When obtaining an understanding of the user entity in accordance with ASA 315,^[3] the user auditor shall obtain an understanding of how a user entity uses the services of a service organisation in the user entity’s operations, including: (Ref: Para. A1‑A2)

1. The nature of the services provided by the service organisation and the significance of those services to the user entity, including the effect thereof on the user entity’s internal control;  (Ref: Para. A3‑A5)
2. The nature and materiality of the transactions processed or accounts or financial reporting processes affected by the service organisation;  (Ref: Para. A6)
3. The degree of interaction between the activities of the service organisation and those of the user entity; and  (Ref: Para. A7)
4. The nature of the relationship between the user entity and the service organisation, including the relevant contractual terms for the activities undertaken by the service organisation.  (Ref: Para. A8‑A11)

When obtaining an understanding of the entity's system of internal control in accordance with ASA 315, the user auditor shall identify controls in the control activities component ^[4] at the user entity, from those that relate to the services provided by the service organisation, and evaluate their design and determine whether they have been implemented.^[5](Ref: Para. A12‑A14)

The user auditor shall determine whether a sufficient understanding of the nature and significance of the services provided by the service organisation and their effect on the user entity’s system of internal control has been obtained to provide an appropriate basis for the identification and assessment of the risks of material misstatement.

If the user auditor is unable to obtain a sufficient understanding from the user entity, the user auditor shall obtain that understanding from one or more of the following procedures:

1. Obtaining a type 1 or type 2 report, if available;
2. Contacting the service organisation, through the user entity, to obtain specific information;
3. Visiting the service organisation and performing procedures that will provide the necessary information about the relevant controls at the service organisation; or
4. Using another auditor to perform procedures that will provide the necessary information about controls at the service organisation.  (Ref: Para. A15‑A20)

Using a Type 1 or Type 2 Report to Support the User Auditor’s Understanding of the Service Organisation

In determining the sufficiency and appropriateness of the audit evidence provided by a type 1 or type 2 report, the user auditor shall be satisfied as to:

1. The service auditor’s professional competence and independence from the service organisation; and
2. The adequacy of the standards under which the type 1 or type 2 report was issued.  (Ref: Para. A21)

If the user auditor plans to use a type 1 or type 2 report as audit evidence to support the user auditor’s understanding about the design and implementation of controls at the service organisation, the user auditor shall:

1. Evaluate whether the description and design of controls at the service organisation is at a date or for a period that is appropriate for the user auditor’s purposes;
2. Evaluate the sufficiency and appropriateness of the evidence provided by the report for the understanding of the controls at the service organisation; and
3. Determine whether complementary user entity controls identified by the service organisation are relevant to the user entity and, if so, obtain an understanding of whether the user entity has designed and implemented such controls.  (Ref: Para. A22‑A23)

In responding to assessed risks in accordance with ASA 330, the user auditor shall:

1. Determine whether sufficient appropriate audit evidence concerning the relevant financial report assertions is available from records held at the user entity; and, if not,
2. Perform further audit procedures to obtain sufficient appropriate audit evidence or use another auditor to perform those procedures at the service organisation on the user auditor’s behalf.  (Ref: Para. A24‑A28)

Tests of Controls

When the user auditor’s risk assessment includes an expectation that controls at the service organisation are operating effectively, the user auditor shall obtain audit evidence about the operating effectiveness of those controls from one or more of the following procedures:

1. Obtaining a type 2 report, if available;
2. Performing appropriate tests of controls at the service organisation; or
3. Using another auditor to perform tests of controls at the service organisation on behalf of the user auditor.  (Ref: Para. A29‑A30)

Using a Type 2 Report as Audit Evidence that Controls at the Service Organisation Are Operating Effectively

If, in accordance with paragraph 16(a) of this Auditing Standard, the user auditor plans to use a type 2 report as audit evidence that controls at the service organisation are operating effectively, the user auditor shall determine whether the service auditor’s report provides sufficient appropriate audit evidence about the effectiveness of the controls to support the user auditor’s risk assessment by:

1. Evaluating whether the description, design and operating effectiveness of controls at the service organisation is at a date or for a period that is appropriate for the user auditor’s purposes;
2. Determining whether complementary user entity controls identified by the service organisation are relevant to the user entity and, if so, obtaining an understanding of whether the user entity has designed and implemented such controls and, if so, testing their operating effectiveness;
3. Evaluating the adequacy of the time period covered by the tests of controls and the time elapsed since the performance of the tests of controls; and
4. Evaluating whether the tests of controls performed by the service auditor and the results thereof, as described in the service auditor’s report, are relevant to the assertions in the user entity’s financial report and provide sufficient appropriate audit evidence to support the user auditor’s risk assessment.  (Ref: Para. A31‑A39)

If the user auditor plans to use a type 1 or a type 2 report that excludes the services provided by a subservice organisation and those services are relevant to the audit of the user entity’s financial report, the user auditor shall apply the requirements of this Auditing Standard with respect to the services provided by the subservice organisation. (Ref: Para. A40)

The user auditor shall enquire of management of the user entity whether the service organisation has reported to the user entity, or whether the user entity is otherwise aware of, any fraud, non‑compliance with laws and regulations or uncorrected misstatements affecting the financial report of the user entity. The user auditor shall evaluate how such matters affect the nature, timing and extent of the user auditor’s further audit procedures, including the effect on the user auditor’s conclusions and user auditor’s report. (Ref: Para. A41)

The user auditor shall modify the opinion in the user auditor’s report in accordance with ASA 705^[6] if the user auditor is unable to obtain sufficient appropriate audit evidence regarding the services provided by the service organisation relevant to the audit of the user entity’s financial report. (Ref: Para. A42)

The user auditor shall not refer to the work of a service auditor in the user auditor’s report containing an unmodified opinion unless required by law or regulation to do so. If such reference is required by law or regulation, the user auditor’s report shall indicate that the reference does not diminish the user auditor’s responsibility for the audit opinion. (Ref: Para. A43)

If reference to the work of a service auditor is relevant to an understanding of a modification to the user auditor’s opinion, the user auditor’s report shall indicate that such reference does not diminish the user auditor’s responsibility for that opinion. (Ref: Para. A44)