ISA 402, also known as “Audit Considerations Relating to Entities Using Service Organizations,” is an International Standard on Auditing issued by the International Auditing and Assurance Standards Board (IAASB). It provides guidance to auditors on how to effectively plan and perform audits when the entity being audited uses the services of one or more service organizations to process financial transactions or provide services that are significant to the entity’s financial statements.
Definitions:
Service Organization: Refers to an organization that provides services to another entity, such as processing financial transactions or providing IT services, which are relevant to the entity’s financial statements.
User Entity: Refers to the entity that engages the services of a service organization and whose financial statements are being audited.
Service Auditor: Refers to an auditor who audits and reports on the controls of a service organization; the resulting report is often referred to as a Service Organization Control (SOC) report.
Explanations:
When a user entity engages the services of a service organization, the user entity may rely on the controls implemented by the service organization to process financial transactions or provide services that are relevant to the user entity’s financial statements. In such cases, the auditor of the user entity needs to obtain sufficient appropriate audit evidence to support their opinion on the financial statements, including evidence about the controls implemented by the service organization.
ISA 402 provides guidance to auditors on how to effectively plan and perform audits in such situations. The standard emphasizes the importance of understanding the services provided by the service organization, assessing the risks associated with the services, and obtaining audit evidence regarding the design and operating effectiveness of controls at the service organization.
The standard requires auditors to perform the following procedures in relation to entities using service organizations:
Obtaining an Understanding of the Services Provided by the Service Organization: Auditors should obtain an understanding of the services provided by the service organization, including the nature, significance, and risks associated with those services. This may involve reviewing the service organization’s contracts, agreements, and relevant documentation, and may also require communication with the service auditor.
Assessing the Risks Associated with the Services: Auditors should assess the risks associated with the services provided by the service organization, including the risks of material misstatement in the user entity’s financial statements arising from the services provided by the service organization. This may involve considering the service organization’s control environment, the design and operating effectiveness of controls, and the service organization’s financial stability.
Obtaining Audit Evidence Regarding the Design and Operating Effectiveness of Controls at the Service Organization: Auditors should obtain sufficient appropriate audit evidence regarding the design and operating effectiveness of controls at the service organization. This may involve obtaining and evaluating the service auditor’s report on controls, performing tests of controls at the user entity’s level, or performing procedures at the service organization’s location.
Evaluating the Effect of the Service Organization’s Controls on the User Entity’s Financial Statements: Auditors should evaluate the effect of the service organization’s controls on the user entity’s financial statements, including the effect on the user entity’s internal control over financial reporting. This may involve considering the nature and extent of reliance placed on the service organization’s controls, and evaluating the implications of any identified control deficiencies.
Examples:
Example 1:
XYZ Corporation engages a third-party service organization to process its payroll transactions. The auditor of XYZ Corporation needs to obtain audit evidence regarding the design and operating effectiveness of controls at the service organization. This may involve obtaining the service auditor’s report on controls, reviewing the service organization’s control environment, and performing tests of controls at the user entity’s level to ensure that payroll transactions are accurately processed and recorded in XYZ Corporation’s financial statements.
Example 2:
ABC Bank uses a service organization to provide IT services, including data storage and data processing for its core banking system. The auditor of ABC Bank needs to assess the risks associated with the services provided by the service organization, including the risks of material misstatement in ABC Bank’s financial statements arising from the IT services. This may involve evaluating the service organization’s control environment, assessing the design and operating effectiveness of controls, and obtaining and evaluating the service auditor’s report on controls to ensure the reliability and integrity of the data processed by the service organization.
Example 3:
DEF Insurance Company uses a third-party service organization to manage its claims processing. The auditor of DEF Insurance Company needs to obtain sufficient appropriate audit evidence regarding the design and operating effectiveness of controls at the service organization to ensure the accuracy and completeness of claims recorded in DEF Insurance Company’s financial statements. This may involve performing tests of controls at the user entity’s level, obtaining and evaluating the service auditor’s report on controls, and reviewing relevant documentation and agreements to ensure that claims are properly processed, recorded, and reported in DEF Insurance Company’s financial statements.
Case Studies:
Case Study 1:
ABC Corporation is a multinational company that uses a third-party service organization to process its global payroll transactions. The auditor of ABC Corporation needs to assess the risks associated with the services provided by the service organization, including the risks of material misstatement in ABC Corporation’s financial statements arising from the payroll transactions. The auditor obtains the service auditor’s report on controls, reviews the service organization’s control environment, performs tests of controls at the user entity’s level, and evaluates the design and operating effectiveness of controls to ensure the accuracy and completeness of payroll transactions recorded in ABC Corporation’s financial statements.
Case Study 2:
XYZ Bank is a financial institution that uses a service organization to provide IT services, including data processing for its core banking system. The auditor of XYZ Bank needs to obtain sufficient appropriate audit evidence regarding the design and operating effectiveness of controls at the service organization to ensure the reliability and integrity of the data processed by the service organization. The auditor performs detailed testing of controls at the user entity’s level, obtains and evaluates the service auditor’s report on controls, and reviews relevant documentation and agreements to ensure that the IT services provided by the service organization are reliable and secure, and the data processed is accurate and complete.
Case Study 3:
DEF Insurance Company is an insurance provider that uses a third-party service organization to manage its claims processing. The auditor of DEF Insurance Company needs to assess the risks associated with the services provided by the service organization, including the risks of material misstatement in DEF Insurance Company’s financial statements arising from the claims processing. The auditor obtains and evaluates the service auditor’s report on controls, performs tests of controls at the user entity’s level, and reviews relevant documentation and agreements to ensure that the claims processed by the service organization are accurately recorded and reported in DEF Insurance Company’s financial statements.
In all these case studies, the auditors have followed the guidance provided by ISA 402 to effectively plan and perform audits when the user entity uses the services of a service organization. These procedures include obtaining an understanding of the services provided by the service organization, assessing the risks associated with the services, obtaining audit evidence regarding the design and operating effectiveness of controls at the service organization, and evaluating the effect of the service organization’s controls on the user entity’s financial statements.
In conclusion, ISA 402 provides guidance to auditors on how to effectively plan and perform audits when the entity being audited uses the services of a service organization. The examples and case studies provided illustrate how auditors can apply ISA 402 in practice to obtain sufficient appropriate audit evidence and ensure the accuracy and completeness of financial statements when relying on the services of a service organization. It is crucial for auditors to understand and follow the requirements of ISA 402.