Obtaining an Understanding of the Services Provided by a Service Organization, Including Internal Control

1. When obtaining an understanding of the user entity in accordance with ISA 315, the user auditor shall obtain an understanding of how a user entity uses the services of a service organization in the user entity’s operations, including:

  1. The nature of the services provided by the service organization and the significance of those services to the user entity, including the effect thereof on the user entity’s internal control;
  2. The nature and materiality of the transactions processed or accounts or financial reporting processes affected by the service organization;
  3. The degree of interaction between the activities of the service organization and those of the user entity; and
  4. The nature of the relationship between the user entity and the service organization, including the relevant contractual terms for the activities undertaken by the service organization.

2. When obtaining an understanding of internal control relevant to the audit in accordance with ISA 315, the user auditor shall evaluate the design and implementation of relevant controls at the user entity that relate to the services provided by the service organization, including those that are applied to the transactions processed by the service organization.
3. The user auditor shall determine whether a sufficient understanding of the nature and significance of the services provided by the service organization and their effect on the user entity’s internal control relevant to the audit has been obtained to provide a basis for the identification and assessment of risks of material misstatement.
4. If the user auditor is unable to obtain a sufficient understanding from the user entity, the user auditor shall obtain that understanding from one or more of the following procedures:

  1. Obtaining a type 1 or type 2 report, if available;
  2. Contacting the service organization, through the user entity, to obtain specific information;
  3. Visiting the service organization and performing procedures that will provide the necessary information about the relevant controls at the service organization; or
  4. Using another auditor to perform procedures that will provide the necessary information about the relevant controls at the service organization.

Using a Type 1 or Type 2 Report to Support the User Auditor’s Understanding of the Service Organization

5. In determining the sufficiency and appropriateness of the audit evidence provided by a type 1 or type 2 report, the user auditor shall be satisfied as to:

  1. The service auditor’s professional competence and independence from the service organization; and
  2. The adequacy of the standards under which the type 1 or type 2 report was issued.

6. If the user auditor plans to use a type 1 or type 2 report as audit evidence to support the user auditor’s understanding about the design and implementation of controls at the service organization, the user auditor shall:

  1. Evaluate whether the description and design of controls at the service organization is at a date or for a period that is appropriate for the user auditor’s purposes;
  2. Evaluate the sufficiency and appropriateness of the evidence provided by the report for the understanding of the user entity’s internal control relevant to the audit; and
  3. Determine whether complementary user entity controls identified by the service organization are relevant to the user entity and, if so, obtain an understanding of whether the user entity has designed and implemented such controls.

Responding to the Assessed Risks of Material Misstatement

7. In responding to assessed risks in accordance with ISA 330, the user auditor shall:

  1. Determine whether sufficient appropriate audit evidence concerning the relevant financial statement assertions is available from records held at the user entity; and, if not,
  2. Perform further audit procedures to obtain sufficient appropriate audit evidence or use another auditor to perform those procedures at the service organization on the user auditor’s behalf.