This Auditing Standard deals with the user auditor’s responsibility to obtain sufficient appropriate audit evidence when a user entity uses the services of one or more service organisations.  Specifically, it expands on how the user auditor applies ASA 315^[1] and ASA 330^[2] in obtaining an understanding of the user entity, including internal control relevant to the audit, sufficient to identify and assess the risks of material misstatement and in designing and performing further audit procedures responsive to those risks. 

Many entities outsource aspects of their business to organisations that provide services ranging from performing a specific task under the direction of an entity to replacing an entity’s entire business units or functions, such as the tax compliance function.  Many of the services provided by such organisations are integral to the entity’s business operations; however, not all those services are relevant to the audit.

Services provided by a service organisation are relevant to the audit of a user entity’s financial report when those services, and the controls over them, are part of the user entity’s information system, including related business processes, relevant to financial reporting.  Although most controls at the service organisation are likely to relate to financial reporting, there may be other controls that may also be relevant to the audit, such as controls over the safeguarding of assets.  A service organisation’s services are part of a user entity’s information system, including related business processes, relevant to financial reporting if these services affect any of the following:

1. The classes of transactions in the user entity’s operations that are significant to the user entity’s financial report;
2. The procedures, within both information technology (IT) and manual systems, by which the user entity’s transactions are initiated, recorded, processed, corrected as necessary, transferred to the general ledger and reported in the financial report;
3. The related accounting records, either in electronic or manual form, supporting information and specific accounts in the user entity’s financial report that are used to initiate, record, process and report the user entity’s transactions; this includes the correction of incorrect information and how information is transferred to the general ledger;
4. How the user entity’s information system captures events and conditions, other than transactions, that are significant to the financial report;
5. The financial reporting process used to prepare the user entity’s financial report, including significant accounting estimates and disclosures; and
6. Controls surrounding journal entries, including non‑standard journal entries used to record non‑recurring, unusual transactions or adjustments.

The nature and extent of work to be performed by the user auditor regarding the services provided by a service organisation depend on the nature and significance of those services to the user entity and the relevance of those services to the audit.

This Auditing Standard does not apply to services provided by financial institutions that are limited to processing, for an entity’s account held at the financial institution, transactions that are specifically authorised by the entity, such as the processing of cheque account transactions by a bank or the processing of securities transactions by a broker.  In addition, this Auditing Standard does not apply to the audit of transactions arising from proprietary financial interests in other entities, such as partnerships, corporations and joint ventures, when proprietary interests are accounted for and reported to interest holders.

An auditor appointed to provide an opinion on an entity’s financial report may also have additional statutory or regulatory responsibilities, which may be affected by the entity’s use of a service organisation.  For example, sections 307(c) and 307(d) of the Corporations Act 2001(the Act) require the auditor to form an opinion on whether the entity has kept proper financial records, and other records and registers as required by that Act.

[Deleted by the AUASB.  Refer Aus 0.3]