ISA 402 – Audit Considerations Relating to an Entity Using a Service Organization

ISA 402 (Revised and Redrafted) deals with the user auditor’s responsibility to obtain sufficient appropriate audit evidence when a user entity uses the services of one or more service organizations.

What Is ISA 402?

ISA 402, titled “Audit Considerations Relating to an Entity Using a Service Organization,” is an International Standard on Auditing issued by the International Auditing and Assurance Standards Board (IAASB) under IFAC. It was revised and redrafted in December 2008 and became effective for audits of financial statements for periods beginning on or after December 15, 2009.

In the modern economy, it is increasingly common for businesses to outsource critical functions such as payroll processing, IT operations, loan servicing, and custody of assets to third-party providers known as service organizations. When a client entity (the “user entity”) relies on such providers, the providers’ internal controls and transaction records become directly relevant to the integrity of the user entity’s financial statements.

ISA 402 provides the authoritative framework that governs how the user auditor must gather sufficient and appropriate audit evidence in these circumstances. Rather than being able to rely solely on the user entity’s own records, the auditor must extend their understanding to encompass the controls and activities at the service organization level.

Why ISA 402 Matters

Without ISA 402, auditors lacked clear guidance on how far their responsibility extended when clients used third-party providers. The standard eliminates that ambiguity: it sets out specific requirements for understanding, assessing, and obtaining evidence about service organization controls, ultimately protecting the reliability of the financial reporting process.

Objective – ISA 402

“The objective of the user auditor, when the user entity uses a service organization, is to obtain sufficient appropriate audit evidence to provide a reasonable basis for the auditor’s opinion on the user entity’s financial statements.”

— IAASB, ISA 402 (Revised and Redrafted)

The Scale of Outsourcing in Modern Auditing

Service organizations now sit at the heart of thousands of audited entities, from payroll bureaus and bank trust departments to cloud ERP providers and mortgage servicers. ISA 402 ensures auditors never lose sight of these crucial dependencies.

  • Aligned standard: ISA 315
  • Report types: 2 (Type 1 and Type 2)
  • Effective from: 2009
  • Issuing body: IAASB

Objectives of the Standard

ISA 402 defines two primary objectives that guide the user auditor throughout an engagement where the client entity relies on a service organization:

Understanding Services & Controls

The user auditor must obtain a thorough understanding of the nature and significance of services provided, including the controls the service organization maintains over those services and their effect on the user entity’s internal control relevant to financial reporting.

Risk Assessment & Response

The auditor must identify and assess the risks of material misstatement in the user entity’s financial statements arising from the activities of the service organization, and design and perform audit procedures responsive to those risks.

Sufficient Appropriate Audit Evidence

Ultimately, the auditor must obtain sufficient appropriate audit evidence to provide a reasonable basis for the audit opinion, even when relevant transactions and controls reside partly or wholly at the service organization.

Alignment with ISA 315 & ISA 330

ISA 402 operates in conjunction with ISA 315 (identifying and assessing risks through understanding the entity) and ISA 330 (auditor’s responses to assessed risks), ensuring a cohesive approach to risk-based auditing.

Key Definitions Under ISA 402

Understanding ISA 402 requires fluency in its core terminology. The following definitions are drawn directly from the standard and establish the precise scope of each concept.

Term 01

Service Organization

A third-party organization (or a segment of one) that provides services to user entities that are part of those entities’ information systems relevant to financial reporting. Examples include payroll processors, bank trust departments, cloud ERP providers, and mortgage servicers.

Term 02

User Entity

An entity that uses the services of a service organization and whose financial statements are being audited by the user auditor. This is the direct client of the audit engagement.

Term 03

User Auditor

The auditor who audits and reports on the financial statements of the user entity. The user auditor bears primary responsibility under ISA 402 for obtaining sufficient evidence in relation to service organization activities.

Term 04

Service Auditor

An auditor engaged by the service organization to provide an assurance report on the controls of the service organization. The service auditor’s reports (Type 1 or Type 2) are often the primary source of evidence for the user auditor.

Term 05

Subservice Organization

A service organization used by another service organization to perform services provided to user entities that are part of those user entities’ information systems relevant to financial reporting. ISA 402 requires the user auditor to consider the impact of subservice organizations.

Term 06

Complementary User Entity Controls

Controls that the service organization assumes will be implemented by user entities and which, combined with the service organization’s controls, are necessary to achieve the specified control objectives. These must be identified and assessed by the user auditor.

Term 07

Service Organization’s System

The policies and procedures designed, implemented, and maintained by the service organization to provide user entities with the services covered by the service auditor’s report. This encompasses both IT general controls and application-level controls.

Term 08

Carve-Out Method

A method of addressing subservice organizations in which the description of the service organization’s system excludes the controls at the subservice organization, requiring the user auditor to apply ISA 402 to the subservice organization separately.

Type 1 and Type 2 Service Auditor Reports

A service organization may engage a service auditor to issue a formal report on its controls. ISA 402 recognizes two types of such reports, each providing a different level of assurance to the user auditor.

Type 1 Report – Design Only
  • Covers the description of the service organization’s system and control objectives as of a specified date
  • Addresses the suitability of the design of controls to achieve the stated control objectives
  • Does not cover the operating effectiveness of controls over a period
  • Provides a useful preliminary understanding of the service organization’s controls
  • Cannot on its own provide evidence of operating effectiveness and must be supplemented
  • May be used for periods before the audit period if supplemented with current information

Type 2 Report – Design + Operation
  • Covers the description of the service organization’s system, control objectives, and related controls
  • Addresses both the suitability of design and the operating effectiveness of controls over a specified period
  • Includes the service auditor’s test results and descriptions of the tests performed
  • Provides stronger and more comprehensive evidence for the user auditor
  • Allows the user auditor to reduce the extent of their own substantive testing in some circumstances
  • Preferred form of evidence when controls at the service organization are relied upon for risk assessment

Using Type 1 and Type 2 Reports

The user auditor’s ability to rely on these reports is not automatic. Under ISA 402, the user auditor must evaluate whether the service auditor is sufficiently independent, competent, and subject to appropriate professional standards. The auditor must also assess whether the report covers the relevant period and whether any exceptions or qualifications are noted that could affect the audit evidence obtained.

When a Type 2 report is available and used, the user auditor should still consider performing supplementary procedures where there are gaps, material changes in controls, or identified exceptions reported by the service auditor.

The ISA 402 Audit Process: Step by Step

ISA 402 requires the user auditor to follow a structured approach when auditing a user entity that relies on a service organization. The key stages are outlined below.

Step 1 – Determine the Significance of the Service Organization

Assess whether the services provided by the service organization are significant enough to be relevant to the financial statement audit. Consider the nature of the services, transaction volumes, and how integral those services are to the user entity’s financial reporting information systems.

Step 2 – Obtain an Understanding of Services and Controls

Gather information from multiple sources: user manuals, system overviews, contracts, inquiries of management, previous experience with the service organization, and available service auditor reports. Evaluate the interaction between user entity controls and service organization controls.

Step 3 – Assess the Risk of Material Misstatement

Identify which risks of material misstatement in the user entity’s financial statements are created or amplified by the service organization’s activities. Consider both inherent and control risks at the assertion level, taking into account complementary user entity controls.

Step 4 – Evaluate the Availability and Sufficiency of Type 1/Type 2 Reports

Determine whether a Type 1 or Type 2 service auditor’s report is available. Assess its relevance, currency, and the competence and independence of the service auditor. Evaluate whether any noted exceptions affect the reliability of evidence obtained.

Step 5 – Respond to Assessed Risks

Design and perform audit procedures in response to the assessed risks. This may include direct visits to the service organization, requesting additional information, performing additional substantive testing, or using another auditor to perform procedures at the service organization.

Step 6 – Reporting Considerations

If the user auditor is unable to obtain sufficient appropriate audit evidence regarding services at the service organization, a scope limitation may arise. This can result in a qualified audit opinion or a disclaimer of opinion, depending on the materiality and pervasiveness of the limitation.

Responsibilities: User Auditor vs. Service Auditor

ISA 402 draws clear distinctions between the responsibilities of the user auditor and those of the service auditor, preventing confusion and overlap in who is accountable for what.

Engaged by
  • User auditor: User entity (the direct audit client)
  • Service auditor: Service organization

Primary mandate
  • User auditor: Audit of the user entity’s financial statements
  • Service auditor: Report on controls at the service organization

Scope of opinion
  • User auditor: User entity’s financial statements as a whole
  • Service auditor: Description, design (and, for a Type 2 report, operating effectiveness) of service organization controls

Use of the other’s work
  • User auditor: May rely on the service auditor’s Type 1 or Type 2 report as audit evidence (after evaluating it)
  • Service auditor: Not directly reliant on the user auditor’s work

Responsibility for audit opinion
  • User auditor: Bears sole responsibility for the audit opinion on the user entity’s financial statements
  • Service auditor: No responsibility for the user entity’s financial statements

Standards followed
  • User auditor: ISA 402 (and the broader ISA suite)
  • Service auditor: ISAE 3402 or applicable national assurance standards

The Service Auditor’s Report and Reliance

Even when a Type 2 report is available, ISA 402 makes it clear that the user auditor cannot simply hand responsibility to the service auditor. The user auditor must independently evaluate the quality and applicability of the report, consider its coverage period, and make their own professional judgment about whether sufficient appropriate evidence has been obtained for the assertions at risk.

ISA 402 in the Context of Related Standards

ISA 402 does not operate in isolation. It forms part of an integrated suite of auditing standards that together address risk assessment, evidence gathering, and audit response. Understanding how ISA 402 relates to its companion standards is essential for effective application.

ISA 315 – Identifying and Assessing Risks of Material Misstatement
  • Relationship to ISA 402: ISA 402 directly references ISA 315 for the requirement to understand the entity and its environment, including the use of service organizations as part of the information system

ISA 330 – The Auditor’s Responses to Assessed Risks
  • Relationship to ISA 402: ISA 402 requires audit procedures designed under ISA 330 to be responsive to risks that include those arising from service organization activities

ISA 500 – Audit Evidence
  • Relationship to ISA 402: ISA 500 governs what constitutes sufficient appropriate evidence; ISA 402 applies these principles in the context of evidence obtained regarding service organization controls

ISAE 3402 – Assurance Reports on Controls at a Service Organization
  • Relationship to ISA 402: The assurance standard under which service auditors issue the Type 1 and Type 2 reports used as evidence by user auditors under ISA 402

ISA 600 – Special Considerations – Audits of Group Financial Statements
  • Relationship to ISA 402: Relevant where a service organization is considered a component for group audit purposes; ISA 402 may apply, adapted as necessary

Frequently Asked Questions about ISA 402

The following questions address the most common points of uncertainty practitioners encounter when applying ISA 402.

Does ISA 402 apply to all outsourced services?

No. ISA 402 applies specifically to service organizations whose services are part of the user entity’s information systems relevant to financial reporting. Not all outsourced services qualify. For example, outsourcing cleaning or catering services would not typically fall under ISA 402, whereas outsourcing payroll processing, transaction recording, or asset custody would.

Can the user auditor visit the service organization directly?

Yes. ISA 402 explicitly allows the user auditor to perform procedures directly at the service organization, provided the service organization agrees to this. The user auditor may also engage another auditor to perform procedures on their behalf at the service organization’s premises.

What happens if a Type 1 or Type 2 report is not available?

If no service auditor’s report is available, the user auditor must consider alternative means of obtaining sufficient evidence. This may include direct access to the service organization, use of another auditor, examination of user entity controls over the service organization’s outputs, or increased substantive testing. If evidence cannot be obtained, a scope limitation may arise, potentially affecting the audit opinion.

What is the “inclusive method” for dealing with subservice organizations?

Under the inclusive method, the description of the service organization’s system includes the relevant controls at the subservice organization, and the service auditor’s procedures also extend to the subservice organization. This contrasts with the carve-out method, where the subservice organization’s controls are excluded and the user auditor must apply ISA 402 separately to the subservice organization.

How does ISA 402 affect the audit report issued on the user entity?

In most cases, the audit report on the user entity does not explicitly reference ISA 402 or the service organization. However, if the user auditor is unable to obtain sufficient appropriate audit evidence due to restrictions placed by the service organization, a qualified opinion or disclaimer of opinion may be required. The standard provides application guidance on the reporting implications of such scope limitations.

Does ISA 402 apply to shared service centers within a group?

The IAASB has acknowledged that ISA 402 may be applicable, adapted as necessary, to situations where an entity uses a shared service center providing services to a group of related entities. This is a matter of professional judgment based on the specific facts and circumstances.