ISA 402: Service Organization Control Reports

400 series of audit

Uploaded by

hassan raza
Copyright
© All Rights Reserved

ISA 402

Report on description and design of controls at a service organization (Type 1 report)


A report that comprises:
(i) A description, prepared by management of service organization, of service organization’s system,
control objectives and related controls that have been designed & implemented as at a specified date;
and
(ii) A report by service auditor with objective of conveying reasonable assurance that includes service
auditor’s opinion on description of service organization’s system, control objectives and related controls
and suitability of the design of the controls to achieve the specified control objectives.

Report on description, design, and operating effectiveness of controls at service organization (Type 2 report)

A report that comprises:
(i) A description, prepared by management of service organization, of service organization’s system,
control objectives and related controls, their design and implementation as at a specified date or
throughout a specified period and, in some cases, their operating effectiveness throughout a specified
period; and
(ii) A report by service auditor with objective of conveying reasonable assurance that includes:
a. Service auditor’s opinion on description of service organization’s system, control objectives and
related controls, suitability of the design of the controls to achieve the specified control objectives,
and the operating effectiveness of the controls; and
b. A description of service auditor’s tests of the controls and results thereof.

Service organization - A third-party organization (or segment of a third-party organization) that provides
services to user entities that are part of those entities’ information systems relevant to financial reporting.

Service auditor - An auditor who, at the request of the service organization, provides an assurance
report on the controls of a service organization.

Subservice organization
A service organization used by another service organization to perform some of the services provided
to user entities that are part of those user entities’ information systems relevant to financial reporting.

User entity - An entity that uses a service organization and whose F/S are being audited.
User auditor - An auditor who audits and reports on the F/S of a user entity.

Obtaining Understanding of Services Provided by Service Organization (Ref: 9, A1-A11)

Information on nature of services provided by a service organization may be available from:

• User manuals.
• System overviews.
• Technical manuals.
• The contract or service level agreement between the user entity and the service organization.
• Reports by service organizations, internal audit function or regulatory authorities.
• Reports by the service auditor, including management letters, if available.

When obtaining understanding of user entity, user auditor shall obtain understanding of how
user entity uses services of a service organization in user entity’s operations, including:

a) Nature of services provided by service organization and the significance of those services
to user entity, including effect thereof on user entity’s internal control;

Examples of service organization services that are relevant to the audit include:
- Maintenance of the user entity’s accounting records.
- Management of assets.
- Initiating, recording or processing transactions as agent of the user entity.

b) Nature and materiality of transactions processed or accounts or financial reporting
processes affected by the service organization;

c) Degree of interaction between activities of service organization and those of user entity;

- If high degree of interaction exists (e.g. user entity authorises transactions and service
organisation processes those), it may be practicable for user entity to implement
effective controls
- If lower degree of interaction exists (e.g. service organization initiates or initially
records, processes, and does accounting for user entity’s transactions), user entity may
be unable to implement effective controls and may rely on controls at service
organisation

d) Nature of relationship between user entity and service organization, including relevant
contractual terms for the activities undertaken by the service organization.

- Information to be provided to user entity and responsibilities for initiating transactions
relating to the activities undertaken by the service organization;
- Application of requirements of regulatory bodies concerning the form of records to be
maintained, or access to them;
- Indemnification, if any, to be provided to user entity in event of a performance failure;
- Whether service organization will provide a report on its controls;
- Whether such report would be a type 1 or type 2 report;
- Whether user auditor has rights of access to records of user entity maintained by service
organization and other information necessary for conduct of audit; and
- Whether agreement allows for direct communication between user auditor and service
auditor.

A user auditor may use a service auditor to perform procedures on user auditor’s behalf, e.g.:
- Tests of controls at the service organization; or
- Substantive procedures on user entity’s F/S transactions and balances maintained by a
service organization.

Understanding the Controls Relating to Services Provided by the Service Organization (Ref: 10-12, A12-A20)

User auditor shall evaluate design and implementation of relevant controls at user entity,
including those that are applied to the transactions processed by service organization.

These controls may include:

• Comparing the data submitted to service organization with reports of information received
from service organization after data has been processed.
• Recomputing a sample of payroll amounts for clerical accuracy and reviewing total amount
of the payroll for reasonableness.

If user auditor is unable to obtain a sufficient understanding from user entity, the user auditor
shall obtain that understanding from one or more of the following procedures:

• Obtaining a type 1 or type 2 report, if available (as per ISAE 3402);
• Contacting service organization, through user entity, to obtain specific information;
• Visiting service organization and performing procedures providing necessary information
about the relevant controls at the service organization; or
• Using another auditor to perform procedures that will provide the necessary information
about the relevant controls at the service organization.

User auditor’s decision as to selection of procedure(s) may be influenced by such matters as:

• Size of both user entity and service organization;
• Complexity of transactions at user entity and complexity of services provided by service
organization;
• Location of service organization;
• Nature of the relationship between user entity and the service organization.

A user entity may use a service organization that in turn uses a subservice organization to
provide some of the services provided to a user entity that are part of user entity’s information
system relevant to financial reporting.

• Subservice organization may be separate from service organization or may be related.
• A user auditor may need to consider controls at subservice organization.

Using Type 1 or Type 2 Report to Support Understanding of the Service Organization (Ref: 13-14, A21-A23)

User auditor shall be satisfied as to:

• Service auditor’s professional competence;
• Service auditor’s independence from service organization; and
• Adequacy of standards under which type 1 or type 2 report was issued.

User auditor shall:

• Evaluate whether description and design of controls at service organization is at a date or
for a period that is appropriate for the user auditor’s purposes;
• Evaluate sufficiency and appropriateness of evidence provided by report; and
• Determine whether complementary user entity controls identified by service organization
are relevant and, if so, whether user entity has designed and implemented such controls.

Type 1 or type 2 report, along with information about user entity, may assist user auditor in
obtaining an understanding of:

• Aspects of controls at service organization that may affect processing of user entity’s
transactions, including the use of subservice organizations;
• Flow of significant transactions through service organization to determine the points in the
transaction flow where material misstatements in user entity’s F/S could occur;
• Control objectives at the service organization relevant to the entity’s F/S assertions; and
• Whether controls at service organization are suitably designed and implemented to
prevent, or detect & correct processing errors that could result in material misstatements
in the user entity’s F/S.

Responding to the Assessed Risks of Material Misstatement (Ref: 15-17, A24-A39)

User auditor shall:

• Determine whether sufficient appropriate audit evidence concerning relevant F/S
assertions is available from records held at user entity; and, if not,
• Perform further audit procedures to obtain sufficient appropriate audit evidence or use
another auditor to perform those procedures at service organization on his behalf.

When service organization maintains material elements of accounting records of user entity,
direct access to those records may be necessary. Such access may involve either physical
inspection of records at the service organization’s premises or interrogation of records
maintained electronically from the user entity or another location, or both.

In determining audit evidence to be obtained for assets held or transactions undertaken by a
service organization on behalf of user entity, following procedures may be considered:

• Inspecting records and documents held by the user entity.
• Inspecting records and documents held by service organization
(This access may be defined in contract between user entity and service organization)
• May also use another auditor to gain access to such records at service organisation
(Prime responsibility to obtain sufficient appropriate evidence rests with user auditor)
• Obtaining confirmations of balances and transactions from service organization
(Where user entity maintains independent records of balances and transactions)
• Performing analytical procedures on records maintained by user entity or on the reports
received from the service organization:

Tests of Controls

When user auditor expects that controls at service organization are operating effectively, he shall obtain
audit evidence about operating effectiveness of controls by following procedure(s):

• Obtaining a type 2 report, if available;
• Performing appropriate tests of controls at the service organization; or
• Using another auditor to perform tests of controls at service organization on his behalf.

If type 2 report is not available, user auditor may contact service organization, through user
entity, to request that a service auditor be engaged to provide a type 2 report.

Using a Type 2 Report as Audit Evidence

User auditor shall determine whether type 2 report provides sufficient appropriate audit
evidence about effectiveness of the controls to support user auditor’s risk assessment by:

• Evaluating whether description, design and operating effectiveness of controls at service
organization is at a date or for a period that is appropriate for the user auditor’s purposes;
• Determining whether complementary user entity controls identified by service
organization are relevant to user entity and, if so, testing their operating effectiveness;
• Evaluating adequacy of the time period covered by tests of controls; and
• Evaluating whether tests of controls performed by service auditor and the results thereof,
as described in the service auditor’s report, are relevant to the assertions in the user entity’s
F/S and provide sufficient appropriate audit evidence to support the user auditor’s risk
assessment. (Ref: Para. A31-A39)

Additional audit evidence may be obtained (e.g. by extending tests of controls over remaining
period or testing user entity’s monitoring of controls).

If service auditor’s testing period is completely outside user entity’s financial reporting period,
user auditor will be unable to rely on such tests, unless other procedures are performed.

Exceptions noted by service auditor or a modified opinion in type 2 report are considered in
assessment of test of controls performed by service auditor. User auditor may discuss such
matters with service auditor.

Communication of deficiencies in internal control identified during the audit

User auditor is required to communicate in writing significant deficiencies identified
during audit to both management and TCWG of user entity on a timely basis. Matters that
user auditor may identify during audit and may communicate include:

• Any monitoring of controls that could be implemented by user entity;
• Instances where complementary user entity controls are noted in type 1 or type 2 report
and are not implemented at user entity; and
• Controls needed at service organization that do not appear to have been implemented.

Type 1 & Type 2 Reports that Exclude Services of Subservice Organization (Ref: 18, A40)

Service auditor’s report may either include (inclusive method) or exclude (carve-out method)
the subservice organization’s relevant control objectives and related controls.
If those services are relevant to audit of user entity, user auditor shall apply requirements
of this ISA with respect to the services provided by the subservice organization.

Fraud, Non-Compliance with Laws and Regulations, and Uncorrected Misstatements in Relation to Activities at the Service Organization (Ref: 19, A41)

User auditor shall inquire of management of user entity whether the service organization has
reported, or whether user entity is otherwise aware of, any fraud, non-compliance with laws
and regulations or uncorrected misstatements affecting the F/S of user entity.
User auditor shall evaluate how such matters affect nature, timing and extent of further audit
procedures, including effect on user auditor’s conclusions and report.
In certain circumstances, user auditor may require additional information, and may request
the user entity to contact the service organization to obtain necessary information.

Reporting by User Auditor (Ref: 20-22, A42-A44)

User auditor shall modify opinion (ISA 705) if user auditor is unable to obtain sufficient
appropriate audit evidence regarding services provided by service organization.
This may be the case when:

• User auditor is unable to obtain a sufficient understanding of services provided by service
organization and does not have a basis for identification and assessment of risks of material
misstatement;
• User auditor’s risk assessment includes an expectation that controls at service organization
are operating effectively and user auditor is unable to obtain sufficient appropriate audit
evidence about operating effectiveness of these controls; or
• Sufficient appropriate audit evidence is only available from records held at the service
organization, and the user auditor is unable to obtain direct access to these records.

Reference to the Work of a Service Auditor

• User auditor shall not refer to work of service auditor in report containing an unmodified
opinion unless required by law or regulation to do so.
• If such reference is required by law or regulation, user auditor’s report shall indicate that
reference does not diminish the user auditor’s responsibility for audit opinion.
• If reference to work of a service auditor is relevant to an understanding of a modification
to opinion, user auditor’s report shall indicate that such reference does not diminish the
user auditor’s responsibility for that opinion.
• In such circumstances, user auditor may need the consent of the service auditor before
making such a reference.

Important Paragraphs: 8b, 8c, 8d, 8h, 8i, 9, 12, 14, 16, 17, A4, A8, A15, A22, A23,
A26, A41, A42

ISA 450

Misstatement
A difference between the amount, classification, presentation, or disclosure of a reported
financial statement item and the amount, classification, presentation, or disclosure that is
required for the item to be in accordance with the AFRF. Misstatements can arise from error or
fraud.
When the auditor expresses an opinion on whether the F/S are presented fairly, in all material
respects, or give a true and fair view, misstatements also include those adjustments of amounts,
classifications, presentation, or disclosures that, in the auditor’s judgment, are necessary for the F/S
to be presented fairly, in all material respects, or to give a true and fair view.

Uncorrected misstatements
Misstatements that the auditor has accumulated during audit and that have not been corrected

Accumulation of Identified Misstatements (Ref: 5, A2-A3)


Auditor shall accumulate misstatements identified during the audit, other than those that are
clearly trivial. Auditor may designate an amount below which misstatements would be clearly
trivial and would not need to be accumulated.

Type of Misstatements

• Factual misstatements: Misstatements about which there is no doubt.
• Judgmental misstatements: Differences arising from the judgments of management
concerning accounting estimates, or selection or application of
accounting policies that the auditor considers inappropriate.
• Projected misstatements: Auditor’s best estimate of misstatements in populations
(See ISA 530)

Consideration of Identified Misstatements as the Audit Progresses (Ref: 6, 7, A4-A6)

Auditor shall determine whether the overall audit strategy and audit plan need to be revised if:

• The nature of identified misstatements and circumstances of their occurrence indicate the
existence of other similar misstatements
(e.g. misstatement arose from a breakdown in internal control or from inappropriate
assumptions or valuation methods that have been widely applied by the entity)
• Aggregate of misstatements accumulated during audit approaches materiality

If management has examined and corrected misstatements that were detected by auditor, the
auditor shall perform additional procedures to determine whether misstatements remain.

Communication and Correction of Misstatements (Ref: 8-9, A7-A10)

• Auditor shall communicate on a timely basis all misstatements accumulated during the
audit with the appropriate level of management, unless prohibited by law or regulation.
• Auditor shall request management to correct those misstatements.
(such correction enables management to maintain accurate accounting books and records)
• If management refuses to correct some or all of the misstatements communicated by the
auditor, the auditor shall:
- Obtain an understanding of management’s reasons for not making the corrections; and
- Take that understanding into account when evaluating whether the F/S are free from
material misstatement.

Evaluating the Effect of Uncorrected Misstatements (Ref: 10-13, A11-A23)

Prior to evaluating effect of uncorrected misstatements, auditor shall reassess materiality to
confirm whether it remains appropriate in the context of the entity’s actual financial results.
If reassessment gives rise to a lower amount, then performance materiality and appropriateness of
the nature, timing and extent of the further audit procedures shall also be reconsidered.

Auditor shall determine whether uncorrected misstatements are material, individually or in
aggregate. In making this determination, the auditor shall consider:

• Size and nature of the misstatements, both in relation to particular classes of transactions,
account balances or disclosures and the F/S as a whole, and the particular circumstances of
their occurrence; and
• Effect of uncorrected misstatements related to prior periods on the relevant classes of
transactions, account balances or disclosures, and the F/S as a whole.

Examples of Particular Circumstances (nature of misstatement)

Circumstances that may affect the evaluation of any misstatement as material include the
extent to which the misstatement:

• Affects compliance with regulatory requirements;
• Affects compliance with debt covenants or other contractual requirements;
• Relates to the incorrect selection or application of an accounting policy that has an immaterial
effect on the current period’s F/S but is likely to have a material effect on future periods’ F/S;
• Masks a change in earnings or other trends, especially in the context of general economic
and industry conditions;
• Affects ratios used to evaluate entity’s financial position, results of operations or cash flows;
• Affects segment information presented in F/S;
• Has the effect of increasing management compensation, for example, by ensuring that the
requirements for the award of bonuses or other incentives are satisfied;
• Is significant having regard to auditor’s understanding of the known previous
communications to users, for example, in relation to forecast earnings;
• Relates to items involving particular parties (for example, whether external parties to the
transaction are related to members of the entity’s management);
• Is an omission of information not specifically required by AFRF but which, in the judgment of
auditor, is important to users’ understanding of financial position & performance etc; or
• Affects other information that will be communicated in documents containing the audited
F/S (for example, information to be included in a “Management Discussion and
Analysis” or an “Operating and Financial Review”) that may reasonably be expected to
influence the economic decisions of the users of the F/S.

Communication with TCWG (Ref: 12, A21-A23)

• Auditor shall communicate with TCWG uncorrected misstatements and the effect that they
may have on the auditor’s opinion (unless prohibited by law or regulation).
• Where there is a large number of individual immaterial uncorrected misstatements, auditor may
communicate the number and overall monetary effect of uncorrected misstatements.
• Auditor shall identify material uncorrected misstatements individually.
• Auditor shall request that uncorrected misstatements be corrected.
• Auditor shall also communicate with TCWG the effect of uncorrected misstatements
related to prior periods on current F/S. (See ISA 710)

Written Representations (Ref: 14, A24)

• Auditor shall request a written representation from management and, where appropriate,
TCWG whether they believe the effects of uncorrected misstatements are immaterial,
individually and in aggregate, to the F/S as a whole.
• A summary of such items shall be included in or attached to the written representation.
• They may add to their written representation words such as: “We do not agree that items
… and … constitute misstatements because [description of reasons].”
• Obtaining representation does not, however, relieve the auditor from his responsibilities

Documentation (Ref: 15, A25)

Auditor shall include in the audit documentation:

• Amount below which misstatements would be regarded as clearly trivial;
• All misstatements accumulated during audit and whether they have been corrected; and
• Auditor’s conclusion as to whether uncorrected misstatements are material, individually or
in aggregate and the basis for that conclusion.

Important Paragraphs: 6, 11, 15, A1, A3, A16
