6043 Service organization audit evidence

Sep-2022

CAS Guidance

The user auditor may make inquiries about the service auditor to the service auditor’s professional organization or other practitioners and inquire whether the service auditor is subject to regulatory oversight. The service auditor may be practicing in a jurisdiction where different standards are followed in respect of reports on controls at a service organization, and the user auditor may obtain information about the standards used by the service auditor from the standards setting organization (CAS 402.A21).

CAS Guidance

Whether the use of a service organization increases a user entity’s risk of material misstatement depends on the nature of the services provided and the controls over these services; in some cases, the use of a service organization may decrease the user entity’s risk of material misstatement, particularly if the user entity itself does not possess the expertise necessary to undertake particular activities, such as initiating, processing, and recording transactions, or does not have adequate resources (for example, an IT system) (CAS 402.A24).

When the service organization maintains material elements of the accounting records of the user entity, direct access to those records may be necessary in order for the user auditor to obtain sufficient appropriate audit evidence relating to the operations of controls over those records or to substantiate transactions and balances recorded in them, or both. Such access may involve either physical inspection of records at the service organization’s premises or interrogation of records maintained electronically from the user entity or another location, or both. Where direct access is achieved electronically, the user auditor may thereby obtain evidence as to the adequacy of controls operated by the service organization over the completeness and integrity of the user entity’s data for which the service organization is responsible (CAS 402.A25).

In determining the nature and extent of audit evidence to be obtained in relation to balances representing assets held or transactions undertaken by a service organization on behalf of the user entity, the following procedures may be considered by the user auditor (CAS 402.A26):

(a) Inspecting records and documents held by the user entity: the reliability of this source of evidence is determined by the nature and extent of the accounting records and supporting documentation retained by the user entity. In some cases, the user entity may not maintain independent detailed records or documentation of specific transactions undertaken on its behalf.

(b) Inspecting records and documents held by the service organization: the user auditor’s access to the records of the service organization may be established as part of the contractual arrangements between the user entity and the service organization. The user auditor may also use another auditor, on its behalf, to gain access to the user entity’s records maintained by the service organization.

(c) Obtaining confirmations of balances and transactions from the service organization: where the user entity maintains independent records of balances and transactions, confirmation from the service organization corroborating the user entity’s records may constitute reliable audit evidence concerning the existence of the transactions and assets concerned. For example, when multiple service organizations are used, such as an investment manager and a custodian, and these service organizations maintain independent records, the user auditor may confirm balances with these organizations in order to compare this information with the independent records of the user entity.

If the user entity does not maintain independent records, information obtained in confirmations from the service organization is merely a statement of what is reflected in the records maintained by the service organization. Therefore, such confirmations do not, taken alone, constitute reliable audit evidence. In these circumstances, the user auditor may consider whether an alternative source of independent evidence can be identified.

(d) Performing analytical procedures on the records maintained by the user entity or on the reports received from the service organization: the effectiveness of analytical procedures is likely to vary by assertion and will be affected by the extent and detail of information available.

Another auditor may perform procedures that are substantive in nature for the benefit of user auditors. Such an engagement may involve the performance, by another auditor, of procedures agreed upon by the user entity and its user auditor and by the service organization and its service auditor. The findings resulting from the procedures performed by another auditor are reviewed by the user auditor to determine whether they constitute sufficient appropriate audit evidence. In addition, there may be requirements imposed by governmental authorities or through contractual arrangements whereby a service auditor performs designated procedures that are substantive in nature. The results of the application of the required procedures to balances and transactions processed by the service organization may be used by user auditors as part of the evidence necessary to support their audit opinions. In these circumstances, it may be useful for the user auditor and the service auditor to agree, prior to the performance of the procedures, to the audit documentation or access to audit documentation that will be provided to the user auditor (CAS 402.A27).

In certain circumstances, in particular when a user entity outsources some or all of its finance function to a service organization, the user auditor may face a situation where a significant portion of the audit evidence resides at the service organization. Substantive procedures may need to be performed at the service organization by the user auditor or another auditor on its behalf. A service auditor may provide a type 2 report and, in addition, may perform substantive procedures on behalf of the user auditor. The involvement of another auditor does not alter the user auditor’s responsibility to obtain sufficient appropriate audit evidence to afford a reasonable basis to support the user auditor’s opinion. Accordingly, the user auditor’s consideration of whether sufficient appropriate audit evidence has been obtained and whether the user auditor needs to perform further substantive procedures includes the user auditor’s involvement with, or evidence of, the direction, supervision and performance of the substantive procedures performed by another auditor (CAS 402.A28).

CAS Guidance

The user auditor is required by CAS 330 to design and perform tests of controls to obtain sufficient appropriate audit evidence as to the operating effectiveness of controls in certain circumstances. In the context of a service organization, this requirement applies when (CAS 402.A29):

(a) The user auditor’s assessment of risks of material misstatement includes an expectation that the controls at the service organization are operating effectively (that is, the user auditor intends to rely on the operating effectiveness of controls at the service organization in determining the nature, timing and extent of substantive procedures); or

(b) Substantive procedures alone, or in combination with tests of the operating effectiveness of controls at the user entity, cannot provide sufficient appropriate audit evidence at the assertion level.

If a type 2 report is not available, a user auditor may contact the service organization, through the user entity, to request that a service auditor be engaged to provide a type 2 report that includes tests of the operating effectiveness of the controls or the user auditor may use another auditor to perform procedures at the service organization that test the operating effectiveness of those controls. A user auditor may also visit the service organization and perform tests of controls if the service organization agrees to it. The user auditor’s risk assessments are based on the combined evidence provided by the work of another auditor and the user auditor’s own procedures (CAS 402.A30).

CAS Guidance

A type 2 report may be intended to satisfy the needs of several different user auditors; therefore tests of controls and results described in the service auditor’s report may not be relevant to assertions that are significant in the user entity’s financial statements. The relevant tests of controls and results are evaluated to determine that the service auditor’s report provides sufficient appropriate audit evidence about the effectiveness of the controls to support the user auditor’s risk assessment. In doing so, the user auditor may consider the following factors (CAS 402.A31):

(a) The time period covered by the tests of controls and the time elapsed since the performance of the tests of controls

(b) The scope of the service auditor’s work and the services and processes covered, the controls tested and tests that were performed, and the way in which tested controls relate to the user entity’s controls

(c) The results of those tests of controls and the service auditor’s opinion on the operating effectiveness of the controls

For certain assertions, the shorter the period covered by a specific test and the longer the time elapsed since the performance of the test, the less audit evidence the test may provide. In comparing the period covered by the type 2 report to the user entity’s financial reporting period, the user auditor may conclude that the type 2 report offers less audit evidence if there is little overlap between the period covered by the type 2 report and the period for which the user auditor intends to rely on the report. When this is the case, a type 2 report covering a preceding or subsequent period may provide additional audit evidence. In other cases, the user auditor may determine it is necessary to perform, or use another auditor to perform, tests of controls at the service organization in order to obtain sufficient appropriate audit evidence about the operating effectiveness of those controls (CAS 402.A32).

It may also be necessary for the user auditor to obtain additional evidence about significant changes to the controls at the service organization outside of the period covered by the type 2 report or determine additional audit procedures to be performed. Relevant factors in determining what additional audit evidence to obtain about controls at the service organization that were operating outside of the period covered by the service auditor’s report may include (CAS 402.A33):

• The significance of the assessed risks of material misstatement at the assertion level;
• The specific controls that were tested during the interim period, and significant changes to them since they were tested, including changes in the information system, processes, and personnel;
• The degree to which audit evidence about the operating effectiveness of those controls was obtained;
• The length of the remaining period;
• The extent to which the user auditor intends to reduce further substantive procedures based on the reliance on controls; and
• The effectiveness of the control environment and the user entity’s process to monitor the system of internal control.

Additional audit evidence may be obtained, for example, by extending tests of controls over the remaining period or testing the user entity’s process to monitor the system of internal control (CAS 402.A34).

If the service auditor’s testing period is completely outside the user entity’s financial reporting period, the user auditor will be unable to rely on such tests for the user auditor to conclude that the user entity’s controls are operating effectively because they do not provide current audit period evidence of the effectiveness of the controls, unless other procedures are performed (CAS 402.A35).

In certain circumstances, a service provided by the service organization may be designed with the assumption that certain controls will be implemented by the entity. For example, the service may be designed with the assumption that the user entity will have controls in place for authorizing transactions before they are sent to the service organization for processing. In such a situation, the service organization’s description of controls may include a description of those complementary entity controls. The auditor considers whether those complementary entity controls are relevant to the service provided to the user entity (CAS 402.A36).

If the user auditor believes that the service auditor’s report may not provide sufficient appropriate audit evidence, for example, if a service auditor’s report does not contain a description of the service auditor’s tests of controls and results thereon, the auditor may supplement the understanding of the service auditor’s procedures and conclusions by contacting the service organization, through the user entity, to request a discussion with the service auditor about the scope and results of the service auditor’s work. Also, if the user auditor believes it is necessary, the auditor may contact the service organization, through the user entity, to request that the service auditor perform procedures at the service organization. Alternatively, the user auditor, or another auditor at the request of the auditor, may perform such procedures (CAS 402.A37).

The service auditor’s type 2 report identifies results of tests, including exceptions and other information that could affect the user auditor’s conclusions. Exceptions noted by the service auditor or a modified opinion in the service auditor’s type 2 report do not automatically mean that the service auditor’s type 2 report will not be useful for the audit of the user entity’s financial statements in assessing the risks of material misstatement. Rather, the exceptions and the matter giving rise to a modified opinion in the service auditor’s type 2 report are considered in the user auditor’s assessment of the testing of controls performed by the service auditor. In considering the exceptions and matters giving rise to a modified opinion, the user auditor may discuss such matters with the service auditor. Such communication is dependent upon the user entity contacting the service organization, and obtaining the service organization’s approval for the communication to take place (CAS 402.A38).

The user auditor is required to communicate in writing significant deficiencies identified during the audit to both management and those charged with governance on a timely basis. The auditor is also required to communicate to management at an appropriate level of responsibility on a timely basis other deficiencies in internal control identified during the audit that, in the user auditor’s professional judgment, are of sufficient importance to merit management’s attention. Matters that the user auditor may identify during the audit and may communicate to management and those charged with governance of the entity include (CAS 402.A39):

• Any controls within the entity’s process to monitor the system of internal control that could be implemented by the user entity, including those identified as a result of obtaining a type 1 or type 2 report;
• Instances where complementary user entity controls are noted in the type 1 or type 2 report and are not implemented at the user entity; and
• Controls that may be needed at the service organization that do not appear to have been implemented or that are not specifically covered by a type 2 report.