ISA 402 (Revised and Redrafted) — Audit Considerations Relating to an Entity Using a Service Organization

ISA 402 (Revised and Redrafted) DEALS with the user auditor’s responsibility to obtain SUFFICIENT appropriate audit evidence when a ‘User Entity’ uses the services of one or More service organizations.

ISA 402 (Revised and Redrafted) – Introduction

1. Scope of this ISA

It expands on how the ‘User Auditor’ applies ISA 315 (Revised) and ISA 330 in obtaining an understanding of the user entity, Including Internal Controls relevant to the audit.

2. Effective Date

This ISA is EFFECTIVE for audits of financial statements for periods beginning on or after December 15, 2009.

ISA 402

ISA 402 – Objectives

The Objectives of the ‘User Auditor’ are:

  • To obtain an understanding of the nature and significance of the services provided by the service organization; AND
  • To design and perform audit procedures responsive to those risks.

ISA 402 – Definitions

1. Type 1 Report

A Report that Comprises:
(i) A description prepared by the Management of the service organization, it’s system, control objectives and related controls; AND
(ii) A report by the service auditor with the objective of conveying reasonable assurance.

2. Type 2 Report

A Report that Comprises:
(i) A description prepared by the Management of the service organization, it’s system, control objectives and related controls their design and implementation; AND
(ii) A report by the service auditor with the objective of conveying reasonable assurance.

ISA 402 – Requirements

1. Obtaining an Understanding of the Services Provided by a Service Organization, Including Internal Control

In accordance with ISA 315 (Revised), the ‘User Auditor’ shall OBTAIN an understanding of how a user entity uses the services of a service organization in the user entity’s operations including:

  • The Nature of services provided by the service organization;
  • The Nature and materiality of the transactions processed ;
  • The Degree of interaction between the activities of the service organization and those of the user entity; AND
  • The Nature of the relationship between the user entity and the service organization.

If the ‘User Auditor’ is UNABLE to obtain sufficient understanding, the user auditor shall OBTAIN that understanding from one or More of the following procedures:

(a) Obtaining a Type 1 or Type 2 Report, if available;
(b) Contacting the service organization, through the user’s entity;
(c) Visiting the service organization and performing procedures about the relevant controls; OR
(d) Using another auditor to perform procedures.

2. Responding to the Assessed Risks of Material Misstatement

In accordance with ISA 330, the ‘User Auditor’ shall:

  • DETERMINE whether sufficient appropriate audit evidence is available from records held at the user entity; AND, if not
  • PERFORM further audit procedures or use another auditor.

2.1 Tests of Controls

The ‘User Auditor’ shall OBTAIN audit evidence from the operating effectiveness of those controls from one or More of the following procedures:

(a) Obtaining a Type 2 report, if available;
(b) Performing appropriate tests of controls at the service organization; OR
(c) Using another auditor to perform tests of controls.

3. Type 1 and Type 2 Reports that Exclude the Services of a Sub-service Organization

The ‘User Auditor’ shall APPLY the Requirements of this ISA with respect to the services provided by the sub-service organization.

4. Fraud, Non-Compliance with Laws and Regulations and Uncorrected Misstatements in Relation to Activities at the Service Organization

The ‘User Auditor’ shall EVALUATE how such Matters affect the nature, timing and extent of the user auditor’s further audit procedures Including the effect on the user auditor’s conclusions and report.

5. Reporting by the User Auditor

The ‘User Auditor’ shall MODIFY the opinion in accordance with ISA 705 (Revised), if UNABLE to obtain sufficient appropriate audit evidence.

The ‘User Auditor’ shall NOT REFER to the work of ‘Service Auditorin user auditor’s report containing an Un-Modified opinion UNLESS required by law or regulation to do so.

Synopsis

ISA 402Audit Considerations Relating to an Entity Using a Service Organization‘ DEALS with the user auditor’s responsibility to obtain sufficient appropriate audit evidence when a ‘User Entity’ uses the services of one or More service organizations.

[300-499] Risk Assessment and Response to Assessed Risk

ISA 300

ISA 315

ISA 320

ISA 330

ISA 450

Leave a Comment