2381 Introduction to shared service centers audits

Jun-2018

OAG Guidance

Many of our clients have established Shared Service Centres (“SSCs”) or common information systems to process information that impacts the entity’s group financial statements and/or component and statutory reports. SSCs generally provide centralized services ranging from specific tasks (such as processing of accounts receivable or payable) to complete functions or business processes (such as treasury or information technology operations or the preparation of statutory financial statements). Data centres which run shared instances of applications are considered in this guidance as a type of SSC. SSCs often employ standardized processes, controls, and systems and key personnel and related accounting records are often located or maintained at the SSC rather than being geographically dispersed.

Guidance in this section is written in the context of OAG interoffice reporting and does not aim to address all considerations that may be relevant when communicating with and reporting to component auditor external to the Office.

Areas where audit evidence might be obtained at a SSC and shared cross-border include:

• tests of manual and automated controls, including information technology general controls;
• tests of monitoring controls or business performance reviews performed by personnel at the SSC;
• substantive analytical procedures; and/or
• detailed substantive audit procedures.

Sending multiple engagement teams to perform audit work at a SSC is likely to be neither efficient nor effective. A better approach is usually for the group engagement team to determine the nature and extent of audit evidence needed over the functions and processes at the SSC and to assign one audit team (the “SSC audit team”) to perform procedures designed to share audit evidence to achieve both group and all relevant component and statutory reporting objectives.

The SSC audit work needs to be considered as part of our audit planning, as various component auditors may seek to use this work for different purposes. For example, differences between group and component statutory reporting requirements need to be discussed and evaluated when component auditors plan to use the SSC audit work as part of the audit of statutory financial statements. Sharing audit evidence on a group audit may also cause issues due to differing territory laws and regulation. As a result, timely communication between the group, component and SSC engagement teams is essential and where these laws and regulations create potential barriers for sharing audit evidence, we also need to communicate with the entity, as appropriate.

The guidance provided herein is offered to promote efficiency, effectiveness, and consistency across our practice. The section below provides guidance on the planning and scoping, execution, reporting and communication involved in an effective and efficient audit of a SSC and needs to be read in conjunction with the guidance on group audits (OAG Audit 2300–2370) and other relevant sections of OAG Audit, as appropriate. In all instances, it is envisaged that the execution of the underlying work will be in accordance with OAG Annual Audit Manual.

In some cases, centralized services may be provided not by a specialized SSC, but rather by the group head office or one of the components (e.g., the group head office may implement group-wide controls, which will be tested by the group engagement team and used by one or more component auditors). In these situations, the guidance included in this section may also be applied to the work performed over such centralized services by the group engagement team or component auditors. In other words, in these situations the group or component engagement team would apply the guidance applicable to an SSC engagement team, as appropriate, and communicate with the group and other component engagement teams to facilitate effective and efficient sharing of audit evidence.