13 AU-C 402 Audit Considerations Relating to an Entity Using a Service Organization
Types of Service Auditor’s Reports
Considerations in Using a Service Auditor’s Report
AU-C 402 Illustration—Audit Program for an Auditor’s Review of a Service Auditor’s Report
SCOPE
More and more entities are outsourcing activities to service organizations. There is often a belief by the user organization that the service organization can be totally relied upon and that the user organization needs only to have limited, if any, controls.
AU-C 402 is intended to help auditors determine what additional information they might need when auditing an entity that uses a service organization. It expands on the application of AU-C 315 and 330 in obtaining an understanding of the user entity, including internal control. (AU-C 402.01) AU-C 402 also makes it clear that the guidance applies if an entity obtains services from another organization that is part of the entity’s information system. Also, it clarifies the factors that an auditor should use in determining the significance of a service organization’s controls to the user organization’s controls. In other words, the audit procedures that are appropriate when a service organization’s procedures are significant to the audited entity are not optional. The auditor must evaluate the interaction between the audited entity and all service organizations used by that entity. (AU-C 402.02)
A service organization’s services are part of an entity’s information system if they affect any of the following:
Significant classes of transactions
Transaction initiation, authorization, recording, processing, correction, and reporting
Accounting records, supplemental detail, and specific accounts used to initiate, authorize, record, process, correct, transfer to the general ledger, and report
Processing of significant accounting information other than transactions
Financial reporting and journal entry processes
Journal entry controls
(AU-C 402.03)
For example, bank trust departments are service organizations because they invest and service assets for others. An example of a user organization for a bank trust department is an employee benefit plan. Data processing service centers are service organizations because they process transactions and related data for others. Similarly, mortgage bankers that service mortgages for other entities are service organizations.
A bank that processes checking account transactions or a broker who executes securities transactions is not included under the Section’s definition of service organizations. That is because when services are limited to executing transactions specifically authorized by the client, Section 402 is not applicable. The Section also is not applicable to the audit of transactions arising from financial interest in partnerships, corporations, and joint ventures. (AU-C 402.05)
DEFINITIONS OF TERMS
Source: AU-C 402.08. For definitions related to this standard, see Appendix A, “Definitions of Terms”: Complementary user entity controls, Report on management’s description of a service organization’s system and the suitability of the design of controls (referred to in this section as a type 1 report), Report on management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls (referred to in this section as a type 2 report), Service auditor, Service organization, Service organization’s system, Subservice organization, User auditor, User entity.
OBJECTIVES OF AU-C SECTION 402
The objectives of the user auditor, when the user entity uses the services of a service organization, are to
1 obtain an understanding of the nature and significance of the services provided by the service organization and their effect on the user entity’s internal control relevant to the audit, sufficient to identify and assess the risks of material misstatement.
2 design and perform audit procedures responsive to those risks.
(AU-C Section 402.07)
REQUIREMENTS
When an entity uses a service organization, part of the processing that the auditor usually finds in the client’s internal control is physically and operationally separate from that entity (the user entity). In some circumstances, the user entity may be able to implement effective internal controls. This occurs when the user entity authorizes all transactions and maintains accountability that would detect unauthorized transactions or activity.
In other circumstances, the service organization’s procedures relevant to the user entity need to be included when the user auditor is obtaining an understanding of internal control in accordance with AU-C 315. One source of additional information to obtain this understanding is a service auditor’s report. (AU-C 402.12)
The key factors for a user auditor to consider in deciding whether additional information, such as a service auditor’s report, is needed are:
The nature and significance of the sources provided by the service organization
The nature of the relationship between the user entity and the service organization, including contractual terms
The degree of interaction between the activity at the service organization and that of the user organization
The nature of the transactions processed
The materiality of the transactions processed
(AU-C 402.09)
Information about a service organization’s controls may be obtained from various sources, including:
User
