ISA 402 (Revised and Redrafted) deals with the user auditor’s responsibility to obtain sufficient appropriate audit evidence when a ‘User Entity’ uses the services of one or more service organizations.

International Standard on Auditing
ISA 402 – Audit Considerations Relating to an Entity Using a Service Organization
What Is ISA 402?
ISA 402, titled “Audit Considerations Relating to an Entity Using a Service Organization,” is an International Standard on Auditing issued by the International Auditing and Assurance Standards Board (IAASB) under IFAC. It was revised and redrafted in December 2008 and became effective for audits of financial statements for periods beginning on or after December 15, 2009.
In the modern economy, it is increasingly common for businesses to outsource critical functions (payroll processing, IT operations, loan servicing, custody of assets, and more) to third-party providers known as service organizations. When a client entity (the “user entity”) relies on such providers, their internal controls and transaction records become directly relevant to the integrity of the user entity’s financial statements.
ISA 402 provides the authoritative framework that governs how the user auditor must gather sufficient and appropriate audit evidence in these circumstances. Rather than being able to rely solely on the user entity’s own records, the auditor must extend their understanding to encompass the controls and activities at the service organization level.
Why ISA 402 Matters
Without ISA 402, auditors lacked clear guidance on how far their responsibility extended when clients used third-party providers. The standard eliminates ambiguity: it sets out specific requirements for understanding, assessing, and obtaining evidence regarding service organization controls, ultimately protecting the reliability of the financial reporting process.
Objective – ISA 402
“The objective of the user auditor, when the user entity uses a service organization, is to obtain sufficient appropriate audit evidence to provide a reasonable basis for the auditor’s opinion on the user entity’s financial statements.”
– IAASB, ISA 402 (Revised and Redrafted)
The Scale of Outsourcing in Modern Auditing
Service organizations now sit at the heart of thousands of audited entities, from payroll bureaus and bank trust departments to cloud ERP providers and mortgage servicers. ISA 402 ensures auditors never lose sight of these crucial dependencies.
Objectives of ISA 402
ISA 402 defines two primary objectives that guide the user auditor throughout an engagement where the client entity relies on a service organization:
Understanding Services & Controls
The user auditor must obtain a thorough understanding of the nature and significance of services provided, including the controls the service organization maintains over those services and their effect on the user entity’s internal control relevant to financial reporting.
Risk Assessment & Response
The auditor must identify and assess the risks of material misstatement in the user entity’s financial statements arising from the activities of the service organization, and design and perform audit procedures responsive to those risks.
Sufficient Appropriate Audit Evidence
Ultimately, the auditor must obtain sufficient appropriate audit evidence to provide a reasonable basis for the audit opinion — even when relevant transactions and controls reside partly or wholly at the service organization.
Key Definitions Under ISA 402
Understanding ISA 402 requires fluency in its core terminology. The following definitions establish the precise scope of each concept.
Term 01
Service Organization
A third-party organization (or segment thereof) that provides services to user entities which are part of those entities’ information systems relevant to financial reporting. Examples include payroll processors, bank trust departments, cloud ERP providers, and mortgage servicers.
Term 02
User Entity
An entity that uses the services of a service organization and whose financial statements are being audited by the user auditor. This is the direct client of the audit engagement.
Term 03
User Auditor
The auditor who audits and reports on the financial statements of the user entity. The user auditor bears primary responsibility under ISA 402 for obtaining sufficient evidence in relation to service organization activities.
Term 04
Service Auditor
An auditor engaged by the service organization to provide an assurance report on the controls of the service organization. The service auditor’s reports (Type 1 or Type 2) are often the primary source of evidence for the user auditor.
Term 05
Subservice Organization
A service organization used by another service organization to perform services provided to user entities that are part of those user entities’ information systems relevant to financial reporting. ISA 402 requires the user auditor to consider the impact of subservice organizations.
Term 06
Complementary User Entity Controls
Controls that the service organization assumes will be implemented by user entities and which, combined with the service organization’s controls, are necessary to achieve the specified control objectives. These must be identified and assessed by the user auditor.
Term 07
Service Organization’s System
The policies and procedures designed, implemented, and maintained by the service organization to provide user entities with the services covered by the service auditor’s report. This encompasses both IT general controls and application-level controls.
Term 08
Carve-Out Method
A method of addressing subservice organizations in which the description of the service organization’s system excludes the controls at the subservice organization, requiring the user auditor to apply ISA 402 to the subservice organization separately.
Type 1 vs Type 2 Service Auditor Reports
A service organization may engage a service auditor to issue a formal report on its controls. ISA 402 recognizes two types of such reports, each providing a different level of assurance to the user auditor.
Type 1 Report
- Covers the description of the service organization’s system and control objectives as of a specified date
- Addresses the suitability of the design of controls to achieve the stated control objectives
- Does not cover the operating effectiveness of controls over a period
- Provides a useful preliminary understanding of the service organization’s controls
- Cannot on its own provide evidence of operating effectiveness; it must be supplemented
- May be used for periods before the audit period if supplemented with current information
Type 2 Report
- Covers the description of the service organization’s system, control objectives, and related controls
- Addresses both the suitability of design and the operating effectiveness of controls over a specified period
- Includes the service auditor’s test results and descriptions of tests performed
- Provides stronger and more comprehensive evidence for the user auditor
- Allows the user auditor to reduce the extent of their own substantive testing in some circumstances
- Preferred form of evidence when controls at the service organization are relied upon for risk assessment
Using Type 1 and Type 2 Reports
The user auditor’s ability to rely on these reports is not automatic. Under ISA 402, the user auditor must evaluate whether the service auditor is sufficiently independent, competent, and subject to appropriate professional standards. The auditor must also assess whether the report covers the relevant period and whether any exceptions or qualifications noted could affect the audit evidence obtained.
When a Type 2 report is available and used, the user auditor should still consider performing supplementary procedures where there are gaps, material changes in controls, or identified exceptions reported by the service auditor.
ISA 402 Audit Procedures
ISA 402 requires the user auditor to follow a structured approach when auditing a user entity that relies on a service organization.
Determine the Significance of the Service Organization
Assess whether the services provided by the service organization are significant enough to be relevant to the financial statement audit. Consider the nature of the services, transaction volumes, and how integral those services are to the user entity’s financial reporting information systems.
Obtain an Understanding of Services and Controls
Gather information from multiple sources: user manuals, system overviews, contracts, inquiries of management, previous experience with the service organization, and available service auditor reports. Evaluate the interaction between user entity controls and service organization controls.
Assess the Risk of Material Misstatement
Identify which risks of material misstatement in the user entity’s financial statements are created or amplified by the service organization’s activities. Consider both inherent and control risks at the assertion level, taking into account complementary user entity controls.
Evaluate the Availability and Sufficiency of Type 1/Type 2 Reports
Determine whether a Type 1 or Type 2 service auditor’s report is available. Assess its relevance, currency, and the competence and independence of the service auditor. Evaluate whether any noted exceptions affect the reliability of evidence obtained.
Respond to Assessed Risks
Design and perform audit procedures in response to the assessed risks. This may include direct visits to the service organization, requesting additional information, performing additional substantive testing, or using another auditor to perform procedures at the service organization.
Reporting Considerations
If the user auditor is unable to obtain sufficient appropriate audit evidence regarding services at the service organization, a scope limitation may arise. This can result in a qualified audit opinion or a disclaimer of opinion, depending on the materiality and pervasiveness of the limitation.
Responsibilities of User Auditor and Service Auditor
ISA 402 draws clear distinctions between the responsibilities of the user auditor and those of the service auditor, preventing confusion and overlap in who is accountable for what.
| Dimension | User Auditor | Service Auditor |
|---|---|---|
| Engaged by | User entity (the direct audit client) | Service organization |
| Primary mandate | Audit of the user entity’s financial statements | Report on controls at the service organization |
| Scope of opinion | User entity’s financial statements as a whole | Description, design (and if Type 2, operating effectiveness) of service org controls |
| Use of the other’s work | May rely on the service auditor’s Type 1 or Type 2 report as audit evidence (with evaluation) | Not directly reliant on the user auditor’s work |
| Responsibility for audit opinion | Bears sole responsibility for the audit opinion on user entity financials | No responsibility for the user entity’s financial statements |
| Standards followed | ISA 402 (and broader ISA suite) | ISAE 3402 or applicable national assurance standards |
The Service Auditor’s Report and Reliance
Even when a Type 2 report is available, ISA 402 makes it clear that the user auditor cannot simply hand responsibility to the service auditor. The user auditor must independently evaluate the quality and applicability of the report, consider its coverage period, and make their own professional judgment about whether sufficient appropriate evidence has been obtained for the assertions at risk.
ISA 402 and Related Audit Standards
ISA 402 does not operate in isolation. It forms part of an integrated suite of auditing standards that together address risk assessment, evidence gathering, and audit response.
| Standard | Title | Relationship to ISA 402 |
|---|---|---|
| ISA 315 | Identifying and Assessing Risks of Material Misstatement | ISA 402 directly references ISA 315 for the requirement to understand the entity and its environment, including the use of service organizations as part of the information system |
| ISA 330 | The Auditor’s Responses to Assessed Risks | ISA 402 requires audit procedures designed under ISA 330 to be responsive to risks that include those arising from service organization activities |
| ISA 500 | Audit Evidence | ISA 500 governs what constitutes sufficient appropriate evidence; ISA 402 applies these principles in the context of evidence obtained regarding service organization controls |
| ISAE 3402 | Assurance Reports on Controls at a Service Organization | The assurance standard under which service auditors issue Type 1 and Type 2 reports used as evidence by user auditors under ISA 402 |
| ISA 600 | Special Considerations – Audits of Group Financial Statements | Relevant where a service organization is considered a component for group audit purposes; ISA 402 may apply, adapted as necessary |
Frequently Asked Questions
The following questions address the most common points of uncertainty practitioners encounter when applying ISA 402.
No. ISA 402 applies specifically to service organizations whose services are part of the user entity’s information systems relevant to financial reporting. Not all outsourced services qualify. For example, outsourcing cleaning or catering services would not typically fall under ISA 402, whereas outsourcing payroll processing, transaction recording, or asset custody would.
Yes. ISA 402 explicitly allows the user auditor to perform procedures directly at the service organization, provided the service organization agrees to this. The user auditor may also engage another auditor to perform procedures on their behalf at the service organization’s premises.
If no service auditor’s report is available, the user auditor must consider alternative means of obtaining sufficient evidence. This may include direct access to the service organization, use of another auditor, examination of user entity controls over the service organization’s outputs, or increased substantive testing. If evidence cannot be obtained, a scope limitation may arise, potentially affecting the audit opinion.
Under the inclusive method, the description of the service organization’s system includes the relevant controls at the subservice organization, and the service auditor’s procedures also extend to the subservice organization. This contrasts with the carve-out method, where the subservice organization’s controls are excluded and the user auditor must apply ISA 402 separately.
In most cases, the audit report on the user entity does not explicitly reference ISA 402 or the service organization. However, if the user auditor is unable to obtain sufficient appropriate audit evidence due to restrictions placed by the service organization, a qualified opinion or disclaimer of opinion may be required.
The IAASB has acknowledged that ISA 402 may be applicable, adapted as necessary, to situations where an entity uses a shared service center providing services to a group of related entities. This is a matter of professional judgment based on the specific facts and circumstances.

(Qualified) Chartered Accountant – ICAP
Master of Commerce – HEC, Pakistan
Bachelor of Accounting (Honours) – AeU, Malaysia