This Auditing Standard deals with the user auditor’s responsibility to obtain sufficient appropriate audit evidence when a user entity uses the services of one or more service organisations.  Specifically, it expands on how the user auditor applies ASA 315^[1] and ASA 330^[2] in obtaining an understanding of the user entity, including the entity's system of internal control relevant to the preparation of the financial report, sufficient to identify and assess the risks of material misstatement and in designing and performing further audit procedures responsive to those risks. 

Many entities outsource aspects of their business to organisations that provide services ranging from performing a specific task under the direction of an entity to replacing an entity’s entire business units or functions, such as the tax compliance function.  Many of the services provided by such organisations are integral to the entity’s business operations; however, not all those services are relevant to the audit.

Services provided by a service organisation are relevant to the audit of a user entity’s financial report when those services, and the controls over them, are part of the user entity’s information system, relevant to the preparation of the financial report. Most controls at the service organisation are likely to be part of the user entity’s information system relevant to the preparation of the financial report, or related controls, such as controls over the safeguarding of assets. A service organisation’s services are part of a user entity’s information system, if these services affect any of the following:

1. How information relating to significant classes of transactions, account balances and disclosures flows through the user entity’s information system, whether manually or using IT, and whether obtained from within or outside the general ledger and subsidiary ledgers. This includes when the service organisation’s services affect how:
   1. Transactions of the user entity are initiated, and how information about them is recorded, processed, corrected as necessary, and incorporated in the general ledger and reported in the financial report; and
   2. Information about events or conditions, other than transactions, is captured, processed and disclosed by the user entity in the financial report.
2. The accounting records, specific accounts in the user entity’s financial report and other supporting records relating to the flows of information in paragraph 3(a);
3. The financial reporting process used to prepare the user entity’s financial report from the records described in paragraph 3(b), including as it relates to disclosures and to accounting estimates relating to significant classes of transactions, account balances and disclosures; and
4. The entity’s IT environment relevant to (a) to (c) above.

The nature and extent of work to be performed by the user auditor regarding the services provided by a service organisation depend on the nature and significance of those services to the user entity and the relevance of those services to the audit.

This Auditing Standard does not apply to services provided by financial institutions that are limited to processing, for an entity’s account held at the financial institution, transactions that are specifically authorised by the entity, such as the processing of cheque account transactions by a bank or the processing of securities transactions by a broker.  In addition, this Auditing Standard does not apply to the audit of transactions arising from proprietary financial interests in other entities, such as partnerships, corporations and joint ventures, when proprietary interests are accounted for and reported to interest holders.

An auditor appointed to provide an opinion on an entity’s financial report may also have additional statutory or regulatory responsibilities, which may be affected by the entity’s use of a service organisation.  For example, sections 307(c) and 307(d) of the Corporations Act 2001(the Act) require the auditor to form an opinion on whether the entity has kept proper financial records, and other records and registers as required by that Act.

[Deleted by the AUASB.  Refer Aus 0.3]