OVERVIEW
Objective
¾
To set out the audit considerations where an entity uses a service organisation to undertake activities on its behalf.AUDIT PLANNING
SERVICE ORGANISATIONS
RISK ASSESSMENT
SERVICE ORGANISATION
REPORT
¾ Understanding the service
organisation
¾ Use by client entity
¾ Basic principles
¾ Assessing risk
¾ Audit evidence
¾ Basic principles
1
SERVICE ORGANISATIONS
1.1
Use by client entity
¾
A service organisation is an external entity that provides financial and other services to other entities. Such organisations may provide their services to many (related or unrelated) entities or as a dedicated service provider just to one entity.¾
Of direct interest to auditors (as part of their assessing the business, controls and risk of material misstatements within the financial statements) will be service organisations that provide, for example, the following services to a client: Payroll
Maintenance of accounting records and/or preparation of financial statements Data entry and information processing generally
Preparation of invoices Facilities management Asset management services
Credit control, credit risk analysis and factoring Leasing arrangements
Execution, discretionary trading and custodial services
¾
Particular CIS applications include: Internet service provider (ISP), web hosting and extranet (ie dependent on the ISP
to provide specific commerce business related services, rather than just normal e-mail).
Application service provider (ASP), site housing and web-based accounting (ie
dependent on ASP and external CIS for core financial and data processing).
¾
As well as just processing and recording data, the service provider may also initiate and execute transactions, eg credit authorisation, payment authorisation, ie they establish and execute policies and procedures that impact upon an entity’s accounting functions and controls.1.2
Basic principles
¾
ISA 402 Audit Considerations Relating to Entities Using Service Organisations provides the standards and guidance to be used by the auditor where a client uses a serviceorganisation.
¾
ISA 402 requires the auditor: consider the effect of the service organisation on the entity’s accounting and
internal control systems; and
ascertain the significance of the service organisation’s activities and relevance to the
audit.
¾
If the involvement of the service organisation is considered significant by the auditor, they must assess the risk of material misstatement within the financial statements by understanding the service organisation’s business, its environment and controls.¾
If appropriate, the auditor may also decide to rely on the controls of the serviceorganisation and consider testing their effectiveness.
2
AUDIT PLANNING
2.1
Understanding the service organisation, its environment and
controls.
¾
Specific factors to be considered when assessing the risk of material misstatement through understanding the service organisation, its environment and controls include: Nature of services provided and relationship between client and service
organisation.
Contractual terms (as above, plus for example – responsibilities, activities
undertaken, maintenance and ownership of data, rights of access to data by the client and auditor (eg if denied to the auditor, how can they audit such data?), application of appropriate laws and regulations by the service organisation (eg operating licences, data protection, maintaining proper books and records), non-performance criteria, dispute resolution).
Controls operated by the client over the processes of the service provider (e.g. over
transactions processed and to ensure completeness, accuracy, validity).
Controls to monitor the activities of the service provider and how reliant such
controls are on the service provider’s controls (includes risk assessment process and control activities).
Service organisation’s reputation, capability and financial standing (eg possible
going concern implications).
Material financial statements assertions affected (e.g. in payroll application). The extent to which assets dealt with by the service provider are susceptible to loss
or misappropriation.
Information about the service provider available in user and technical manuals. Existence of third party reports about the operation and effectiveness of the service
3
RISK ASSESSMENT
3.1
Assessing risk
¾
Much of the detail noted above (Section 2) will provide the auditor with sufficient knowledge to be able to assess business risks related to the service provider that may lead to financial statement risk of the client.¾
From their understanding of the controls over the service provider (and processes) in operation at the client, the auditor may decide that appropriate (sufficient) audit assurance can be obtained without further work on controls at the service provider, eg: where appropriate records of assets and transactions dealt with by the service
organisation are kept by the client; and
where reconciliations (eg control totals) and reviews of data sent to and received
from the service provider are regularly carried out.
¾
However, where sufficient audit assurance cannot be obtained just from the controls in operation at the client, the controls operated by the service organisation (eg CIS general and application controls) and the extent to which the client’s accounting and internal control systems interact with those of the service organisation, must be understood and assessed.Example 1
Classify the following examples of outsourced accounting functions as “high”, “medium” or “low” risk.
¾
Low risk functions require little judgement, are non-complex, relate to discrete functions and outsourcing can be relatively easily rearranged. Sufficient audit assurance can usually be obtained through controls in operation at the client.¾
High risk functions are relative costly to insource once outsourced, require effective controls, business knowledge and carry a high cost ofperformance failure. Sufficient audit assurance cannot usually be obtained without considering controls in operation at the service provider.
¾
Medium risk functions include those which relate to discrete functions but require some business knowledge.Solution
Processing salary payments Low/Medium/High
Preparation of budgets and control reports Low/Medium/High Leasing arrangements (e.g. of vehicles) Low/Medium/High Accounting records of a retail business Low/Medium/High
Invoice preparation Low/Medium/High
E-commerce including web housing through an ISP Low/Medium/High
3.2
Audit evidence
¾
Under ISA 315, the auditor must obtain an understanding of the design of internal controls and whether or not they have been implemented. If the auditor decides to obtain audit assurance from internal controls, the effectiveness of those controls must be also tested. This will mean that: the auditor will either visit the service organisation to carry out an assessment of
the internal controls, carry out tests of control effectiveness and related substantive procedures; or
obtain assurance reports from the service provider’s external auditor on the internal
controls as they relate to the relevant transactions, assets and liabilities of the client. In some cases, reports from the service provider’s internal audit department may also be obtained.
¾
In most cases the auditor will seek to rely on the work performed by the serviceorganisation’s external (and internal) auditors. Note however that this may not always provide the auditor with sufficient evidence to reduce risk to an acceptable level, eg where the entire accounting and finance function is outsourced or the entity utilises an external ASP and web hosting. In such cases, the auditor will need to make
arrangements with the entity to be able to visit and test on-site at the service organisation.
4
SERVICE ORGANISATION ASSURANCE REPORT
¾
Under ISA 402, the assurance report requested of the service organisation auditor ordinarily takes one of two forms – Type A or Type B. Note that these reports are assurance reports and not audit reports. They are not concerned with the service entity’s financial statements, but deal with providing assurance on specific controls related to the processes carried out for the client. The work carried out by the service entity’s auditor in order to give the assurance report is not within the syllabus and will not be examined.4.1
Basic principles
¾
In seeking to place reliance on the service organisation’s auditor’s assurance report, the entity’s auditor should consider: the service organisation’s auditor’s professional competence;
the nature and content of the report including the scope of the service organisation
¾
The same principles apply whenever an auditor uses the work of others, as set out in: ISA 600 Using the Work of Another Auditor (Relates to group audits and is not
examinable)
ISA 610 Considering the Work if Internal Auditing. (See Session 33) ISA 620 Using the Work of an Expert. (See Session 18)
4.2
Content of Type A and Type B Reports
4.2.1
Type A — Report on the design and implementation of internal control
¾
A description of the service organisation’s internal control systems, usually prepared by the organisation’s management.¾
An opinion by the auditor on: the accuracy of the description;
the suitability of design to meet stated objectives; and whether or not the controls have been implemented.
¾
This report only provides the auditor with an understanding of the design of internal controls and whether or not they have been implemented. It does not provide any assurance on the effectiveness of operation of the controls. If the auditor wishes to place reliance on the effectiveness of operation of controls, they must request a Type B report.4.2.2
Type B — Report on the design, implementation and operating effectiveness of
internal control
¾
As for Type A plus an opinion on the operating effectiveness of the controls based on tests of such controls. Details of the tests carried out and the results would be appended to the report.¾
The auditor must consider that the controls tested by the service provider’s auditor are relevant and adequate in relation to the transactions, balances, disclosures andassertions of the entity. In particular, care must be taken to ensure that the controls tested cover the accounting period of the entity, rather than that of the service provider.
Example 2
Solution
¾
¾
¾
¾
4.3
Substantive procedures
¾
If the entity’s auditor requires substantive procedures to be carried out at the service organisation, then such procedures are usually treated as an “agreed upon procedure” between the service organisation and their auditors, with an appropriate report being provided by the service organisation auditors. Again, the detail of this procedure is outside the scope of the syllabus.4.4
Auditor’s report on the financial statements
¾
In most jurisdictions, an entity’s auditor is solely responsible for their audit opinion. No reference to third party opinions or work (eg the service organisation’s auditor’s Type A or B report) would normally be referred to within the audit report.¾
As the auditor places reliance on the third party opinion in reaching their own opinion, the detail and work done on the third party opinion must be fully documented.FOCUS
You should now be able to:
EXAMPLE SOLUTION
Solution 1 — Risks of outsourced accounting functions
Low/Medium/High
¾
Processing salary payments Low¾
Credit control Medium¾
Data entry Low¾
Maintenance of accounting records andpreparation of budgets and control reports High
¾
Leasing arrangements (e.g. of vehicles) Medium¾
Accounting records of a retail business High¾
Invoice preparation Low¾
E-commerce including web housing through an ISP HighSolution 2 — Type B report
¾
The relevance of tests of controls to client’s transactions (and financial statement assertions).¾
The nature of tests of control performed (e.g. observation of a test of control may be less reliable than inspecting evidence of a control having been performed).¾
The extent of testing, particularly the period of time covered.