6043 Service organization audit evidence
Sep-2022

Support understanding of the service organization using a type 1 or type 2 report

CAS Requirement

If the user auditor plans to use a type 1 or type 2 report as audit evidence to support the user auditor’s understanding about the design and implementation of controls at the service organization, the user auditor shall (CAS 402.14):

(a) Evaluate whether the description and design of controls at the service organization is at a date or for a period that is appropriate for the user auditor’s purposes;

(b) Evaluate the sufficiency and appropriateness of the evidence provided by the report for the understanding of the controls at the service organization; and

(c) Determine whether complementary user entity controls identified by the service organization are relevant to the user entity and, if so, obtain an understanding of whether the user entity has designed and implemented such controls.

OAG Guidance

A type 1 or type 2 report, along with information about the user entity, may assist the user auditor in obtaining an understanding of (CAS 402.A22):

(a) The aspects of controls at the service organization that may affect the processing of the user entity’s transactions, including the use of subservice organizations;

(b) The flow of significant transactions through the service organization to determine the points in the transaction flow where material misstatements in the user entity’s financial statements could occur;

(c) The control objectives at the service organization that are relevant to the user entity’s financial statement assertions; and

(d) Whether controls at the service organization are suitably designed and implemented to prevent or detect processing errors that could result in material misstatements in the user entity’s financial statements.

A type 1 or type 2 report may assist the user auditor in obtaining a sufficient understanding to identify and assess the risks of material misstatement. A type 1 report, however, does not provide any evidence of the operating effectiveness of the controls.

A type 1 or type 2 report that is as of a date or for a period that is outside of the reporting period of a user entity may assist the user auditor in obtaining a preliminary understanding of the controls implemented at the service organization if the report is supplemented by additional current information from other sources. If the service organization’s description of controls is as of a date or for a period that precedes the beginning of the period under audit, the user auditor may perform procedures to update the information in a type 1 or type 2 report, such as (CAS 402.A23):

  • Discussing the changes at the service organization with user entity personnel who would be in a position to know of such changes.
  • Reviewing current documentation and correspondence issued by the service organization.
  • Discussing the changes with service organization personnel.

OAG Guidance

A service organization’s controls are generally designed with the assumption that certain controls will be implemented by the user entity. In many situations, the application of specific controls at the user entity is necessary to achieve certain control objectives identified within the type 1 or type 2 reports. It is the entity’s responsibility to determine whether the control objectives identified in the type 1 or type 2 report are relevant to the user entity’s controls. We review the user entity’s documented design of controls for reasonableness and completeness.

If complementary user entity controls are required to achieve the stated control objectives, the service organization typically describes them in its description of controls. Examples of complementary user entity controls include

  • passwords needed to access the service organization’s applications through computer terminals;
  • inputs sent to the service organization are complete, accurate, and authorized; and
  • required output is received from the service organization and reconciled to the input sent to the service organization.

It is the user entity’s responsibility to determine whether complementary user entity controls cited in the report issued by the service organization are relevant to the overall design of the entity’s controls and, if so, to assess that they are placed in operation and are operating effectively. Our responsibility is to evaluate those complementary user entity controls included in the control activities component.

If the complementary user entity’s controls do not fully address a control objective, the entity may identify/implement mitigating controls. We are responsible for evaluating the relevance of such complementary user entity controls.

Appropriateness of audit evidence provided by a type 1 or type 2 report

CAS Requirement

In determining the sufficiency and appropriateness of the audit evidence provided by a type 1 or type 2 report, the user auditor shall be satisfied as to: (CAS 402.13)

(a) The service auditor’s professional competence and independence from the service organization; and

(b) The adequacy of the standards under which the type 1 or type 2 report was issued.

CAS Guidance

The user auditor may make inquiries about the service auditor to the service auditor’s professional organization or other practitioners and inquire whether the service auditor is subject to regulatory oversight. The service auditor may be practicing in a jurisdiction where different standards are followed in respect of reports on controls at a service organization, and the user auditor may obtain information about the standards used by the service auditor from the standards setting organization (CAS 402.A21).

OAG Guidance

See section “Using a Type 1 or Type 2 Service Auditor’s Report” in OAG Audit 6042 for guidance on determining the adequacy of the service auditor’s reporting standard.

Responding to the assessed risks of material misstatement

CAS Requirement

In responding to assessed risks in accordance with CAS 330, the user auditor shall (CAS 402.15):

(a) Determine whether sufficient appropriate audit evidence concerning the relevant financial statement assertions is available from records held at the user entity; and if not,

(b) Perform further audit procedures to obtain sufficient appropriate audit evidence or use another auditor to perform those procedures at the service organization on the user auditor’s behalf.

CAS Guidance

Whether the use of a service organization increases a user entity’s risk of material misstatement depends on the nature of the services provided and the controls over these services; in some cases, the use of a service organization may decrease the user entity’s risk of material misstatement, particularly if the user entity itself does not possess the expertise necessary to undertake particular activities, such as initiating, processing, and recording transactions, or does not have adequate resources (for example, an IT system) (CAS 402.A24).

When the service organization maintains material elements of the accounting records of the user entity, direct access to those records may be necessary in order for the user auditor to obtain sufficient appropriate audit evidence relating to the operations of controls over those records or to substantiate transactions and balances recorded in them, or both. Such access may involve either physical inspection of records at the service organization’s premises or interrogation of records maintained electronically from the user entity or another location, or both. Where direct access is achieved electronically, the user auditor may thereby obtain evidence as to the adequacy of controls operated by the service organization over the completeness and integrity of the user entity’s data for which the service organization is responsible (CAS 402.A25).

In determining the nature and extent of audit evidence to be obtained in relation to balances representing assets held or transactions undertaken by a service organization on behalf of the user entity, the following procedures may be considered by the user auditor (CAS 402.A26):

(a) Inspecting records and documents held by the user entity: the reliability of this source of evidence is determined by the nature and extent of the accounting records and supporting documentation retained by the user entity. In some cases, the user entity may not maintain independent detailed records or documentation of specific transactions undertaken on its behalf.

(b) Inspecting records and documents held by the service organization: the user auditor’s access to the records of the service organization may be established as part of the contractual arrangements between the user entity and the service organization. The user auditor may also use another auditor, on its behalf, to gain access to the user entity’s records maintained by the service organization.

(c) Obtaining confirmations of balances and transactions from the service organization: where the user entity maintains independent records of balances and transactions, confirmation from the service organization corroborating the user entity’s records may constitute reliable audit evidence concerning the existence of the transactions and assets concerned. For example, when multiple service organizations are used, such as an investment manager and a custodian, and these service organizations maintain independent records, the user auditor may confirm balances with these organizations in order to compare this information with the independent records of the user entity.

If the user entity does not maintain independent records, information obtained in confirmations from the service organization is merely a statement of what is reflected in the records maintained by the service organization. Therefore, such confirmations do not, taken alone, constitute reliable audit evidence. In these circumstances, the user auditor may consider whether an alternative source of independent evidence can be identified.

(d) Performing analytical procedures on the records maintained by the user entity or on the reports received from the service organization: the effectiveness of analytical procedures is likely to vary by assertion and will be affected by the extent and detail of information available.

Another auditor may perform procedures that are substantive in nature for the benefit of user auditors. Such an engagement may involve the performance, by another auditor, of procedures agreed upon by the user entity and its user auditor and by the service organization and its service auditor. The findings resulting from the procedures performed by another auditor are reviewed by the user auditor to determine whether they constitute sufficient appropriate audit evidence. In addition, there may be requirements imposed by governmental authorities or through contractual arrangements whereby a service auditor performs designated procedures that are substantive in nature. The results of the application of the required procedures to balances and transactions processed by the service organization may be used by user auditors as part of the evidence necessary to support their audit opinions. In these circumstances, it may be useful for the user auditor and the service auditor to agree, prior to the performance of the procedures, to the audit documentation or access to audit documentation that will be provided to the user auditor (CAS 402.A27).

In certain circumstances, in particular when a user entity outsources some or all of its finance function to a service organization, the user auditor may face a situation where a significant portion of the audit evidence resides at the service organization. Substantive procedures may need to be performed at the service organization by the user auditor or another auditor on its behalf. A service auditor may provide a type 2 report and, in addition, may perform substantive procedures on behalf of the user auditor. The involvement of another auditor does not alter the user auditor’s responsibility to obtain sufficient appropriate audit evidence to afford a reasonable basis to support the user auditor’s opinion. Accordingly, the user auditor’s consideration of whether sufficient appropriate audit evidence has been obtained and whether the user auditor needs to perform further substantive procedures includes the user auditor’s involvement with, or evidence of, the direction, supervision and performance of the substantive procedures performed by another auditor (CAS 402.A28).

Test of controls at a service organization

CAS Requirement

When the user auditor’s risk assessment includes an expectation that controls at the service organization are operating effectively, the user auditor shall obtain audit evidence about the operating effectiveness of those controls from one or more of the following procedures (CAS 402.16):

(a) Obtaining a type 2 report, if available;

(b) Performing appropriate tests of controls at the service organization; or

(c) Using another auditor to perform tests of controls at the service organization on behalf of the user auditor.

CAS Guidance

The user auditor is required by CAS 330 to design and perform tests of controls to obtain sufficient appropriate audit evidence as to the operating effectiveness of controls in certain circumstances. In the context of a service organization, this requirement applies when (CAS 402.A29):

(a) The user auditor’s assessment of risks of material misstatement includes an expectation that the controls at the service organization are operating effectively (that is, the user auditor intends to rely on the operating effectiveness of controls at the service organization in determining the nature, timing and extent of substantive procedures); or

(b) Substantive procedures alone, or in combination with tests of the operating effectiveness of controls at the user entity, cannot provide sufficient appropriate audit evidence at the assertion level.

If a type 2 report is not available, a user auditor may contact the service organization, through the user entity, to request that a service auditor be engaged to provide a type 2 report that includes tests of the operating effectiveness of the controls or the user auditor may use another auditor to perform procedures at the service organization that test the operating effectiveness of those controls. A user auditor may also visit the service organization and perform tests of controls if the service organization agrees to it. The user auditor’s risk assessments are based on the combined evidence provided by the work of another auditor and the user auditor’s own procedures (CAS 402.A30).

OAG Guidance

It is important to remember that unlike type 2 reports, the auditor cannot rely on a type 1 report to reduce the assessed level of control risk in order to adjust the nature, timing and extent of substantive procedures.

Use of a type 2 report as evidence

CAS Requirement

If, in accordance with paragraph 16 (a), the user auditor plans to use a type 2 report as audit evidence that controls at the service organization are operating effectively, the user auditor shall determine whether the service auditor’s report provides sufficient appropriate audit evidence about the effectiveness of the controls to support the user auditor’s risk assessment by (CAS 402.17):

(a) Evaluating whether the description, design and operating effectiveness of controls at the service organization is at a date or for a period that is appropriate for the auditor’s purposes

(b) Determining whether complementary user entity controls identified by the service organization are relevant to the user entity and, if so, obtaining an understanding of whether the user entity has designed and implemented such controls and, if so, testing their operating effectiveness

(c) Evaluating the adequacy of the time period covered by the tests of controls and the time elapsed since the performance of the tests of controls

(d) Evaluating whether the tests of controls performed by the service auditor and the results thereof, as described in the service auditor’s report, are relevant to the assertions in the user entity’s financial statements and provide sufficient appropriate audit evidence to support the user auditor’s risk assessment.

CAS Guidance

A type 2 report may be intended to satisfy the needs of several different user auditors; therefore tests of controls and results described in the service auditor’s report may not be relevant to assertions that are significant in the user entity’s financial statements. The relevant tests of controls and results are evaluated to determine that the service auditor’s report provides sufficient appropriate audit evidence about the effectiveness of the controls to support the user auditor’s risk assessment. In doing so, the user auditor may consider the following factors (CAS 402.A31):

(a) The time period covered by the tests of controls and the time elapsed since the performance of the tests of controls

(b) The scope of the service auditor’s work and the services and processes covered, the controls tested and tests that were performed, and the way in which tested controls relate to the user entity’s controls

(c) The results of those tests of controls and the service auditor’s opinion on the operating effectiveness of the controls

For certain assertions, the shorter the period covered by a specific test and the longer the time elapsed since the performance of the test, the less audit evidence the test may provide. In comparing the period covered by the type 2 report to the user entity’s financial reporting period, the user auditor may conclude that the type 2 report offers less audit evidence if there is little overlap between the period covered by the type 2 report and the period for which the user auditor intends to rely on the report. When this is the case, a type 2 report covering a preceding or subsequent period may provide additional audit evidence. In other cases, the user auditor may determine it is necessary to perform, or use another auditor to perform, tests of controls at the service organization in order to obtain sufficient appropriate audit evidence about the operating effectiveness of those controls (CAS 402.A32).

It may also be necessary for the user auditor to obtain additional evidence about significant changes to the controls at the service organization outside of the period covered by the type 2 report or determine additional audit procedures to be performed. Relevant factors in determining what additional audit evidence to obtain about controls at the service organization that were operating outside of the period covered by the service auditor’s report may include (CAS 402.A33):

  • The significance of the assessed risks of material misstatement at the assertion level;
  • The specific controls that were tested during the interim period, and significant changes to them since they were tested, including changes in the information system, processes, and personnel;
  • The degree to which audit evidence about the operating effectiveness of those controls was obtained;
  • The length of the remaining period;
  • The extent to which the user auditor intends to reduce further substantive procedures based on the reliance on controls; and
  • The effectiveness of the control environment and the user entity’s process to monitor the system of internal control.

Additional audit evidence may be obtained, for example, by extending tests of controls over the remaining period or testing the user entity’s process to monitor the system of internal control (CAS 402.A34).

If the service auditor’s testing period is completely outside the user entity’s financial reporting period, the user auditor will be unable to rely on such tests for the user auditor to conclude that the user entity’s controls are operating effectively because they do not provide current audit period evidence of the effectiveness of the controls, unless other procedures are performed (CAS 402.A35).

In certain circumstances, a service provided by the service organization may be designed with the assumption that certain controls will be implemented by the entity. For example, the service may be designed with the assumption that the user entity will have controls in place for authorizing transactions before they are sent to the service organization for processing. In such a situation, the service organization’s description of controls may include a description of those complementary entity controls. The auditor considers whether those complementary entity controls are relevant to the service provided to the user entity (CAS 402.A36).

If the user auditor believes that the service auditor’s report may not provide sufficient appropriate audit evidence, for example, if a service auditor’s report does not contain a description of the service auditor’s tests of controls and results thereon, the auditor may supplement the understanding of the service auditor’s procedures and conclusions by contacting the service organization, through the user entity, to request a discussion with the service auditor about the scope and results of the service auditor’s work. Also, if the user auditor believes it is necessary, the auditor may contact the service organization, through the user entity, to request that the service auditor perform procedures at the service organization. Alternatively, the user auditor, or another auditor at the request of the auditor, may perform such procedures (CAS 402.A37).

The service auditor’s type 2 report identifies results of tests, including exceptions and other information that could affect the user auditor’s conclusions. Exceptions noted by the service auditor or a modified opinion in the service auditor’s type 2 report do not automatically mean that the service auditor’s type 2 report will not be useful for the audit of the user entity’s financial statements in assessing the risks of material misstatement. Rather, the exceptions and the matter giving rise to a modified opinion in the service auditor’s type 2 report are considered in the user auditor’s assessment of the testing of controls performed by the service auditor. In considering the exceptions and matters giving rise to a modified opinion, the user auditor may discuss such matters with the service auditor. Such communication is dependent upon the user entity contacting the service organization, and obtaining the service organization’s approval for the communication to take place (CAS 402.A38).

The user auditor is required to communicate in writing significant deficiencies identified during the audit to both management and those charged with governance on a timely basis. The auditor is also required to communicate to management at an appropriate level of responsibility on a timely basis other deficiencies in internal control identified during the audit that, in the user auditor’s professional judgment, are of sufficient importance to merit management’s attention. Matters that the user auditor may identify during the audit and may communicate to management and those charged with governance of the entity include (CAS 402.A39):

  • Any controls within the entity’s process to monitor the system of internal control that could be implemented by the user entity, including those identified as a result of obtaining a type 1 or type 2 report;
  • Instances where complementary user entity controls are noted in the type 1 or type 2 report and are not implemented at the user entity; and
  • Controls that may be needed at the service organization that do not appear to have been implemented or that are not specifically covered by a type 2 report.

OAG Guidance

Regardless of its source, management’s evaluation of controls at the service organization typically includes

  • the controls at the service organization and/or at the entity that may affect the processing of the entity’s transactions and that are relevant to the entity’s financial statement assertions;
  • controls related to the flow of significant transactions through the service organization; and
  • testing of design and operating effectiveness of these controls; and testing of any relevant user controls.

Similar to controls at the user entity, when relying on controls at a service organization, evidence of operating effectiveness is to be obtained throughout the period of reliance.

The time period between the service auditor’s report as-of date and the client’s fiscal year-end for which we are seeking reliance on controls in our audit may differ (i.e., a “gap period”). In those instances of a “gap period”, we request that the entity make inquiries of service organization management and inspect service organization communications to ascertain whether there have been any significant changes in controls that could impact internal controls over financial reporting. These changes might include the following:

  • Changes in personnel with whom management interacts at the service organization
  • Changes in reports or other data received from the service organization
  • Changes in contracts or service level agreements with the service organization, or
  • Errors identified in the service organization’s processing

Based on an evaluation of various risk factors, including the timing and length of any “gap period”, the significance of the service organization activities, whether errors have been identified in the service organization’s processing, and the nature and significance of any changes in the service organization’s controls identified by us or management, consider whether we need additional evidence about the operating effectiveness of controls during the “gap period.” For example:

  • Have the entity request the service organization to engage the service auditor to perform additional tests of operating effectiveness of controls for the period not covered by the type 1 or type 2 report,
  • Visit the service organization and perform tests of operating effectiveness,
  • Perform inquiry or observation procedures confirming no changes to controls, or
  • Have the entity obtain a letter from the service organization confirming no changes in controls.

Generally, if the report is older than six months, consider requesting a more current report. If a more current report cannot be obtained, we perform other procedures in order to obtain evidence over the controls performed by the service organization.

See OAG Audit 4028.4 for further guidance on the reliability of information generated by an IT application used in our audit when the information is provided by a service organization. In such cases, we also assess whether the service auditor’s report describes the procedures performed to assess the completeness and accuracy of information used in the controls and whether these procedures are considered to be sufficient when determining the adequacy of the audit evidence provided by the service auditor’s report.

If the service auditor report indicates that complementary user entity controls are required to achieve the stated control objectives and the user entity has determined that the complementary user entity controls cited in the report issued by the service organization are relevant to the overall design of the user entity’s controls, then we need to test the design and operating effectiveness of these controls. See the “Support Understanding of the Service Organization Using a Type 1 or Type 2 Report” section above for more background on complementary user entity controls. When complementary user entity controls relevant to the overall design of the entity’s controls are not designed or operating effectively, these would normally represent deficiencies in internal control.

When exceptions are noted in type 2 reports, the entity is responsible for evaluating the impact and significance of the exception on the entity’s controls. We are responsible for evaluating and documenting whether the entity’s conclusions are reasonable. In situations where exceptions represent deficiencies in internal control, we create an issue within the audit file. Refer to OAG Audit 6057 for further information on how to post deficiencies in internal control within the audit file.

Guidance specific to Legislative Auditors

OAG Guidance

When the service organization is a federal public sector entity (for example, payroll processing by PWGSC), the auditor of the service organization will normally be the OAG. In this situation, the engagement leaders of the teams involved (user entity and service organization) shall ensure appropriate communication at the planning phase to clearly establish the needs of their respective audits and the expected nature, timing and extent of inter-office reports. The financial audit file contains the results of these communications and reports.