1. When the user auditor’s risk assessment includes an expectation that controls at the service organization are operating effectively, the user auditor shall obtain audit evidence about the operating effectiveness of those controls from one or more of the following procedures:

  1. Obtaining a type 2 report, if available;
  2. Performing appropriate tests of controls at the service organization; or
  3. Using another auditor to perform tests of controls at the service organization on behalf of the user auditor.

Using a Type 2 Report as Audit Evidence that Controls at the Service Organization Are Operating Effectively

2. If, in accordance with paragraph 16(a), the user auditor plans to use a type 2 report as audit evidence that controls at the service organization are operating effectively, the user auditor shall determine whether the service auditor’s report provides sufficient appropriate audit evidence about the effectiveness of the controls to support the user auditor’s risk assessment by:

  1. Evaluating whether the description, design and operating effectiveness of controls at the service organization is at a date or for a period that is appropriate for the user auditor’s purposes;
  2. Determining whether complementary user entity controls identified by the service organization are relevant to the user entity and, if so, obtaining an understanding of whether the user entity has designed and implemented such controls and, if so, testing their operating effectiveness;
  3. Evaluating the adequacy of the time period covered by the tests of controls and the time elapsed since the performance of the tests of controls; and
  4. Evaluating whether the tests of controls performed by the service auditor and the results thereof, as described in the service auditor’s report, are relevant to the assertions in the user entity’s financial statements and provide sufficient appropriate audit evidence to support the user auditor’s risk assessment.

Type 1 and Type 2 Reports that Exclude the Services of a Subservice Organization

3. If the user auditor plans to use a type 1 or a type 2 report that excludes the services provided by a subservice organization and those services are relevant to the audit of the user entity’s financial statements, the user auditor shall apply the requirements of this ISA with respect to the services provided by the subservice organization.

Fraud, Non-Compliance with Laws and Regulations, and Uncorrected Misstatements in Relation to Activities at the Service Organization

4. The user auditor shall inquire of management of the user entity whether the service organization has reported to the user entity, or whether the user entity is otherwise aware of, any fraud, non-compliance with laws and regulations or uncorrected misstatements affecting the financial statements of the user entity. The user auditor shall evaluate how such matters affect the nature, timing and extent of the user auditor’s further audit procedures, including the effect on the user auditor’s conclusions and report.
Reporting by the User Auditor
5. The user auditor shall modify the opinion in the user auditor’s report in accordance with ISA 705 if the user auditor is unable to obtain sufficient appropriate audit evidence regarding the services provided by the service organization relevant to the audit of the user entity’s financial statements.
6. The user auditor shall not refer to the work of a service auditor in the user auditor’s report containing an unmodified opinion unless required by law or regulation to do so. If such reference is required by law or regulation, the user auditor’s report shall indicate that the reference does not diminish the user auditor’s responsibility for the audit opinion.
7. If reference to the work of a service auditor is relevant to an understanding of a modification to the user auditor’s opinion, the user auditor’s report shall indicate that such reference does not diminish the user auditor’s responsibility for that opinion.