SA 402

AUDIT CONSIDERATION RELATING TO AN ENTITY USING A SERVICE ORGANISATION

Objectives

a) To obtain an understanding - nature and significance of the services provided by the service
organisation
their effect on the user's entity's internal control relevant to the audit sufficient to identify and
assess the risk of material misstatement(RMM)
b) To design and perform audit procedures responsive to those risks.

Considerations for the auditor

The auditor has to perform the following audit procedures-

1. Obtaining and understanding of the services provided by a service organisation

i. The nature of the services provided by the service organisation
and the significance of those services to the user entity,
including the effect thereof on the user entity’s internal control
ii. Nature and materiality of the transaction affected by the service organisation.
iii. The degree of interaction between the activities of the service organisation and
those of the user entity and
iv. The nature of the relationship between the user entity and the service
organisation, including the relevant contractual terms for the activities
undertaken by the service organisation.
Sources to obtain information regarding the service organisation
i. Usermanuals
ii. System overviews
iii. Technical manuals
iv. The contract of service level agreement between the user entity and the service
organisation
v. Report by service organisations, internal auditors for regulatory authorities on
control at the service organisation
vi. Reports by the service auditor, including management letter, if applicable.
vii. Knowledge obtained through the user auditor's experience with the service
organisation.
2. Understanding the control at the user entity relating to services provided by the service
organisation
• The user auditor shall evaluate the design and implementation of relevant controls at
the user entity,
• including those that are applied to the transaction processed by the service organisation
3. Further procedure when a sufficient understanding cannot be obtained from the user entity
Obtain that understanding form one or more of the following procedures:
• Obtaining a Type 1 or Type 2 report, if applicable;
• Contacting the service organisation, through the user entity, to obtain specific
information;
 • Visiting the service organisation and performing procedures; or
• using another order to perform procedure
4. Can user auditor make a reference to the work of the service auditor?
Unmodified Opinion- No reference
Modified Opinion- May make a reference; however, such reference does not diminish the user
auditor's responsibility for that opinion.