6042 Understanding of services provided by a service organization
Sep-2022

Obtain an understanding of services performed by service organizations

CAS Requirement

When obtaining an understanding of the user entity in accordance with CAS 315, the user auditor shall obtain an understanding of how a user entity uses the services of a service organization in the user entity’s operations, including: (CAS 402.9)

(a) The nature of the services provided by the service organization and the significance of those services to the user entity, including the effect thereof on the user entity’s internal control

(b) The nature and materiality of the transactions processed or accounts or financial reporting processes affected by the service organization

(c) The degree of interaction between the activities of the service organization and those of the user entity; and

(d) The nature of the relationship between the user entity and the service organization, including the relevant contractual terms for the activities undertaken by the service organization

The user auditor shall determine whether a sufficient understanding of the nature and significance of the services provided by the service organization and their effect on the user entity’s system of internal control has been obtained to provide an appropriate basis for the identification and assessment of the risks of material misstatement (CAS 402.11).

CAS Guidance

Information on the nature of the services provided by a service organization may be available from a wide variety of sources, such as (CAS 402.A1):

  • User manuals
  • System overviews
  • Technical manuals
  • The contract or service level agreement between the user entity and the service organization
  • Reports by service organizations, the internal audit function or regulatory authorities on controls at the service organization
  • Reports by the service auditor, including management letters, if available

Knowledge obtained through the user auditor’s experience with the service organization, for example through experience with other audit engagements, may also be helpful in obtaining an understanding of the nature of the services provided by the service organization. This may be particularly helpful if the services and controls at the service organization over those services are highly standardized (CAS 402.A2).

A user entity may use a service organization such as one that processes transactions and maintains related accountability, or records transactions and processes related data. Service organizations that provide such services include, for example (CAS 402.A3):

  • Bank trust departments that invest and service assets for employee benefit plans or for others;
  • Mortgage bankers that service mortgages for others; and
  • Application service providers that provide packaged software applications and a technology environment that enables customers to process financial and operational transactions.

Examples of service organization services that are relevant to the audit include (CAS 402.A4):

  • Maintenance of the user entity’s accounting records
  • Management of assets
  • Initiating, recording or processing transactions as agent of the user entity

The nature and extent of work to be performed by the user auditor regarding the services provided by a service organization depend on the nature and significance of those services to the user entity and the relevance of those services to the audit (CAS 402.4).

OAG Guidance

If an entity uses a service organization, certain controls at the service organization may be relevant to the entity’s ability to record, process, summarize, and report financial data consistent with the assertions embodied in the entity’s financial statements. The use of a service organization does not reduce or eliminate the entity’s responsibility to maintain effective internal control over financial reporting for its processes. The entity needs to understand the effectiveness both of the processes that are outsourced and the control environment of its service organizations. More specifically, the entity needs to obtain an understanding about financially significant processes relating to:

  • how information flows through the entity’s information system including:
    • how transactions are initiated, recorded, processed, corrected as necessary, incorporated in its accounting records, consolidated and reported in the financial statements
    • how information about events and conditions, other than transactions, is captured, processed and disclosed in the financial statements;
  • the accounting records, specific accounts in the financial statements and other supporting records relating to the flows of information in the information system;
  • how the financial reporting process is used to prepare the entity’s financial statements, including disclosures; and
  • the entity’s resources, including the IT environment, relevant to how information flows through the entity’s information system and the financial reporting process.

We need to obtain an understanding of the portion of the entity’s system of internal control over financial reporting (i.e. the initiating, recording, processing, and reporting of its transactions) performed at the service organization and the interaction of controls at the service organization with controls at the entity.

See OAG Audit 5024 for guidance on relevant industry, regulatory and other external factors.

Considerations specific to smaller entities

CAS Guidance

Smaller entities may use external bookkeeping services ranging from the processing of certain transactions (for example, payment of payroll taxes) and maintenance of their accounting records to the preparation of their financial statements. The use of such a service organization for the preparation of its financial statements does not relieve management of the smaller entity and, where appropriate, those charged with governance of their responsibilities for the financial statements (CAS 402.A5).

Nature and materiality

CAS Guidance

A service organization may establish policies and procedures that affect the user entity’s internal control. These policies and procedures are at least in part physically and operationally separate from the user entity. The significance of the controls of the service organization to those of the user entity depends on the nature of the services provided by the service organization, including the nature and materiality of the transactions it processes for the user entity. In certain situations, the transactions processed and the accounts affected by the service organization may not appear to be material to the user entity’s financial statements, but the nature of the transactions processed may be significant and the user auditor may determine that an understanding of those controls is necessary in the circumstances (CAS 402.A6).

OAG Guidance

In determining the significance of the controls at the service organization to the audit, consider factors such as:

  • the risk of material misstatement associated with the assertions affected by the controls of the service organization, including whether the activities involve assets that are susceptible to loss or misappropriation;
  • whether the services are highly standardized and used extensively by many entities or unique and used only by a few (e.g., outsourcing the treasury function involves a considerably greater degree of risk than straightforward custody of investments);
  • the extent to which the user organization’s controls interact with the controls of the service organization;
  • the terms of the contract between the user organization and the service organization, and the degree to which authority is delegated to the service organization (e.g. their respective responsibilities and the extent of the service organization’s discretion to initiate transactions and make decisions);
  • the service organization’s capabilities, including its:
    • Record of performance
    • Insurance coverage
    • Financial stability
    • Reputation for integrity
  • our prior experience with the service organization; and
  • the extent of auditable data in the entity’s possession.

Degree of entity interaction with the service organization

CAS Guidance

The significance of the controls of the service organization to those of the user entity also depends on the degree of interaction between its activities and those of the user entity. The degree of interaction refers to the extent to which a user entity is able to and elects to implement effective controls over the processing performed by the service organization. For example, a high degree of interaction exists between the activities of the user entity and those at the service organization when the user entity authorizes transactions and the service organization processes and does the accounting for those transactions. In these circumstances, it may be practicable for the user entity to implement effective controls over those transactions. On the other hand, when the service organization initiates or initially records, processes, and does the accounting for the user entity’s transactions, there is a lower degree of interaction between the two organizations. In these circumstances, the user entity may be unable to, or may elect not to, implement effective controls over these transactions at the user entity and may rely on controls at the service organization (CAS 402.A7).

Service organization and entity relationships

CAS Guidance

The contract or service level agreement between the user entity and the service organization may provide for matters such as (CAS 402.A8):

  • The information to be provided to the user entity and responsibilities for initiating transactions relating to the activities undertaken by the service organization
  • The application of requirements of regulatory bodies concerning the form of records to be maintained, or access to them
  • The indemnification, if any, to be provided to the user entity in the event of a performance failure
  • Whether the service organization will provide a report on its controls and, if so, whether such report would be a type 1 report or type 2 report
  • Whether the user auditor has rights of access to the accounting records of the user entity maintained by the service organization and other information necessary for the conduct of the audit
  • Whether the agreement allows for direct communication between the user auditor and service auditor

There is a direct relationship between the service organization and the user entity and between the service organization and the service auditor. These relationships do not necessarily create a direct relationship between the user auditor and the service auditor. When there is no direct relationship between the user auditor and the service auditor, communications between the user auditor and the service auditor are usually conducted through the user entity and the service organization. A direct relationship may also be created between a user auditor and a service auditor, taking into account the relevant ethical and confidentiality considerations. A user auditor, for example, may use a service auditor to perform procedures on the user auditor’s behalf, such as (CAS 402.A9):

a) Tests of controls at the service organization

b) Substantive procedures on the user entity’s financial statement transactions and balances maintained by a service organization

OAG Guidance

Consider the following relationship diagram:

Flow Chart

Exhibit—text version

This flow chart shows the relationships among an entity, its auditor, the service organizations it uses, such as a mortgage banker or an external bookkeeper, and the service auditor—someone who has audited the service organization.

The entity is at the centre of the chart and is connected by a solid line to the auditor, showing a direct relationship. The entity is also shown to have a direct relationship with the service organization. There is another direct relationship between the service organization and the service auditor. The service auditor is connected by a dotted line to the auditor, indicating an indirect relationship.


Typically the entity owns the relationships with the service organization, as there is a contractual agreement for activities undertaken. On rare occasions we may have communication with the service auditor at the request of the entity. Such situations may include:

  • qualification in a service organization report, and
  • performance of update testing

If the entity requests that we have a direct relationship with the service auditor, consider using a standard letter of instruction specifying procedures we are requesting of them.

Evaluating the relevance of the service organization’s control to the entity

CAS Requirement

When obtaining an understanding of the entity’s system of internal control in accordance with CAS 315, the user auditor shall identify controls in the control activities component at the user entity, from those that relate to the services provided by the service organization, including those that are applied to the transactions processed by the service organization, and evaluate their design and determine whether they have been implemented (CAS 402.10).

CAS Guidance

The user entity may establish controls over the service organization’s services that may be tested by the user auditor and that may enable the user auditor to conclude that the user entity’s controls are operating effectively for some or all of the related assertions, regardless of the controls in place at the service organization. If a user entity, for example, uses a service organization to process its payroll transactions, the user entity may establish controls over the submission and receipt of payroll information that could prevent or detect material misstatements. These controls may include (CAS 402.A12):

  • Comparing the data submitted to the service organization with reports of information received from the service organization after the data has been processed
  • Recomputing a sample of the payroll amounts for clerical accuracy and reviewing the total amount of the payroll for reasonableness

In this situation, the user auditor may perform tests of the user entity’s controls over payroll processing that would provide a basis for the user auditor to conclude that the user entity’s controls are operating effectively for the assertions related to payroll transactions (CAS 402.A13).

As noted in CAS 315, in respect of some risks, the user auditor may judge that it is not possible or practicable to obtain sufficient appropriate audit evidence only from substantive procedures. Such risks may relate to the inaccurate or incomplete recording of routine and significant classes of transactions and account balances, the characteristics of which often permit highly automated processing with little or no manual intervention. Such automated processing characteristics may be particularly present when the user entity uses service organizations. In such cases, the user entity’s controls over such risks are relevant to the audit and the user auditor is required to obtain an understanding of, and to evaluate, such controls in accordance with paragraphs 9 and 10 of this CAS (CAS 402.A14).

OAG Guidance

See OAG Audit 4024 for guidance on where substantive procedures alone do not provide sufficient appropriate audit evidence.

In addition to the consideration of complementary user entity controls, depending on the level of relevance and risk of the controls at the service organization, we may need to understand the service organization’s control environment. See OAG Audit 5032 for guidance on the entity’s control environment.

Methods to obtain an understanding of service organization controls

CAS Requirement

If the user auditor is unable to obtain a sufficient understanding from the user entity, the user auditor shall obtain that understanding from one or more of the following procedures (CAS 402.12):

(a) Obtaining a type 1 or type 2 report, if available;

(b) Contacting the service organization, through the user entity, to obtain specific information;

(c) Visiting the service organization and performing procedures that will provide the necessary information about the relevant controls at the service organization; or

(d) Using another auditor to perform procedures that will provide the necessary information about controls at the service organization.

CAS Guidance

The user auditor’s decision as to which procedure, individually or in combination, in paragraph 12 to undertake, in order to obtain the information necessary to provide a basis for the identification and assessment of the risks of material misstatement in relation to the user entity’s use of the service organization, may be influenced by such matters as (CAS 402.A15):

  • The size of both the user entity and the service organization
  • The complexity of the transactions at the user entity and the complexity of the services provided by the service organization
  • The location of the service organization (for example, the user auditor may decide to use another auditor to perform procedures at the service organization on the auditor’s behalf if the service organization is in a remote location)
  • Whether the procedure(s) is expected to effectively provide the user auditor with sufficient appropriate audit evidence; and
  • The nature of the relationship between the user entity and the service organization

Using a type 1 or type 2 service auditor’s report

CAS Guidance

A service organization may engage a service auditor to report on the description and design of its controls (type 1 report) or on the description and design of its controls and their operating effectiveness (type 2 report). Type 1 or type 2 reports may be issued under International Standard on Assurance Engagements (ISAE) 3402 or under standards established by an authorized or recognized standards setting organization (which may identify them by different names, such as Type A or Type B reports) (CAS 402.A16).

The availability of a type 1 or type 2 report will generally depend on whether the contract between a service organization and a user entity includes the provision of such a report by the service organization. A service organization may also elect, for practical reasons, to make a type 1 or type 2 report available to the user entities. However, in some cases, a type 1 or type 2 report may not be available to user entities (CAS 402.A17).

OAG Guidance

A service auditor’s report prepared under CSAE 3416 is capable of providing appropriate audit evidence under CAS 402 (CSAE 3416.1). Paragraph 8 of CSAE 3416 provides a framework for considering the objectives of the report.

Subservice Organizations in a Service Auditor’s Report

CAS Requirement

If the user auditor plans to use a type 1 or a type 2 report that excludes the services provided by a subservice organization and those services are relevant to the audit of the user entity’s financial statements, the user auditor shall apply the requirements of this CAS with respect to the services provided by the subservice organization (CAS 402.18).

CAS Guidance

A user entity may use a service organization that in turn uses a subservice organization to provide some of the services provided to a user entity that are part of the user entity’s information system relevant to financial reporting. The subservice organization may be a separate entity from the service organization or may be related to the service organization. A user auditor may need to consider controls at the subservice organization. In situations where one or more subservice organizations are used, the interaction between the activities of the user entity and those of the service organization is expanded to include the interaction between the user entity, the service organization and the subservice organizations. The degree of this interaction, as well as the nature and materiality of the transactions processed by the service organization and the subservice organizations, are the most important factors for the user auditor to consider in determining the significance of the service organization’s and subservice organization’s controls to the user entity’s controls (CAS 402.A20).

If a service organization uses a subservice organization, the service auditor’s report may either include or exclude the subservice organization’s relevant control objectives and related controls in the service organization’s description of its system and in the scope of the service auditor’s engagement. These two methods of reporting are known as the inclusive method and the carve‑out method, respectively. If the type 1 or type 2 report excludes the controls at a subservice organization, and the services provided by the subservice organization are relevant to the audit of the user entity’s financial statements, the user auditor is required to apply the requirements of this CAS in respect of the subservice organization. The nature and extent of work to be performed by the user auditor regarding the services provided by a subservice organization depend on the nature and significance of those services to the user entity and the relevance of those services to the audit. The application of the requirement in paragraph 9 assists the user auditor in determining the effect of the subservice organization and the nature and extent of work to be performed (CAS 402.A40).

OAG Guidance

Instances of subservice organizations providing services for the service organization are typically rare. Examples may include:

  • when an entity outsources their fund management activities, the fund manager may separately outsource the custodial activities to a subservice organization; and
  • when an entity outsources their payroll processing activities, the payroll provider may separately outsource the IT activities to a subservice organization.

Contacting and/or visiting service organization

CAS Guidance

In some circumstances, a user entity may outsource one or more significant business units or functions, such as its entire tax planning and compliance functions, or finance and accounting, or the controllership function to one or more service organizations. As a report on controls at the service organization may not be available in these circumstances, visiting the service organization may be the most effective procedure for the user auditor to gain an understanding of controls at the service organization, as there is likely to be direct interaction of management of the user entity with management at the service organization (CAS 402.A18).

Use of another auditor

CAS Guidance

Another auditor may be used to perform procedures that will provide the necessary information about the relevant controls at the service organization related to services provided to the user entity. If a type 1 or type 2 report has been issued, the user auditor may use the service auditor to perform these procedures as the service auditor has an existing relationship with the service organization. The user auditor using the work of another auditor may find the guidance in CAS 600 useful as it relates to understanding another auditor (including that auditor’s independence and professional competence), involvement in the work of another auditor in planning the nature, timing and extent of such work, and in evaluating the sufficiency and appropriateness of the audit evidence obtained (CAS 402.A19).

OAG Guidance

There may be situations, even when a type 1 or type 2 report has been issued, where we will need additional procedures to be performed at the service organization, and we may be able to use the service auditor or another auditor to perform such procedures. Such situations may include:

  • Only a type 1 report has been issued and we need evidence about the operating effectiveness of controls operating at the service organization.
  • Further understanding of a complex process is needed for our audit procedures.
  • Control objectives in the type 1 or type 2 report do not adequately address the risks of material misstatement in relation to the user entity’s financial statements.

See OAG Audit 2372 for guidance on special considerations when using the work of another auditor.

Typically the entity owns the relationships with the service organization, as there is a contractual agreement for activities undertaken.

If the entity requests that we ask another auditor to perform procedures to understand controls performed at the service organization, consider using a standard letter of instruction specifying procedures we are requesting of them.

Fraud, non‑compliance with laws and regulations or uncorrected misstatements

CAS Requirement

The user auditor shall inquire of management of the user entity whether the service organization has reported to the user entity, or whether the user entity is otherwise aware of, any fraud, non‑compliance with laws and regulations or uncorrected misstatements affecting the financial statements of the user entity. The user auditor shall evaluate how such matters affect the nature, timing and extent of the user auditor’s further audit procedures, including the effect on the user auditor’s conclusions and user auditor’s report (CAS 402.19).

CAS Guidance

A service organization may be required under the terms of the contract with user entities to disclose to affected user entities any fraud, non‑compliance with laws and regulations or uncorrected misstatements attributable to the service organization’s management or employees. As required by paragraph 19, the user auditor makes inquiries of the user entity management regarding whether the service organization has reported any such matters and evaluates whether any matters reported by the service organization affect the nature, timing and extent of the user auditor’s further audit procedures. In certain circumstances, the user auditor may require additional information to perform this evaluation, and may request the user entity to contact the service organization to obtain the necessary information (CAS 402.A41).

OAG Guidance

Refer to OAG Audit 5504 for further information on the types of inquiries we are expected to address to management and others within the entity.

Guidance specific to Legislative Auditors

OAG Guidance

When understanding the nature and significance of the services provided by the service organization, the auditor considers our reporting objective on compliance with authorities. Therefore, the audit work includes the assessment of the risk of non‑compliance related to the activities performed by the service organization and the understanding of the controls put in place to mitigate the risk. The auditor executes the appropriate procedures in order to obtain the needed evidence that the user entity still complies with authorities even if activities are performed by a service organization. For further guidance on these procedures, see the guidance above and at OAG Audit 6053.