6042 Understanding of services provided by a service organization

Sep-2022

CAS Guidance

Information on the nature of the services provided by a service organization may be available from a wide variety of sources, such as (CAS 402.A1):

• User manuals
• System overviews
• Technical manuals
• The contract or service level agreement between the user entity and the service organization
• Reports by service organizations, the internal audit function or regulatory authorities on controls at the service organization
• Reports by the service auditor, including management letters, if available

Knowledge obtained through the user auditor’s experience with the service organization, for example through experience with other audit engagements, may also be helpful in obtaining an understanding of the nature of the services provided by the service organization. This may be particularly helpful if the services and controls at the service organization over those services are highly standardized (CAS 402.A2).

A user entity may use a service organization such as one that processes transactions and maintains related accountability, or records transactions and processes related data service organizations that provide such services include, for example (CAS 402.A3):

• Bank trust departments that invest and service assets for employee benefit plans or for others;
• Mortgage bankers that service mortgages for others; and
• Application service providers that provide packaged software applications and a technology environment that enables customers to process financial and operational transactions.

Examples of service organization services that are relevant to the audit include (CAS 402.A4):

• Maintenance of the user entity’s accounting records
• Management of assets
• Initiating, recording or processing transactions as agent of the user entity

The nature and extent of work to be performed by the user auditor regarding the services provided by a service organization depend on the nature and significance of those services to the user entity and the relevance of those services to the audit (CAS 402.4).

CAS Guidance

Smaller entities may use external bookkeeping services ranging from the processing of certain transactions (for example, payment of payroll taxes) and maintenance of their accounting records to the preparation of their financial statements. The use of such a service organization for the preparation of its financial statements does not relieve management of the smaller entity and, where appropriate, those charged with governance of their responsibilities for the financial statements (CAS 402.A5).

CAS Guidance

A service organization may establish policies and procedures that affect the user entity’s internal control. These policies and procedures are at least in part physically and operationally separate from the user entity. The significance of the controls of the service organization to those of the user entity depends on the nature of the services provided by the service organization, including the nature and materiality of the transactions it processes for the user entity. In certain situations, the transactions processed and the accounts affected by the service organization may not appear to be material to the user entity’s financial statements, but the nature of the transactions processed may be significant and the user auditor may determine that an understanding of those controls is necessary in the circumstances (CAS 402.A6).

CAS Guidance

The significance of the controls of the service organization to those of the user entity also depends on the degree of interaction between its activities and those of the user entity. The degree of interaction refers to the extent to which a user entity is able to and elects to implement effective controls over the processing performed by the service organization. For example, a high degree of interaction exists between the activities of the user entity and those at the service organization when the user entity authorizes transactions and the service organization processes and does the accounting for those transactions. In these circumstances, it may be practicable for the user entity to implement effective controls over those transactions. On the other hand, when the service organization initiates or initially records, processes, and does the accounting for the user entity’s transactions, there is a lower degree of interaction between the two organizations. In these circumstances, the user entity may be unable to, or may elect not to, implement effective controls over these transactions at the user entity and may rely on controls at the service organization. (CAS 402.A7).

CAS Guidance

The contract or service level agreement between the user entity and the service organization may provide for matters such as (CAS 402.A8):

• The information to be provided to the user entity and responsibilities for initiating transactions relating to the activities undertaken by the service organization
• The application of requirements of regulatory bodies concerning the form of records to be maintained, or access to them
• The indemnification, if any, to be provided to the user entity in the event of a performance failure
• Whether the service organization will provide a report on its controls and, if so, whether such report would be a type 1 report or type 2 report
• Whether the user auditor has rights of access to the accounting records of the user entity maintained by the service organization and other information necessary for the conduct of the audit
• Whether the agreement allows for direct communication between the user auditor and service auditor

There is a direct relationship between the service organization and the user entity and between the service organization and the service auditor. These relationships do not necessarily create a direct relationship between the user auditor and the service auditor. When there is no direct relationship between the auditor and the service auditor, communications between the user auditor and the service auditor are usually conducted through the user entity and the service organization. A direct relationship may also be created between a user auditor and a service auditor, taking into account the relevant ethical and confidentiality considerations. A user auditor, for example, may use a service auditor to perform procedures on the user auditor’s behalf, such as (CAS 402.A9):

a) Tests of controls at the service organization

b) Substantive procedures on the user entity’s financial statement transactions and balances maintained by a service organization

CAS Guidance

The user entity may establish controls over the service organization’s services that may be tested by the user auditor and that may enable the user auditor to conclude that the user entity’s controls are operating effectively for some or all of the related assertions, regardless of the controls in place at the service organization. If a user entity, for example, uses a service organization to process its payroll transactions, the user entity may establish controls over the submission and receipt of payroll information that could prevent or detect material misstatements. These controls may include (CAS 402.A12):

• Comparing the data submitted to the service organization with reports of information received from the service organization after the data has been processed
• Recomputing a sample of the payroll amounts for clerical accuracy and reviewing the total amount of the payroll for reasonableness

In this situation, the user auditor may perform tests of the user entity’s controls over payroll processing that would provide a basis for the user auditor to conclude that the user entity’s controls are operating effectively for the assertions related to payroll transactions (CAS 402.A13).

As noted in CAS 315, in respect of some risks, the user auditor may judge that it is not possible or practicable to obtain sufficient appropriate audit evidence only from substantive procedures. Such risks may relate to the inaccurate or incomplete recording of routine and significant classes of transactions and account balances, the characteristics of which often permit highly automated processing with little or no manual intervention. Such automated processing characteristics may be particularly present when the user entity uses service organizations. In such cases, the user entity’s controls over such risks are relevant to the audit and the user auditor is required to obtain an understanding of, and to evaluate, such controls in accordance with paragraphs 9 and 10 of this CAS (CAS 402.A14).

CAS Guidance

The user auditor’s decision as to which procedure, individually or in combination, in paragraph 12 to undertake, in order to obtain the information necessary to provide a basis for the identification and assessment of the risks of material misstatement in relation to the user entity’s use of the service organization, may be influenced by such matters as (CAS 402.A15):

• The size of both the user entity and the service organization
• The complexity of the transactions at the user entity and the complexity of the services provided by the service organization
• The location of the service organization (for example, the user auditor may decide to use another auditor to perform procedures at the service organization on the auditor’s behalf if the service organization is in a remote location)
• Whether the procedure(s) is expected to effectively provide the user auditor with sufficient appropriate audit evidence; and
• The nature of the relationship between the user entity and the service organization

CAS Guidance

A service organization may engage a service auditor to report on the description and design of its controls (type 1 report) or on the description and design of its controls and their operating effectiveness (type 2 report). Type 1 or type 2 reports may be issued under International Standard on Assurance Engagements (ISAE) 3402 8 or under standards established by an authorized or recognized standards setting organization (which may identify them by different names, such as Type A or Type B reports) (CAS 402.A16).

The availability of a type 1 or type 2 report will generally depend on whether the contract between a service organization and a user entity includes the provision of such a report by the service organization. A service organization may also elect, for practical reasons, to make a type 1 or type 2 reports available to the user entities. However, in some cases, a type 1 or type 2 report may not be available to user entities (CAS 402.A17).

OAG Guidance

A service auditor’s report prepared under CSAE 3416 is capable of providing appropriate audit evidence under CAS 402 (CSAE 3416.1). Paragraph 8 of CSAE 3416 provides a framework for considering the objectives of the report.

CAS Guidance

A user entity may use a service organization that in turn uses a subservice organization to provide some of the services provided to a user entity that are part of the user entity’s information system relevant to financial reporting. The subservice organization may be a separate entity from the service organization or may be related to the service organization. A user auditor may need to consider controls at the subservice organization. In situations where one or more subservice organizations are used, the interaction between the activities of the user entity and those of the service organization is expanded to include the interaction between the user entity, the service organization and the subservice organizations. The degree of this interaction, as well as the nature and materiality of the transactions processed by the service organization and the subservice organizations are the most important factors for the user auditor to consider in determining the significance of the service organization’s and subservice organization’s controls to the user entity’s controls (CAS 402.A20)

If a service organization uses a subservice organization, the service auditor’s report may either include or exclude the subservice organization’s relevant control objectives and related controls in the service organization’s description of its system and in the scope of the service auditor’s engagement. These two methods of reporting are known as the inclusive method and the carve‑out method, respectively. If the type 1 or type 2 report excludes the controls at a subservice organization, and the services provided by the subservice organization are relevant to the audit of the user entity’s financial statements, the user auditor is required to apply the requirements of this CAS in respect of the subservice organization. The nature and extent of work to be performed by the user auditor regarding the services provided by a subservice organization depend on the nature and significance of those services to the user entity and the relevance of those services to the audit. The application of the requirement in paragraph 9 assists the user auditor in determining the effect of the subservice organization and the nature and extent of work to be performed (CAS 402.A40).

CAS Guidance

In some circumstances, a user entity may outsource one or more significant business units or functions, such as its entire tax planning and compliance functions, or finance and accounting, or the controllership function to one or more service organizations. As a report on controls at the service organization may not be available in these circumstances, visiting the service organization may be the most effective procedure for the user auditor to gain an understanding of controls at the service organization, as there is likely to be direct interaction of management of the user entity with management at the service organization (CAS 402.A18).

CAS Guidance

Another auditor may be used to perform procedures that will provide the necessary information about the relevant controls at the service organization related to services provided to the user entity. If a type 1 or type 2 report has been issued, the user auditor may use the service auditor to perform these procedures as the service auditor has an existing relationship with the service organization. The user auditor using the work of another auditors may find the guidance in CAS 600 useful as it relates to understanding another auditor (including that auditor’s independence and professional competence), involvement in the work of another auditor in planning the nature, timing and extent of such work, and in evaluating the sufficiency and appropriateness of the audit evidence obtained (CAS 402.A19).

CAS Guidance

A service organization may be required under the terms of the contract with user entities to disclose to affected user entities any fraud, non‑ compliance with laws and regulations or uncorrected misstatements attributable to the service organization’s management or employees. As required by paragraph 19, the user auditor makes inquiries of the user entity management regarding whether the service organization has reported any such matters and evaluates whether any matters reported by the service organization affect the nature, timing and extent of the user auditor’s further audit procedures. In certain circumstances, the user auditor may require additional information to perform this evaluation, and may request the user entity to contact the service organization to obtain the necessary information (CAS 402.A41).