A Guidance for the User Auditor

20

The use of a service organisation for the provision of investment management services by a user entity does not alter the overall objective of the audit of the user entity’s financial report; therefore, it remains the responsibility of the user auditor to obtain sufficient appropriate audit evidence to support the auditor’s opinion. The requirements of the Auditing Standards relating to obtaining sufficient appropriate evidence on which to form an opinion are the same as would apply if the records and supporting documentation were maintained by the user entity.

Using a Type 1 or Type 2 Report on Controls

21

ASA 402 provides requirements for the user auditor in obtaining an understanding of the user entity and its environment when the user entity uses the services of a service organisation and states that a type 1 or 2 report may be used to obtain that understanding, if the user auditor is unable to obtain a sufficient understanding from the user entity. The user auditor is required to determine whether the type 1 or 2 report provides sufficient appropriate audit evidence to support the user auditor’s understanding of the design and implementation of controls at the service organisation.[17]

[17] See ASA 402, paragraphs 9-14.

22

A type 1 report cannot be relied upon to reduce the level of substantive procedures conducted by the user auditor, as it does not provide any evidence of the operating effectiveness of the controls reported upon. Consequently, the usefulness of a type 1 report to a user auditor is limited to planning the audit, assessing the risk of material misstatement and designing further audit procedures.

23

When the user auditor’s risk assessment includes an expectation that controls at the service organisation are operating effectively, ASA 402 requires the user auditor to obtain evidence about the operating effectiveness of those controls, which may be obtained from a type 2 report.[18] Type 2 reports are prepared for the purposes of multiple user entities, not specifically for the purposes of any individual user auditor, so the user auditor is required to determine the sufficiency and appropriateness of the audit evidence provided by that report in accordance with ASA 402.[19]

[18] See ASA 402, paragraph 16.

[19] See ASA 402, paragraph 17.

24

Whilst the user auditor makes their own assessment of the relevance of the service auditor’s tests of controls to the assertions in the user entity’s financial report, when investment management services are provided, the user auditor can reasonably expect:

  1. each of the control objectives specified in this Guidance Statement[20] for the relevant investment management service/s to be addressed in the service organisation’s description of its system and assertion;
  2. the related controls identified to be reported on by the service auditor; and
  3. adequate justification to be provided by the service organisation for any control objectives for which no related controls are identified.

[20] See Appendix 3 of this Guidance Statement.

25

When the service organisation reports against the minimum control objectives provided in this Guidance Statement, it assists the user auditor to:

  • Compare directly the controls in place at different service organisations providing the same investment management services.
  • Collate the results of the controls tested where multiple service organisations are used to provide the same service.
  • Identify omissions in the user entity’s description of the system or gaps in the system of control over the relevant investment management services.

26

If the controls report is prepared by a service auditor practising in another jurisdiction, the report may not address the minimum control objectives in this Guidance Statement for the investment management services provided. Nevertheless, the report may still provide useful audit evidence. In assessing the sufficiency and appropriateness of the evidence that the controls report provides, in addition to consideration of the matters required in ASA 402,[21] the user auditor may use the minimum control objectives as a means of assessing the suitability of the control objectives used as criteria in the controls report provided.

[21] See ASA 402, paragraphs 13 and A21.

27

When assessing the sufficiency and appropriateness of the evidence provided by a type 2 report, ASA 402[22] requires the user auditor to evaluate the adequacy of the time period covered and the time elapsed since performance of the tests of controls. Whilst the longer the time elapsed since the performance of the tests, the less evidence the test may provide, it is necessary for the type 2 report to be available with sufficient time for the user auditor to use the evidence it contains prior to completion of the user entity’s audit. It may be necessary for the user auditor to conduct further procedures in response to a modified opinion or deviations reported in the results of the tests performed. Consequently, a type 2 report issued for a time period ending prior to the user entity’s period end may be more useful for the user auditor, even if the user auditor needs to obtain additional evidence about the operation of controls in the intervening period.

[22] See ASA 402, paragraphs 17(c) and A32.

28

When the service organisation has used a subservice organisation in providing investment management services to the user entity and those services are excluded from the type 1 or 2 report, ASA 402 requires the user auditor, if those services are relevant to the audit of the user entity, to apply the requirements of ASA 402 with respect to the services of the subservice organisation.[23]

[23] See ASA 402, paragraph 18.

29

If a type 2 report provides the user auditor with sufficient appropriate audit evidence as to the reliability of controls over the investment management services provided by the service organisation to the user entity, it will enable the user auditor to reduce the extent of substantive testing that might otherwise have been necessary with respect to the balances or transactions subject to those services.

30

A type 2 report is not necessary if the user auditor concludes that the risk of material misstatement will not be affected by the controls at the service organisation or that it is more appropriate to gather the evidence required by alternative procedures. These alternative procedures may include obtaining a service auditor’s report on financial information.

Using a Service Auditor’s Report on Financial Information

31

In responding to the assessed risks of material misstatement, if sufficient appropriate audit evidence is not available from records held at the user entity, ASA 402 requires the user auditor to perform further audit procedures or use another auditor to perform those procedures at the service organisation.[24] Whilst the user auditor may be able to rely on a type 2 report as audit evidence of the operating effectiveness of controls to mitigate identified risks of material misstatement, a type 2 report alone cannot provide sufficient appropriate audit evidence with respect to material balances or classes of transactions of the user entity. ASA 330 requires the user auditor to design and perform substantive procedures for each material class of transactions, account balance and disclosure.

[24] See ASA 402, paragraph 15.

32

Service organisations which provide investment management services may provide the user entity with a single financial statement regarding financial information of the user entity (“Statement”) periodically in accordance with either a general purpose framework or special purpose framework.[25] Examples of a Statement include: a portfolio valuation report, a financial report or a component of a financial report. The requirements of the applicable financial reporting framework determine the form and content of the Statement. An unaudited Statement is an unverified source of evidence, which is a representation not independent from the user entity. If the financial report of the user entity has been prepared using unaudited financial information obtained from the service organisation, such information may not constitute sufficient appropriate audit evidence on which the user auditor could form an opinion.

[25] See ASA 700 Forming an Opinion and Reporting on a Financial Report for the definition of general purpose framework and ASA 800 for the definition of special purpose framework.

33

The user auditor’s procedures at the user entity with respect to the balances and transactions relating to the services provided by the service organisation are usually limited to:

  • A review of the contract or service level agreement between the user entity and the service organisation so as to understand the rights and obligations of each party.
  • A review and evaluation of the monitoring controls exercised by the user entity over the service organisation.
  • A review of representations given by the service organisation concerning the user entity’s balances or transactions.
  • Verification of the receipt of income from the service organisation (if not re-invested).
  • Analytical procedures on the financial information supplied by the service organisation.
  • A review of the most recent audited financial report of the service organisation.

These procedures alone, or even in combination with a type 1 or 2 report on controls over the relevant investment management services, may not generate sufficient appropriate audit evidence.

34

The user auditor exercises professional judgement to determine whether the results of procedures conducted at the user entity as described in paragraph 33 of this Guidance Statement, considered alone or in combination with a type 1 or 2 report, provide sufficient appropriate evidence on which to form an audit opinion. If the user auditor requires further audit evidence, which the user auditor believes to be held at the service organisation, the user auditor either:

  1. obtains a service auditor’s report on financial information; or
  2. gains access to the records and other information relating to the user entity in the possession of the service organisation.

35

Individual circumstances determine whether a service auditor’s report on financial information is the more effective or efficient method of obtaining the audit evidence required by the user auditor. If the user auditor is able to specify whether the service auditor prepares a service auditor’s report on specified assertions or on a Statement, the user auditor must exercise professional judgement to make this determination in the particular circumstances of the engagement.

36

A service auditor’s report on a Statement, as defined in paragraph 7(b)(ii) of this Guidance Statement, may be the most effective way to obtain sufficient appropriate audit evidence for all assertions regarding the user entity’s balances or transactions contained in the Statement provided by the service organisation. This type of report may also be required by the user auditor if there is a potential or identified significant deficiency in the service organisation’s controls, or there are material errors identified in the service organisation’s reports.

37

The user auditor may be able to obtain sufficient appropriate audit evidence only for certain assertions relating to the user entity’s balances or transactions contained in the Statement from information available from the user entity's records and from audit procedures performed thereon by the user auditor. For the remaining assertions, a service auditor’s report on specified assertions, as defined in paragraph 7(b)(i) of this Guidance Statement, could provide the audit evidence required. This may include any of the assertions identified in ASA 315, which are:

  1. for classes of transactions and events for the period under audit: occurrence, completeness, accuracy, cut-off and classification;
  2. for account balances at the period end: existence, rights and obligations, completeness, valuation and allocation; and
  3. for presentation and disclosure: occurrence and rights and obligations, completeness, classification and understandability, and accuracy and valuation.

In many circumstances, the use of a service auditor’s report on specified assertions in conjunction with a type 2 report provides the user auditor with sufficient appropriate audit evidence concerning the balances or transactions reported in the Statement.

38

In evaluating the audit evidence provided by a service auditor’s report on financial information, the user auditor considers:

  1. the professional competence of the service auditor in the context of the assignment conducted;
  2. the sufficiency and appropriateness of the evidence, whether on its own or in conjunction with a type 1 or 2 report, provided by the service auditor’s report on financial information regarding the assertions on which evidence is required;
  3. the impact of any modification to the service auditor’s report on financial information on the sufficiency and appropriateness of the evidence provided by the report;
  4. the effect of any uncorrected misstatements reported by the service auditor in an attachment to their report, as described in paragraph 89 of this Guidance Statement; and
  5. the effect of any other matters, including significant deficiencies in internal control, significant findings from the audit, or fraud identified during the audit or reported by the service organisation to the user entity.

Materiality for Service Auditor’s Reports on Financial Information

39

Paragraphs 84 to 85 of this Guidance Statement provide an appropriate basis for the service auditor to determine materiality for auditing specified assertions or a Statement. The user auditor, in determining performance materiality under Auditing Standard ASA 320[26] for the classes of transactions, account balances or disclosures affected by the services of the service organisation, may determine that the performance materiality level which would be determined by the service auditor in applying this Guidance Statement is not suitable for the purposes of the audit of the user entity’s financial report. In these circumstances, the user auditor may request that an alternative benchmark and/or percentage is used by the service auditor to determine performance materiality. The manner in which such a request is ordinarily communicated is discussed in paragraphs 42 and 44 of this Guidance Statement.

[26] See ASA 320 Materiality in Planning and Performing an Audit.

40

The user auditor makes the user auditor’s own assessment of the materiality of any uncorrected misstatements communicated by the service auditor in the attachment, if any, to the service auditor’s report on financial information, as described in paragraph 89 of this Guidance Statement.

Communicating with the Service Auditor

41

ASA 402 requires the user auditor to obtain an understanding of the nature of the relationship between the user entity and the service organisation, including the relevant contractual terms for the activities undertaken by the service organisation. The contract or service level agreement may specify whether:[27]

  1. a type 1 or 2 report on controls will be provided;
  2. the user auditor will have access to the accounting records of the user entity maintained by the service organisation and other information relevant to the audit; and
  3. the agreement allows for direct communication between the user auditor and service auditor.

[27] See ASA 402, paragraphs 9(d) and A8.

42

If there is no direct relationship between the user auditor and the service auditor, communication is conducted through the user entity and service organisation. This is often the case when using a report on controls as there may be multiple user entities for which the report is provided. In considering the reliability of the information to be used as audit evidence,[28] if a report on controls is provided indirectly through the user entity and service organisation, the user auditor remains alert to fraud risk factors in the context of establishing the report’s authenticity.

[28] See ASA 500 Audit Evidence.

43

The user auditor may engage the service auditor directly, subject to relevant ethical and confidentiality considerations, to provide a report on financial information of the user entity maintained by the service organisation.[29]

[29] See ASA 402, paragraph A9.

44

The user auditor’s engagement letter may provide for the user entity to obtain from the service organisation, where possible, a type 1 or 2 report, a service auditor’s report on financial information or agreement to direct communication between the user auditor and the service auditor.

Communicating With Those Charged With Governance of the User Entity

45

The user auditor is required under the Australian Auditing Standards to communicate any of the following matters identified to those charged with governance of the user entity on a timely basis:

  1. significant deficiencies in internal control identified during the audit;[30]
  2. significant findings from the audit;[31]
  3. uncorrected misstatements and the effect they, individually or in aggregate, may have on the opinion in the auditor’s report;[32] and
  4. fraud, identified or suspected, involving management, employees who have significant roles in internal control or others where the fraud results in a material misstatement, as well as any other matters related to fraud that are relevant to their responsibilities.[33]

[30] See ASA 265 Communicating Deficiencies in Internal Control to Those Charged with Governance and Management.

[31] See ASA 260 Communication with Those Charged with Governance.

[32] See ASA 450 Evaluation of Misstatements Identified during the Audit.

[33] See ASA 240 The Auditor’s Responsibilities Relating to Fraud in an Audit of a Financial Report.

46

In determining whether there are any matters which the user auditor needs to report to those charged with governance of the user entity, as outlined in paragraph 45 of this Guidance Statement, with respect to the investment management services provided by the service organisation, the user auditor’s procedures may include:

  • A review of documentation and correspondence at the user entity regarding oversight and monitoring of the performance of the contract and/or service level agreement by the service organisation.
  • Enquiries of those charged with governance, management or others within the user entity regarding whether any matters reported to those charged with governance of the service organisation, which may affect one or more user entities, have been reported by the service organisation to the user entity.
  • Identification of any deviations reported by the service auditor in the type 1 or 2 report and evaluation of whether those deviations represent significant deficiencies in the user entity’s internal control.
  • Enquiries regarding the reasons for any modification to the service auditor’s type 1 or 2 report or report on financial information.
  • Identification of any uncorrected misstatements reported by the service auditor, in an attachment to the service auditor’s report on financial information as described in paragraph 89 of this Guidance Statement.

47

If a type 1 or 2 controls report is available, ASA 402 requires the user auditor to enquire of management of the user entity whether the service organisation has reported to the user entity, or the user entity is aware of, any fraud, non-compliance with laws and regulations or uncorrected misstatements affecting the financial report of the user entity. These matters of governance interest may be communicated to the user entity by the service organisation, otherwise the service auditor is required to take appropriate action, which may include communication of such matters directly to the user entity. The service auditor may become aware of such matters as a result of the written representations which it is required to obtain from the service organisation. In addition, a service organisation may be required under the contract or service level agreement with the user entity to disclose matters, including those listed in paragraph 45 of this Guidance Statement, that may affect the user entity. The user auditor evaluates the effect of any matters reported on the nature, timing and extent of further audit procedures.[34]

[34] See ASA 402, paragraphs 19 and A41, and ASAE 3402, paragraphs 38 and 56.

48

Where the user auditor does not have sufficient information regarding the matters of governance interest to fulfil the user auditor’s responsibility, as outlined in paragraph 45 of this Guidance Statement, the user auditor may request further information to be provided. Whilst this information may be provided by the service auditor, the request is ordinarily made through the user entity.

Reporting by the User Auditor

49

If the user auditor concludes that the user entity’s financial report contains material misstatements with respect to the services provided by the service organisation or that the user auditor is unable to obtain sufficient appropriate audit evidence regarding the services provided by the service organisation relevant to the audit to form an opinion, Auditing Standard ASA 705 requires the user auditor to modify their opinion on the user entity’s financial report.[35]

[35] See ASA 705 Modifications to the Opinion in the Independent Auditor’s Report and ASA 402, paragraph 20.

50

In accordance with ASA 402,[36] when using a type 1 or 2 report on controls, and Auditing Standards ASA 600 and ASA 620,[37] when using a service auditor’s report on financial information, the user auditor does not refer to the work of a service auditor in the user auditor’s report, unless required to do so by law or regulation or if it is relevant to understanding a modification to the user auditor’s opinion.

[36] See ASA 402, paragraphs 21 and 22.

[37] See ASA 600 Special Considerations—Audits of a Group Financial Report (Including the Work of Component Auditors) and ASA 620 Using the Work of an Auditor’s Expert.