AUDIT CONSIDERATIONS RELATING TO ENTITIES USING SERVICE ORGANISATIONS

OVERVIEW

Objective

To set out the audit considerations where an entity uses a service organization
to undertake activities on its behalf.

SERVICE
ORGANIZATIONS Uses
Activities
Basic principles

AUDIT
PLANNING

Factors to consider

ACCOUNTING &
INTERNAL
CONTROL SYSTEM
Sources of information
Audit evidence

AUDITOR'S
REPORTS Basic principles

 Accountancy Tuition Centre (Overseas Courses) Ltd 2001 1101

 AUDIT CONSIDERATIONS RELATING TO ENTITIES USING SERVICE ORGANISATIONS

1 SERVICE ORGANIZATIONS

1.1 Use by client entity

ISA 402 illustrates how an entity may use a service organization, for
example:

initiating, executing and recording transactions; and

processing related data.

A service organisation which is, for example, authorising transactions (not

merely recording them) must implement control policies and procedures.

Historically it has been common for smaller users of CISs to subscribe to a

computer bureau.

However, large CISs are now provided by third parties (eg facilities
management companies).

1.2 Activities

May be provided:

for a single entity – on a “dedicated” basis;

to a group of related or unrelated customers – on a shared basis.

Example of activities, other than those suggested by ISA 402 include:

information (or “data”) processing;

maintenance of accounting records;
facilities management;
safe custody of assets (eg investment).

1.3 Basic principles

To plan the audit and develop an effective audit approach (in accordance with ISA
300), the auditor should:

consider the effect of the service organisation on the entity’s accounting and
internal control systems;

ascertain the significance of the service organization’s activities and

relevance to the audit.

 Accountancy Tuition Centre (Overseas Courses) Ltd 2001 1102

 AUDIT CONSIDERATIONS RELATING TO ENTITIES USING SERVICE ORGANISATIONS

Relevant activities include those which concern:

preparation of financial statements;

keeping significant elements of accounting records

assets, liabilities, transactions and events required to be recognised or

disclosed in the financial statements.

asset management;

finance functions.

In accordance with ISA 400, if the service organization’s activities are significant and
relevant, the auditor should obtain sufficient information:

to understand the accounting and internal control systems; and

to assess controls risk at:

– the maximum; or
– a lower level, assuming tests of control are to be carried out.

2 AUDIT PLANNING

2.1 Factors to be considered

Nature of services provided and relationship between client and service

organization.

Contractual terms.

Material financial statements assertions affected (eg in payroll application).

Extent to which client’s accounting and internal control systems interact with
service organization’s.

Clients internal controls (to ensure completeness, accuracy, validity).

Service organization’s capability and financial standing.

Information available in user and technical manuals.

Existence of third party reports about the operation and effectiveness of the
service organizations’ accounting and control systems.

 Accountancy Tuition Centre (Overseas Courses) Ltd 2001 1103

 AUDIT CONSIDERATIONS RELATING TO ENTITIES USING SERVICE ORGANISATIONS

3 ACCOUNTING AND INTERNAL CONTROL SYSTEM

3.1 Sources of information

The client entity’s accounting and internal controls.

Third party reports from:

internal or external auditors;

regulatory agencies.

The service organization.

3.2 Audit evidence

The following procedures may support a less than high control risk assessment:

tests on relevant client controls;

obtaining third party reports;

rarely, visiting the service organization to undertake tests of control.

The nature, timing and extent of tests of control should provide sufficient appropriate
audit evidence to support the assessed level of control risk.

4 SERVICE ORGANIZATION AUDITOR’S REPORTS

4.1 Basic principles

In seeking to place reliance on the service organisation auditor’s report, the entity’s
auditor should consider:

the service organisation auditor’s professional competence;

the nature and content of the report including:

– scope of the service organisation auditor’s work; and

– usefulness and suitability or reports issued

The same principles apply whenever an auditor uses the work of others, as set out in:

ISA 600 Using the Work of Another Auditors **

ISA 610 Considering the Work if Internal Auditing (Session 12)
ISA 620 Using the Work of and Expert. (Session 19)

** This ISA, concerning group auditors, is outside the scope of Paper 2.6

 Accountancy Tuition Centre (Overseas Courses) Ltd 2001 1104

 AUDIT CONSIDERATIONS RELATING TO ENTITIES USING SERVICE ORGANISATIONS

4.2 Content of Type A and Type B Reports

4.2.1 Type A – Suitability of design

A description of the accounting and internal control systems.

An opinion on:

accuracy of description
operational existence of controls
suitability of design to meet stated objectives.

4.2.2 Type B – Suitability of design and operating effectiveness

As for Type A plus an opinion on effective operation based on tests of controls.

Example 1

Suggest four factors which should be considered when assessing the extent to which a
Type B report supports a lower level of control risk.

Solution

The relevance of tests of controls to client’s transactions (and financial

statement assertions.

The nature of tests of control performed (eg observation of a test of control may be
less reliable than inspecting evidence of a control having been performed).

The extent of testing, particularly the period of time covered.

How much time has elapsed since the service organisation auditors work was
performed.

4.3 Auditor’s report on financial statements

A client auditor using a service organization auditor’s report should make no reference
to it in their auditor’s report on the financial statements.

 Accountancy Tuition Centre (Overseas Courses) Ltd 2001 1105

 AUDIT CONSIDERATIONS RELATING TO ENTITIES USING SERVICE ORGANISATIONS

FOCUS

You should now be able to

illustrate the use of service organizations

describe the implications of the use of service organizations on inherent and

control risk assessments

describe conditions that must be met before reliance can be placed on the work of
others and the planning considerations in co-ordinating the work of others

explain the extent to which auditors are able to rely on the work of service organisations.

EXAMPLE SOLUTION

Solution 1 – Type B report

The relevance of tests of controls to client’s transactions (and financial

statement assertions.

The nature of tests of control performed (eg observation of a test of control may be
less reliable than inspecting evidence of a control having been performed).

The extent of testing, particularly the period of time covered.

How much time has elapsed since the service organisation auditors work was
performed.

 Accountancy Tuition Centre (Overseas Courses) Ltd 2001 1106