity uses the services of one or more service organisations.  Specifically, it expands on how the user auditor applies ASA 315[1] and ASA 330[2] in obtaining an understanding of the user entity, including the entity's system of internal control relevant to the preparation of the financial report, sufficient to identify and assess the risks of material misstatement and in designing and performing further audit procedures responsive to those risks. 

2

Many entities outsource aspects of their business to organisations that provide services ranging from performing a specific task under the direction of an entity to replacing an entity’s entire business units or functions, such as the tax compliance function.  Many of the services provided by such organisations are integral to the entity’s business operations; however, not all those services are relevant to the audit.

3

Services provided by a service organisation are relevant to the audit of a user entity’s financial report when those services, and the controls over them, are part of the user entity’s information system, relevant to the preparation of the financial report. Most controls at the service organisation are likely to be part of the user entity’s information system relevant to the preparation of the financial report, or related controls, such as controls over the safeguarding of assets. A service organisation’s services are part of a user entity’s information system, if these services affect any of the following:

  1. How information relating to significant classes of transactions, account balances and disclosures flows through the user entity’s information system, whether manually or using IT, and whether obtained from within or outside the general ledger and subsidiary ledgers. This includes when the service organisation’s services affect how:
    1. Transactions of the user entity are initiated, and how information about them is recorded, processed, corrected as necessary, and incorporated in the general ledger and reported in the financial report; and
    2. Information about events or conditions, other than transactions, is captured, processed and disclosed by the user entity in the financial report.
  2. The accounting records, specific accounts in the user entity’s financial report and other supporting records relating to the flows of information in paragraph 3(a);
  3. The financial reporting process used to prepare the user entity’s financial report from the records described in paragraph 3(b), including as it relates to disclosures and to accounting estimates relating to significant classes of transactions, account balances and disclosures; and
  4. The entity’s IT environment relevant to (a) to (c) above.

4

The nature and extent of work to be performed by the user auditor regarding the services provided by a service organisation depend on the nature and significance of those services to the user entity and the relevance of those services to the audit.

5

This Auditing Standard does not apply to services provided by financial institutions that are limited to processing, for an entity’s account held at the financial institution, transactions that are specifically authorised by the entity, such as the processing of cheque account transactions by a bank or the processing of securities transactions by a broker.  In addition, this Auditing Standard does not apply to the audit of transactions arising from proprietary financial interests in other entities, such as partnerships, corporations and joint ventures, when proprietary interests are accounted for and reported to interest holders.

Aus 5.1

An auditor appointed to provide an opinion on an entity’s financial report may also have additional statutory or regulatory responsibilities, which may be affected by the entity’s use of a service organisation.  For example, sections 307(c) and 307(d) of the Corporations Act 2001(the Act) require the auditor to form an opinion on whether the entity has kept proper financial records, and other records and registers as required by that Act.

Effective Date

6

[Deleted by the AUASB.  Refer Aus 0.3]

1

See ASA 315 Identifying and Assessing the Risks of Material Misstatement.

2

See ASA 330 The Auditor’s Responses to Assessed Risks.

Objective

7

The objectives of the user auditor, when the user entity uses the services of a service organisation, are:

  1. To obtain an understanding of the nature and significance of the services provided by the service organisation and their effect on the user entity’s system of internal control, sufficient to provide an appropriate basis for the identification and assessment of the risks of material misstatement; and
  2. To design and perform audit procedures responsive to those risks.

Definitions

8

For the purposes of this Auditing Standard, the following terms have the meanings attributed below:

8(a)

Complementary user entity controls means controls that the service organisation assumes, in the design of its service, will be implemented by user entities, and which, if necessary to achieve control objectives, are identified in the description of its system. 

8(b)

Report on the description and design of controls at a service organisation (referred to in this Auditing Standard as a type 1 report) means a report that comprises:

  1. A description, prepared by management of the service organisation, of the service organisation’s system, control objectives and related controls that have been designed and implemented as at a specified date; and
  2. A report by the service auditor with the objective of conveying reasonable assurance that includes the service auditor’s opinion on the description of the service organisation’s system, control objectives and related controls and the suitability of the design of the controls to achieve the specified control objectives.

8(c)

Report on the description, design, and operating effectiveness of controls at a service organisation (referred to in this Auditing Standard as a type 2 report) means a report that comprises:

  1. A description, prepared by management of the service organisation, of the service organisation’s system, control objectives and related controls, their design and implementation as at a specified date or throughout a specified period and, in some cases, their operating effectiveness throughout a specified period; and
  2. A report by the service auditor with the objective of conveying reasonable assurance that includes:
    1. The service auditor’s opinion on the description of the service organisation’s system, control objectives and related controls, the suitability of the design of the controls to achieve the specified control objectives, and the operating effectiveness of the controls; and
    2. A description of the service auditor’s tests of the controls and the results thereof.

8(d)

Service auditor means an auditor who, at the request of the service organisation, provides an assurance report on the controls of a service organisation. 

8(e)

Service organisation means a third‑party organisation (or segment of a third‑party organisation) that provides services to user entities that are part of those entities’ information systems relevant to financial reporting. 

8(f)

Service organisation’s system means the policies and procedures designed, implemented and maintained by the service organisation to provide user entities with the services covered by the service auditor’s report. 

8(g)

Subservice organisation means a service organisation used by another service organisation to perform some of the services provided to user entities that are part of those user entities’ information systems relevant to financial reporting.

8(h)

User auditor means an auditor who audits and reports on the financial report of a user entity. 

8(i)

User entity means an entity that uses a service organisation and whose financial report is being audited.

Requirements

Obtaining an Understanding of the Services Provided by a Service Organisation, Including Internal Control

9

When obtaining an understanding of the user entity in accordance with ASA 315,[3] the user auditor shall obtain an understanding of how a user entity uses the services of a service organisation in the user entity’s operations, including: (Ref: Para. A1‑A2)

  1. The nature of the services provided by the service organisation and the significance of those services to the user entity, including the effect thereof on the user entity’s internal control;  (Ref: Para. A3‑A5)
  2. The nature and materiality of the transactions processed or accounts or financial reporting processes affected by the service organisation;  (Ref: Para. A6)
  3. The degree of interaction between the activities of the service organisation and those of the user entity; and  (Ref: Para. A7)
  4. The nature of the relationship between the user entity and the service organisation, including the relevant contractual terms for the activities undertaken by the service organisation.  (Ref: Para. A8‑A11)

10

When obtaining an understanding of the entity's system of internal control in accordance with ASA 315, the user auditor shall identify controls in the control activities component [4] at the user entity, from those that relate to the services provided by the service organisation, and evaluate their design and determine whether they have been implemented.[5](Ref: Para. A12‑A14)

11

The user auditor shall determine whether a sufficient understanding of the nature and significance of the services provided by the service organisation and their effect on the user entity’s system of internal control has been obtained to provide an appropriate basis for the identification and assessment of the risks of material misstatement.

12

If the user auditor is unable to obtain a sufficient understanding from the user entity, the user auditor shall obtain that understanding from one or more of the following procedures:

  1. Obtaining a type 1 or type 2 report, if available;
  2. Contacting the service organisation, through the user entity, to obtain specific information;
  3. Visiting the service organisation and performing procedures that will provide the necessary information about the relevant controls at the service organisation; or
  4. Using another auditor to perform procedures that will provide the necessary information about controls at the service organisation.  (Ref: Para. A15‑A20)

Using a Type 1 or Type 2 Report to Support the User Auditor’s Understanding of the Service Organisation

13

In determining the sufficiency and appropriateness of the audit evidence provided by a type 1 or type 2 report, the user auditor shall be satisfied as to:

  1. The service auditor’s professional competence and independence from the service organisation; and
  2. The adequacy of the standards under which the type 1 or type 2 report was issued.  (Ref: Para. A21)

14

If the user auditor plans to use a type 1 or type 2 report as audit evidence to support the user auditor’s understanding about the design and implementation of controls at the service organisation, the user auditor shall:

  1. Evaluate whether the description and design of controls at the service organisation is at a date or for a period that is appropriate for the user auditor’s purposes;
  2. Evaluate the sufficiency and appropriateness of the evidence provided by the report for the understanding of the controls at the service organisation; and
  3. Determine whether complementary user entity controls identified by the service organisation are relevant to the user entity and, if so, obtain an understanding of whether the user entity has designed and implemented such controls.  (Ref: Para. A22‑A23)

Responding to the Assessed Risks of Material Misstatement

15

In responding to assessed risks in accordance with ASA 330, the user auditor shall:

  1. Determine whether sufficient appropriate audit evidence concerning the relevant financial report assertions is available from records held at the user entity; and, if not,
  2. Perform further audit procedures to obtain sufficient appropriate audit evidence or use another auditor to perform those procedures at the service organisation on the user auditor’s behalf.  (Ref: Para. A24‑A28)

Tests of Controls

16

When the user auditor’s risk assessment includes an expectation that controls at the service organisation are operating effectively, the user auditor shall obtain audit evidence about the operating effectiveness of those controls from one or more of the following procedures:

  1. Obtaining a type 2 report, if available;
  2. Performing appropriate tests of controls at the service organisation; or
  3. Using another auditor to perform tests of controls at the service organisation on behalf of the user auditor.  (Ref: Para. A29‑A30)

Using a Type 2 Report as Audit Evidence that Controls at the Service Organisation Are Operating Effectively

17

If, in accordance with paragraph 16(a) of this Auditing Standard, the user auditor plans to use a type 2 report as audit evidence that controls at the service organisation are operating effectively, the user auditor shall determine whether the service auditor’s report provides sufficient appropriate audit evidence about the effectiveness of the controls to support the user auditor’s risk assessment by:

  1. Evaluating whether the description, design and operating effectiveness of controls at the service organisation is at a date or for a period that is appropriate for the user auditor’s purposes;
  2. Determining whether complementary user entity controls identified by the service organisation are relevant to the user entity and, if so, obtaining an understanding of whether the user entity has designed and implemented such controls and, if so, testing their operating effectiveness;
  3. Evaluating the adequacy of the time period covered by the tests of controls and the time elapsed since the performance of the tests of controls; and
  4. Evaluating whether the tests of controls performed by the service auditor and the results thereof, as described in the service auditor’s report, are relevant to the assertions in the user entity’s financial report and provide sufficient appropriate audit evidence to support the user auditor’s risk assessment.  (Ref: Para. A31‑A39)

Type 1 and Type 2 Reports that Exclude the Services of a Subservice Organisation

18

If the user auditor plans to use a type 1 or a type 2 report that excludes the services provided by a subservice organisation and those services are relevant to the audit of the user entity’s financial report, the user auditor shall apply the requirements of this Auditing Standard with respect to the services provided by the subservice organisation. (Ref: Para. A40)

Fraud, Non Compliance with Laws and Regulations and Uncorrected Misstatements in Relation to Activities at the Service Organisation

19

The user auditor shall enquire of management of the user entity whether the service organisation has reported to the user entity, or whether the user entity is otherwise aware of, any fraud, non‑compliance with laws and regulations or uncorrected misstatements affecting the financial report of the user entity. The user auditor shall evaluate how such matters affect the nature, timing and extent of the user auditor’s further audit procedures, including the effect on the user auditor’s conclusions and user auditor’s report. (Ref: Para. A41)

Reporting by the User Auditor

20

The user auditor shall modify the opinion in the user auditor’s report in accordance with ASA 705[6] if the user auditor is unable to obtain sufficient appropriate audit evidence regarding the services provided by the service organisation relevant to the audit of the user entity’s financial report. (Ref: Para. A42)

21

The user auditor shall not refer to the work of a service auditor in the user auditor’s report containing an unmodified opinion unless required by law or regulation to do so. If such reference is required by law or regulation, the user auditor’s report shall indicate that the reference does not diminish the user auditor’s responsibility for the audit opinion. (Ref: Para. A43)

22

If reference to the work of a service auditor is relevant to an understanding of a modification to the user auditor’s opinion, the user auditor’s report shall indicate that such reference does not diminish the user auditor’s responsibility for that opinion. (Ref: Para. A44)

3

See ASA 315, paragraph 19.

4

See ASA 315, paragraph 26(a).

5

See ASA 315, paragraph 26(d).

6

See ASA 705 Modifications to the Opinion in the Independent Auditor’s Report, paragraph 6.

Application and Other Explanatory Material

Obtaining an Understanding of the Services Provided by a Service Organisation, Including Internal Control

Sources of Information (Ref: Para. 9)

A1

Information on the nature of the services provided by a service organisation may be available from a wide variety of sources, such as:

  • User manuals.
  • System overviews.
  • Technical manuals.
  • The contract or service level agreement between the user entity and the service organisation. 
  • Reports by service organisations, the internal audit function or regulatory authorities on controls at the service organisation.
  • Reports by the service auditor, including management letters, if available.

A2

Knowledge obtained through the user auditor’s experience with the service organisation, for example through experience with other audit engagements, may also be helpful in obtaining an understanding of the nature of the services provided by the service organisation.  This may be particularly helpful if the services and controls at the service organisation over those services are highly standardised.

 

Nature of the Services Provided by the Service Organisation (Ref: Para. 9(a))

A3

A user entity may use a service organisation such as one that processes transactions and maintains related accountability, or records transactions and processes related data.  Service organisations that provide such services include, for example, bank trust departments that invest and service assets for employee benefit plans or for others; mortgage bankers that service mortgages for others; and application service providers that provide packaged software applications and a technology environment that enables customers to process financial and operational transactions. 

A4

Examples of service organisation services that are relevant to the audit include:

  • Maintenance of the user entity’s accounting records.
  • Management of assets.
  • Initiating, recording or processing transactions as agent of the user entity.

Considerations Specific to Smaller Entities

 

A5

Smaller entities may use external bookkeeping services ranging from the processing of certain transactions (for example, payment of payroll taxes) and maintenance of their accounting records, to the preparation of their financial report.  The use of such a service organisation for the preparation of its financial report does not relieve management of the smaller entity and, where appropriate, those charged with governance of their responsibilities for the financial report.[7]

 

Nature and Materiality of Transactions Processed by the Service Organisation (Ref: Para. 9(b))

A6

A service organisation may establish policies and procedures that affect the user entity’s internal control.  These policies and procedures are at least in part physically and operationally separate from the user entity.  The significance of the controls of the service organisation to those of the user entity depends on the nature of the services provided by the service organisation, including the nature and materiality of the transactions it processes for the user entity.  In certain situations, the transactions processed and the accounts affected by the service organisation may not appear to be material to the user entity’s financial report, but the nature of the transactions processed may be significant and the user auditor may determine that an understanding of those controls is necessary in the circumstances. 

 

The Degree of Interaction between the Activities of the Service Organisation and the User Entity (Ref: Para. 9(c))

A7

The significance of the controls of the service organisation to those of the user entity also depends on the degree of interaction between its activities and those of the user entity.  The degree of interaction refers to the extent to which a user entity is able to and elects to implement effective controls over the processing performed by the service organisation.  For example, a high degree of interaction exists between the activities of the user entity and those at the service organisation when the user entity authorises transactions and the service organisation processes and does the accounting for those transactions.  In these circumstances, it may be practicable for the user entity to implement effective controls over those transactions.  On the other hand, when the service organisation initiates or initially records, processes, and does the accounting for the user entity’s transactions, there is a lower degree of interaction between the two organisations.  In these circumstances, the user entity may be unable to, or may elect not to, implement effective controls over these transactions at the user entity and may rely on controls at the service organisation.

 

Nature of the Relationship between the User Entity and the Service Organisation (Ref: Para. 9(d))

A8

The contract or service level agreement between the user entity and the service organisation may provide for matters such as:

  • The information to be provided to the user entity and responsibilities for initiating transactions relating to the activities undertaken by the service organisation;
  • The application of requirements of regulatory bodies concerning the form of records to be maintained, or access to them;
  • The indemnification, if any, to be provided to the user entity in the event of a performance failure;
  • Whether the service organisation will provide a report on its controls and, if so, whether such report would be a type 1 or type 2 report;
  • Whether the user auditor has rights of access to the accounting records of the user entity maintained by the service organisation and other information necessary for the conduct of the audit; and
  • Whether the agreement allows for direct communication between the user auditor and the service auditor. 

A9

There is a direct relationship between the service organisation and the user entity and between the service organisation and the service auditor.  These relationships do not necessarily create a direct relationship between the user auditor and the service auditor.  When there is no direct relationship between the user auditor and the service auditor, communications between the user auditor and the service auditor are usually conducted through the user entity and the service organisation.  A direct relationship may also be created between a user auditor and a service auditor, taking into account the relevant ethical and confidentiality considerations.  A user auditor, for example, may use a service auditor to perform procedures on the user auditor’s behalf, such as:

  1. Tests of controls at the service organisation; or
  2. Substantive procedures on the user entity’s financial report transactions and balances maintained by a service organisation.

Considerations Specific to Public Sector Entities

A10

Public sector auditors generally have broad rights of access established by legislation.  However, there may be situations where such rights of access are not available, for example when the service organisation is located in a different jurisdiction.  In such cases, a public sector auditor may need to obtain an understanding of the legislation applicable in the different jurisdiction to determine whether appropriate access rights can be obtained.  A public sector auditor may also obtain or ask the user entity to incorporate rights of access in any contractual arrangements between the user entity and the service organisation. 

 

A11

Public sector auditors may also use another auditor to perform tests of controls or substantive procedures in relation to compliance with law, regulation or other authority.

Understanding the Controls Relating to Services Provided by the Service Organisation (Ref: Para. 10)

A12

The user entity may establish controls over the service organisation’s services that may be tested by the user auditor and that may enable the user auditor to conclude that the user entity’s controls are operating effectively for some or all of the related assertions, regardless of the controls in place at the service organisation.  If a user entity, for example, uses a service organisation to process its payroll transactions, the user entity may establish controls over the submission and receipt of payroll information that could prevent or detect material misstatements.  These controls may include:

  • Comparing the data submitted to the service organisation with reports of information received from the service organisation after the data has been processed.
  • Recomputing a sample of the payroll amounts for clerical accuracy and reviewing the total amount of the payroll for reasonableness.

A13

In this situation, the user auditor may perform tests of the user entity’s controls over payroll processing that would provide a basis for the user auditor to conclude that the user entity’s controls are operating effectively for the assertions related to payroll transactions. 

 

A14

As noted in ASA 315,[8] in respect of some risks, the user auditor may judge that it is not possible or practicable to obtain sufficient appropriate audit evidence only from substantive procedures.  Such risks may relate to the inaccurate or incomplete recording of routine and significant classes of transactions and account balances, the characteristics of which often permit highly automated processing with little or no manual intervention.  Such automated processing characteristics may be particularly present when the user entity uses service organisations.  In such cases, the user entity’s controls over such risks are relevant to the audit and the user auditor is required to obtain an understanding of, and to evaluate, such controls in accordance with paragraphs 9 and 10 of this Auditing Standard.

 

Further Procedures When a Sufficient Understanding Cannot Be Obtained from the User Entity (Ref: Para. 12)

A15

The user auditor’s decision as to which procedure, individually or in combination, in paragraph 12 to undertake, in order to obtain the information necessary to provide a basis for the identification and assessment of the risks of material misstatement in relation to the user entity’s use of the service organisation, may be influenced by such matters as:

  • The size of both the user entity and the service organisation;
  • The complexity of the transactions at the user entity and the complexity of the services provided by the service organisation;
  • The location of the service organisation (for example, the user auditor may decide to use another auditor to perform procedures at the service organisation on the user auditor’s behalf if the service organisation is in a remote location);
  • Whether the procedure(s) is expected to effectively provide the user auditor with sufficient appropriate audit evidence; and
  • The nature of the relationship between the user entity and the service organisation. 

A16

[Deleted by the AUASB.  Refer Aus A16.1].[9]

Aus A16.1

A service organisation may engage a service auditor to report on the description and design of its controls (type 1 report) or on the description and design of its controls and their operating effectiveness (type 2 report).

A17

The availability of a type 1 or type 2 report will generally depend on whether the contract between a service organisation and a user entity includes the provision of such a report by the service organisation.  A service organisation may also elect, for practical reasons, to make a type 1 or type 2 report available to the user entities.  However, in some cases, a type 1 or type 2 report may not be available to user entities. 

 

A18

In some circumstances, a user entity may outsource one or more significant business units or functions, such as its entire tax planning and compliance functions, or finance and accounting or the control function to one or more service organisations.  As a report on controls at the service organisation may not be available in these circumstances, visiting the service organisation may be the most effective procedure for the user auditor to gain an understanding of controls at the service organisation, as there is likely to be direct interaction of management of the user entity with management at the service organisation. 

 

A19

Another auditor may be used to perform procedures that will provide the necessary information about the relevant controls at the service organisation related to services provided to the user entity.  If a type 1 or type 2 report has been issued, the user auditor may use the service auditor to perform these procedures as the service auditor has an existing relationship with the service organisation.  The user auditor, using the work of another auditor, may find the guidance in ASA 600[10] useful as it relates to understanding another auditor (including that auditor’s independence and professional competence), involvement in the work of another auditor in planning the nature, timing and extent of such work, and in evaluating the sufficiency and appropriateness of the audit evidence obtained. 

 

A20

A user entity may use a service organisation that in turn uses a subservice organisation to provide some of the services provided to a user entity that are part of the user entity’s information system relevant to financial reporting.  The subservice organisation may be a separate entity from the service organisation or may be related to the service organisation.  A user auditor may need to consider controls at the subservice organisation.  In situations where one or more subservice organisations are used, the interaction between the activities of the user entity and those of the service organisation is expanded to include the interaction between the user entity, the service organisation and the subservice organisations.  The degree of this interaction, as well as the nature and materiality of the transactions processed by the service organisation and the subservice organisations are the most important factors for the user auditor to consider in determining the significance of the service organisation’s and subservice organisation’s controls to the user entity’s controls.

 

Using a Type 1 or Type 2 Report to Support the User Auditor’s Understanding of the Service Organisation (Ref: Para. 13‑14)

A21

The user auditor may make enquiries about the service auditor to the service auditor’s professional organisation or other practitioners and enquire whether the service auditor is subject to regulatory oversight.  The service auditor may be practicing in a jurisdiction where different standards are followed in respect of reports on controls at a service organisation, and the user auditor may obtain information about the standards used by the service auditor from the standard setting organisation

 

A22

​​​​​A type 1 or type 2 report, along with information about the user entity, may assist the user auditor in obtaining an understanding of:

  1. The aspects of controls at the service organisation that may affect the processing of the user entity’s transactions, including the use of subservice organisations;
  2. The flow of significant transactions through the service organisation to determine the points in the transaction flow where material misstatements in the user entity’s financial report could occur;
  3. The control objectives at the service organisation that are relevant to the user entity’s financial report assertions; and
  4. Whether controls at the service organisation are suitably designed and implemented to prevent or detect processing errors that could result in material misstatements in the user entity’s financial report.

A type 1 or type 2 report may assist the user auditor in obtaining a sufficient understanding to identify and assess the risks of material misstatement.  A type 1 report, however, does not provide any evidence of the operating effectiveness of the controls.

A23

A type 1 or type 2 report that is as of a date or for a period that is outside of the reporting period of a user entity may assist the user auditor in obtaining a preliminary understanding of the controls implemented at the service organisation if the report is supplemented by additional current information from other sources.  If the service organisation’s description of controls is as of a date or for a period that precedes the beginning of the period under audit, the user auditor may perform procedures to update the information in a type 1 or type 2 report, such as:

  • Discussing the changes at the service organisation with user entity personnel who would be in a position to know of such changes;
  • Reviewing current documentation and correspondence issued by the service organisation; or
  • Discussing the changes with service organisation personnel.

Responding to the Assessed Risks of Material Misstatement

(Ref: Para. 15)

A24

Whether the use of a service organisation increases a user entity’s risk of material misstatement depends on the nature of the services provided and the controls over these services; in some cases, the use of a service organisation may decrease a user entity’s risk of material misstatement, particularly if the user entity itself does not possess the expertise necessary to undertake particular activities, such as initiating, processing, and recording transactions, or does not have adequate resources (for example, an IT system). 

A25

When the service organisation maintains material elements of the accounting records of the user entity, direct access to those records may be necessary in order for the user auditor to obtain sufficient appropriate audit evidence relating to the operations of controls over those records or to substantiate transactions and balances recorded in them, or both.  Such access may involve either physical inspection of records at the service organisation’s premises or interrogation of records maintained electronically from the user entity or another location, or both.  Where direct access is achieved electronically, the user auditor may thereby obtain evidence as to the adequacy of controls operated by the service organisation over the completeness and integrity of the user entity’s data for which the service organisation is responsible. 

 

A26

In determining the nature and extent of audit evidence to be obtained in relation to balances representing assets held or transactions undertaken by a service organisation on behalf of the user entity, the following procedures may be considered by the user auditor:

  1. Inspecting records and documents held by the user entity: the reliability of this source of evidence is determined by the nature and extent of the accounting records and supporting documentation retained by the user entity.  In some cases, the user entity may not maintain independent detailed records or documentation of specific transactions undertaken on its behalf. 
  2. Inspecting records and documents held by the service organisation: the user auditor’s access to the records of the service organisation may be established as part of the contractual arrangements between the user entity and the service organisation.  The user auditor may also use another auditor, on its behalf, to gain access to the user entity’s records maintained by the service organisation.
  3. Obtaining confirmations of balances and transactions from the service organisation: where the user entity maintains independent records of balances and transactions, confirmation from the service organisation corroborating the user entity’s records may constitute reliable audit evidence concerning the existence of the transactions and assets concerned.  For example, when multiple service organisations are used, such as an investment manager and a custodian, and these service organisations maintain independent records, the user auditor may confirm balances with these organisations in order to compare this information with the independent records of the user entity.  If the user entity does not maintain independent records, information obtained in confirmations from the service organisation is merely a statement of what is reflected in the records maintained by the service organisation.  Therefore, such confirmations do not, taken alone, constitute reliable audit evidence.  In these circumstances, the user auditor may consider whether an alternative source of independent evidence can be identified.
  4. Performing analytical procedures on the records maintained by the user entity or on the reports received from the service organisation: the effectiveness of analytical procedures is likely to vary by assertion and will be affected by the extent and detail of information available.

A27

Another auditor may perform procedures that are substantive in nature for the benefit of user auditors.  Such an engagement may involve the performance, by another auditor, of procedures agreed upon by the user entity and its user auditor and by the service organisation and its service auditor.  The findings resulting from the procedures performed by another auditor are reviewed by the user auditor to determine whether they constitute sufficient appropriate audit evidence.  In addition, there may be requirements imposed by governmental authorities or through contractual arrangements whereby a service auditor performs designated procedures that are substantive in nature.  The results of the application of the required procedures to balances and transactions processed by the service organisation may be used by user auditors as part of the evidence necessary to support their audit opinions.  In these circumstances, it may be useful for the user auditor and the service auditor to agree, prior to the performance of the procedures, to the audit documentation or access to audit documentation that will be provided to the user auditor.

A28

In certain circumstances, in particular when a user entity outsources some or all of its finance function to a service organisation, the user auditor may face a situation where a significant portion of the audit evidence resides at the service organisation.  Substantive procedures may need to be performed at the service organisation by the user auditor or another auditor on its behalf.  A service auditor may provide a type 2 report and, in addition, may perform substantive procedures on behalf of the user auditor.  The involvement of another auditor does not alter the user auditor’s responsibility to obtain sufficient appropriate audit evidence to afford a reasonable basis to support the user auditor’s opinion.  Accordingly, the user auditor’s consideration of whether sufficient appropriate audit evidence has been obtained and whether the user auditor needs to perform further substantive procedures includes the user auditor’s involvement with, or evidence of, the direction, supervision and performance of the substantive procedures performed by another auditor. 

Tests of Controls (Ref: Para. 16)

A29

The user auditor is required by ASA 330[11] to design and perform tests of controls to obtain sufficient appropriate audit evidence as to the operating effectiveness of controls in certain circumstances.  In the context of a service organisation, this requirement applies when:

  1. The user auditor’s assessment of risks of material misstatement includes an expectation that the controls at the service organisation are operating effectively (that is, the user auditor intends to rely on the operating effectiveness of controls at the service organisation in determining the nature, timing and extent of substantive procedures); or
  2. Substantive procedures alone, or in combination with tests of the operating effectiveness of controls at the user entity, cannot provide sufficient appropriate audit evidence at the assertion level.

A30

If a type 2 report is not available, a user auditor may contact the service organisation, through the user entity, to request that a service auditor be engaged to provide a type 2 report that includes tests of the operating effectiveness of the controls or the user auditor may use another auditor to perform procedures at the service organisation that test the operating effectiveness of those controls.  A user auditor may also visit the service organisation and perform tests of controls if the service organisation agrees to it.  The user auditor’s risk assessments are based on the combined evidence provided by the work of another auditor and the user auditor’s own procedures.

 

Using a Type 2 Report as Audit Evidence that Controls at the Service Organisation Are Operating Effectively (Ref: Para. 17

A31

A type 2 report may be intended to satisfy the needs of several different user auditors; therefore tests of controls and results described in the service auditor’s report may not be relevant to assertions that are significant in the user entity’s financial report.  The relevant tests of controls and results are evaluated to determine that the service auditor’s report provides sufficient appropriate audit evidence about the effectiveness of the controls to support the user auditor’s risk assessment.  In doing so, the user auditor may consider the following factors:

  1. The time period covered by the tests of controls and the time elapsed since the performance of the tests of controls;
  2. The scope of the service auditor’s work and the services and processes covered, the controls tested and tests that were performed, and the way in which tested controls relate to the user entity’s controls; and
  3. The results of those tests of controls and the service auditor’s opinion on the operating effectiveness of the controls.

A32

For certain assertions, the shorter the period covered by a specific test and the longer the time elapsed since the performance of the test, the less audit evidence the test may provide.  In comparing the period covered by the type 2 report to the user entity’s financial reporting period, the user auditor may conclude that the type 2 report offers less audit evidence if there is little overlap between the period covered by the type 2 report and the period for which the user auditor intends to rely on the report.  When this is the case, a type 2 report covering a preceding or subsequent period may provide additional audit evidence.  In other cases, the user auditor may determine it is necessary to perform, or use another auditor to perform, tests of controls at the service organisation in order to obtain sufficient appropriate audit evidence about the operating effectiveness of those controls.

 

A33

It may also be necessary for the user auditor to obtain additional evidence about significant changes to the controls at the service organisation outside of the period covered by the type 2 report or determine additional audit procedures to be performed.  Relevant factors in determining what additional audit evidence to obtain about controls at the service organisation that were operating outside of the period covered by the service auditor’s report may include:

  • The significance of the assessed risks of material misstatement at the assertion level;
  • The specific controls that were tested during the interim period, and significant changes to them since they were tested, including changes in the information system, processes, and personnel;
  • The degree to which audit evidence about the operating effectiveness of those controls was obtained;
  • The length of the remaining period;
  • The extent to which the user auditor intends to reduce further substantive procedures based on the reliance on controls; and
  • The effectiveness of the control environment and the user entity's process to monitor the system of internal control.

A34

Additional audit evidence may be obtained, for example, by extending tests of controls over the remaining period or testing the user entity’s process to monitor the system of internal control.

A35

If the service auditor’s testing period is completely outside the user entity’s financial reporting period, the user auditor will be unable to rely on such tests for the user auditor to conclude that the user entity’s controls are operating effectively because they do not provide current audit period evidence of the effectiveness of the controls, unless other procedures are performed. 

A36

In certain circumstances, a service provided by the service organisation may be designed with the assumption that certain controls will be implemented by the user entity.  For example, the service may be designed with the assumption that the user entity will have controls in place for authorising transactions before they are sent to the service organisation for processing.  In such a situation, the service organisation’s description of controls may include a description of those complementary user entity controls.  The user auditor considers whether those complementary user entity controls are relevant to the service provided to the user entity. 

 

A37

If the user auditor believes that the service auditor’s report may not provide sufficient appropriate audit evidence, for example, if a service auditor’s report does not contain a description of the service auditor’s tests of controls and results thereon, the user auditor may supplement the understanding of the service auditor’s procedures and conclusions by contacting the service organisation, through the user entity, to request a discussion with the service auditor about the scope and results of the service auditor’s work.  Also, if the user auditor believes it is necessary, the user auditor may contact the service organisation, through the user entity, to request that the service auditor perform procedures at the service organisation.  Alternatively, the user auditor, or another auditor at the request of the user auditor, may perform such procedures.

 

A38

The service auditor’s type 2 report identifies results of tests, including exceptions and other information that could affect the user auditor’s conclusions.  Exceptions noted by the service auditor or a modified opinion in the service auditor’s type 2 report do not automatically mean that the service auditor’s type 2 report will not be useful for the audit of the user entity’s financial report in assessing the risks of material misstatement.  Rather, the exceptions and the matter giving rise to a modified opinion in the service auditor’s type 2 report are considered in the user auditor’s assessment of the testing of controls performed by the service auditor.  In considering the exceptions and matters giving rise to a modified opinion, the user auditor may discuss such matters with the service auditor.  Such communication is dependent upon the user entity contacting the service organisation, and obtaining the service organisation’s approval for the communication to take place.

 

Communication of deficiencies in internal control identified during the audit

A39

The user auditor is required to communicate in writing significant deficiencies identified during the audit to both management and those charged with governance on a timely basis.[12]  The user auditor is also required to communicate to management at an appropriate level of responsibility on a timely basis other deficiencies in internal control identified during the audit that, in the user auditor’s professional judgement, are of sufficient importance to merit management’s attention.[13]  Matters that the user auditor may identify during the audit and may communicate to management and those charged with governance of the user entity include:

  • Any controls within the entity's process to monitor the system of internal control that could be implemented by the user entity, including those identified as a result of obtaining a type 1 or type 2 report;
  • Instances where complementary user entity controls are noted in the type 1 or type 2 report and are not implemented at the user entity; and
  • Controls that may be needed at the service organisation that do not appear to have been implemented or that are not specifically covered by a type 2 report.

Type 1 and Type 2 Reports that Exclude the Services of a Subservice Organisation

(Ref: Para. 18)

A40

If a service organisation uses a subservice organisation, the service auditor’s report may either include or exclude the subservice organisation’s relevant control objectives and related controls in the service organisation’s description of its system and in the scope of the service auditor’s engagement.  These two methods of reporting are known as the inclusive method and the carve‑out method, respectively.  If the type 1 or type 2 report excludes the controls at a subservice organisation, and the services provided by the subservice organisation are relevant to the audit of the user entity’s financial report, the user auditor is required to apply the requirements of this Auditing Standard in respect of the subservice organisation.  The nature and extent of work to be performed by the user auditor regarding the services provided by a subservice organisation depend on the nature and significance of those services to the user entity and the relevance of those services to the audit.  The application of the requirement in paragraph 9 assists the user auditor in determining the effect of the subservice organisation and the nature and extent of work to be performed.

 

Fraud, Non Compliance with Laws and Regulations and Uncorrected Misstatements in Relation to Activities at the Service Organisation

(Ref: Para. 19)

A41

A service organisation may be required under the terms of the contract with user entities to disclose to affected user entities any fraud, non‑compliance with laws and regulations or uncorrected misstatements attributable to the service organisation’s management or employees.  As required by paragraph 19, the user auditor makes enquiries of the user entity management regarding whether the service organisation has reported any such matters and evaluates whether any matters reported by the service organisation affect the nature, timing and extent of the user auditor’s further audit procedures.  In certain circumstances, the user auditor may require additional information to perform this evaluation, and may request the user entity to contact the service organisation to obtain the necessary information.

 

Reporting by the User Auditor

(Ref: Para. 20)

A42

When a user auditor is unable to obtain sufficient appropriate audit evidence regarding the services provided by the service organisation relevant to the audit of the user entity’s financial report, a limitation on the scope of the audit exists.  This may be the case when:

  • The user auditor is unable to obtain a sufficient understanding of the services provided by the service organisation and does not have a basis for the identification and assessment of the risks of material misstatement;
  • A user auditor’s risk assessment includes an expectation that controls at the service organisation are operating effectively and the user auditor is unable to obtain sufficient appropriate audit evidence about the operating effectiveness of these controls; or
  • Sufficient appropriate audit evidence is only available from records held at the service organisation, and the user auditor is unable to obtain direct access to these records. 

Whether the user auditor expresses a qualified opinion or disclaims an opinion depends on the user auditor’s conclusion as to whether the possible effects on the financial report are material or pervasive. 

Reference to the Work of a Service Auditor (Ref: Para. 21‑22)

A43

In some cases, law or regulation may require a reference to the work of a service auditor in the user auditor’s report, for example, for the purposes of transparency in the public sector.  In such circumstances, the user auditor may need the consent of the service auditor before making such a reference.

 

A44

The fact that a user entity uses a service organisation does not alter the user auditor’s responsibility under the Australian Auditing Standards to obtain sufficient appropriate audit evidence to afford a reasonable basis to support the user auditor’s opinion.  Therefore, the user auditor does not make reference to the service auditor’s report as a basis, in part, for the user auditor’s opinion on the user entity’s financial report.  However, when the user auditor expresses a modified opinion because of a modified opinion in a service auditor’s report, the user auditor is not precluded from referring to the service auditor’s report if such reference assists in explaining the reason for the user auditor’s modified opinion.  In such circumstances, the user auditor may need the consent of the service auditor before making such a reference. 

7

See ASA 200 Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance with Australian Auditing Standards, paragraphs 4 and A2-A3.

8

See ASA 315, paragraph 26(a)(iii).

9

[Footnote deleted by the AUASB. Refer Aus A16.1]

10

See ASA 600 Special Considerations—Audits of a Group Financial Report (Including the Work of Component Auditors), paragraphs 2 and 19.

11

See ASA 330, paragraph 8.

12

See ASA 265 Communicating Deficiencies in Internal Control to Those Charged with Governance and Management, paragraphs 9-10.

13

See ASA 265, paragraph 10.

Top of Page