Annual Audit Manual

COPYRIGHT NOTICE — This document is intended for internal use. It cannot be distributed to or reproduced by third parties without prior written permission from the Copyright Coordinator for the Office of the Auditor General of Canada. This includes email, fax, mail and hand delivery, or use of any other method of distribution or reproduction. CPA Canada Handbook sections and excerpts are reproduced herein for your non-commercial use with the permission of The Chartered Professional Accountants of Canada (“CPA Canada”). These may not be modified, copied or distributed in any form as this would infringe CPA Canada’s copyright. Reproduced, with permission, from the CPA Canada Handbook, The Chartered Professional Accountants of Canada, Toronto, Canada.

6041 Use of service organizations
Sep-2022

In This Section

Purpose of service organizations

Definitions

Using service organizations—summary

Use of specialist in accounting and auditing

Documentation Guidance

Service organization top‑down approach

CAS Objective

The objectives of the user auditor when the user entity uses the services of a service organization, are (CAS 402.7):

(a) (a) To obtain an understanding of the nature and significance of the services provided by the service organization and their effect on the user entity’s system of internal control, sufficient to provide an appropriate basis for the identification and assessment of the risks of material misstatement; and

(b) To design and perform audit procedures responsive to those risks

Purpose of service organizations

CAS Guidance

Many entities outsource aspects of their business to organizations that provide services ranging from performing a specific task under the direction of an entity to replacing an entity’s entire business units or functions, such as the tax compliance function. Many of the services provided by such organizations are integral to the entity’s business operations; however, not all those services are relevant to the audit. (CAS 402.2)

Services provided by a service organization are relevant to the audit of the user entity’s financial statements when those services, and the controls over them, are part of the user entity’s information system relevant to the preparation of the financial statements. Most controls at the service organization are likely to be part of the user entity’s information system relevant to the preparation of the financial statements, or related controls, such as controls over the safeguarding of assets. A service organization’s services are part of the user entity’s information system if these services affect any of the following (CAS 402.3):

(a) How information relating to significant classes of transactions, account balances and disclosures flows through the user entity’s information system, whether manually or using IT, and whether obtained from within or outside the general ledger and subsidiary ledgers. This includes when the service organization’s services affect how:

  1. Transactions of the user entity are initiated, and how information about them is recorded, processed, corrected as necessary, and incorporated in the general ledger and reported in the financial statements; and
  2. Information about events or conditions, other than transactions, is captured, processed and disclosed by the user entity in the financial statements.

(b) The accounting records, specific accounts in the entity’s financial statements and other supporting records relating to the flows of information in paragraph 3(a);

(c) The financial reporting process used to prepare the user entity’s financial statements from the records described in paragraph 3(b), including as it relates to disclosures and to accounting estimates relating to significant classes of transactions, account balances and disclosures; and

(d) The entity’s IT environment relevant to (a) to (c) above.

This CAS does not apply to services provided by financial institutions that are limited to processing, for an entity’s account held at the financial institution, transactions that are specifically authorized by the entity, such as the processing of checking account transactions by a bank or the processing of securities transactions by a broker. In addition, this CAS does not apply to the audit of transactions arising from proprietary financial interests in other entities, such as partnerships, corporations and joint ventures, when proprietary interests are accounted for and reported to interest holders. (CAS 402.5)

Definitions

CAS Guidance

For purposes of the CASs, the following terms have the meanings attributed below (CAS 402.8):

(a) Complementary user entity controls—Controls that the service organization assumes, in the design of its service, will be implemented by user entities, and which, if necessary to achieve control objectives, are identified in the description of its system.

(b) Report on the description and design of controls at a service organization (referred to in this CAS as a type 1 report)—A report that comprises:

(i) A description, prepared by management of the service organization, of the service organization’s system, control objectives and related controls that have been designed and implemented as at a specified date; and

(ii) A report by the service auditor with the objective of conveying reasonable assurance that includes the service auditor’s opinion on the description of the service organization’s system, control objectives and related controls and the suitability of the design of the controls to achieve the specified control objectives.

(c) Report on the description, design, and operating effectiveness of controls at a service organization (referred to in this CAS as a type 2 report)—A report that comprises:

(i) A description, prepared by management of the service organization, of the service organization’s system, control objectives and related controls, their design and implementation as at a specified date or throughout a specified period and, in some cases, their operating effectiveness throughout a specified period; and

(ii) A report by the service auditor with the objective of conveying reasonable assurance that includes:

  1. The service auditor’s opinion on the description of the service organization’s system, control objectives and related controls, the suitability of the design of the controls to achieve the specified control objectives, and the operating effectiveness of the controls; and
  2. A description of the service auditor’s tests of the controls and the results thereof.

(d) Service auditor—An auditor who, at the request of the service organization, provides an assurance report on the controls of a service organization.

(e) Service organization—A third-party organization (or segment of a third-party organization) that provides services to user entities that are part of those entities’ information systems relevant to financial reporting.

(f) Service organization’s system—The policies and procedures designed, implemented and maintained by the service organization to provide user entities with the services covered by the service auditor’s report.

(g) Subservice organization—A service organization used by another service organization to perform some of the services provided to user entities that are part of those user entities’ information systems relevant to financial reporting.

(h) User auditor—An auditor who audits and reports on the financial statements of a user entity.

(i) User entity—An entity that uses a service organization and whose financial statements are being audited.

Using service organizations—summary

OAG Guidance

The following flowchart serves as an overview of the audit approach using a service organization:

Note that in case the testing of controls does not provide sufficient audit evidence, additional substantive procedures have to be performed; this is the case when controls addressing the relevant assertions are not working correctly or are not implemented.

Use of specialist in accounting and auditing

OAG Guidance

The consideration of the entity’s use of a service organization, including the decision whether or not to obtain a service auditor’s report, the evaluation of the service auditor’s report (if obtained), and the inclusion of applicable procedures in the audit program, is the responsibility of the team manager and an IT audit specialist, where involved, in consultation with the engagement leader. Depending on the experience of the team consider using an IT audit specialist as he has the appropriate skill sets when understanding the entity’s use of service organizations. We may wish to consider the need for further support from a specialist in accounting or auditing if the level of risk associated with the use of the service organization is high, e.g., consider consulting with the Internal Specialist for Fraud. Equally, the complexity of the relationship between the entity and the service organization may require consultation with Legal Services to evaluate the implications of the arrangements.

Documentation Guidance

OAG Guidance

What you have to do
Planning Activities

In responding to assessed risks of material misstatement, determine whether sufficient audit evidence concerning the relevant financial assertions is available from records held at the entity; and, if not, perform further audit procedures to obtain sufficient appropriate audit evidence.

  • If further sufficient appropriate audit evidence is determined to be obtained from service organizations, perform the procedure. “Plan use of service organization—[Insert name of service organization]”. Obtain an understanding of the services provided by a service organization including the internal control located in the program indicated above and document the understanding of the impact of the service organization’s activities at the entity.
  • See OAG Audit 6042 for further guidance on an understanding of services provided by a service organization.
Controls
  • If it is determined that service organization activities are relevant to our risk assessment, identify the controls performed at the service organization and document them in the procedure “Obtain evidence regarding controls operated at service organization(s)”. This documentation should include an evaluation of the design and implementation of these controls.
Gather Evidence

Perform the appropriate control procedure depending on how the service organization is used by the entity; see procedures “Plan use of service organization—[Insert name of service organization]” and “Obtain evidence regarding controls operated at service organization(s)”:

type 1 report

  • A type 1 report does not address operating effectiveness of controls over time; instead it has information (about service organization’s controls) to plan the audit and to design effective tests of controls and substantive tests at the entity.
  • The type 1 report will likely be rarely used and if it is used, we would have to identify the relevant controls and document our control testing over the controls performed at the service organization. For example, type 1 reports provide a description of the services organization’s systems, control objectives, and related controls that have been designed and implemented as of a specific date. By obtaining this report we are able to gain an understanding of the service organization, but if we plan to place reliance on the controls, we will have to test operating effectiveness of those controls at the service organization through our own procedures or through the use of another auditor. In these cases, we document our work and results within the procedure “Plan use of service organization—[Insert name of service organization].”

type 2 report

  • If a type 2 report is obtained from the service organization’s auditor, the procedures “Plan use of service organization—[Insert name of service organization]” and “Obtain evidence regarding controls operated at service organization(s)” include procedures to evaluate that report (e.g., is the time period covered by the tests of controls appropriate for the engagement team’s purposes).
  • Document the results of the controls testing needed as evidence performed at the service organization.
  • Identify all assertions addressed by the control(s).

Complementary user controls

  • For complementary user controls that exist at the user entity to meet the control objectives of the controls performed at the service organization where we need evidence, document testing results of complementary entity controls.
  • See OAG Audit 6043 for guidance on audit evidence obtained at service organizations.
Service organization top‑down approach

OAG Guidance

Apply a top‑down, risk-based approach to addressing service organization activities, focusing only on what matters to our audit, not necessarily anything or everything that the service organization/service auditor has provided in a report. A type 2 or other service auditor report is merely a source of information and evidence. That evidence needs to be considered in its appropriate context. For example:

  • The mere existence of a service auditor report on service organization controls does not mean those controls are automatically relevant for purposes of the entity audit. Similarly, some, but not all, evidence provided in a service auditor report may be relevant to our audit. This may be the case when:
    • the entity’s own controls (e.g., entity-level controls or controls over the service organization’s activities) are sufficient to mitigate the risks of material misstatement inherent in the service organization’s activities;
    • the report addresses control activities that are contractually important to the entity but perhaps not relevant to our audit in terms of testing operating effectiveness (e.g., IT backup and recovery procedures); and
    • we are performing an audit and have planned our substantive tests based on our understanding of controls at the service organization, perhaps without a need to consider the operating effectiveness of such controls.
  • An unqualified opinion by the service auditor on the effectiveness of the controls is not necessarily conclusive for our purposes, nor is a qualified opinion necessarily detrimental. When service organization controls are relevant to our audit, we need to read and understand the full content of the report. There may be testing exceptions that did not result in a qualified service auditor’s opinion that may still be consequential to our audit, and there may be service auditor opinion qualifications on matters that are not relevant to our audit. We are to evaluate testing exceptions identified in a service auditor’s report for controls we consider relevant to our audit in the same manner we would evaluate testing exceptions identified by our own independent procedures, regardless of whether or not the service auditor’s opinion has been modified.

The service auditor’s report may not provide sufficient evidence to support our assessed level of control risk, depending on our judgments about the service auditor’s reputation, competence and independence, the time period covered by the tests of controls, the scope of examination and applications covered, the controls tested, the way in which the tested controls relate to the entity’s controls, the results of the tests of controls, and the service auditor’s opinion on the operating effectiveness of controls. For example, controls that operate at a subservice organization may not be covered by the service auditor’s report (e.g., they are “carved out”). Also, when a report is produced for multiple user entities, it is possible that the specific tests of controls performed by the service auditor do not provide sufficient evidence about the operating effectiveness of controls that address the financial statement assertions we are auditing. Further, if we believe a control is relevant and we see, for example, an inquiry only test described in the report, we may conclude that the report does not provide sufficient evidence for our purposes in regard to that control. If the service auditor’s report does not provide sufficient evidence to support our planned level of controls reliance, consider performing additional tests of controls at the service organization or revising the planned controls reliance.

In most cases, the service auditor delivers a “restricted use” report (i.e., a report that is intended only for specified parties) to the service organization and, based on a contractual arrangement, the service organization then provides the report to management of the user organization. We obtain the CSAE 3416 report either directly from the service organization or through management of our client (the user organization). Sharing of a service auditor’s report among engagement teams not party to the distribution of the service auditor’s report without contractual permission would not be appropriate due to the restricted nature of the report distribution and our confidentiality obligations to our clients.

See OAG Audit 6043 for further details on the considerations when using a service auditor’s report.