NSA 402- Use of the service organizations
Many companies use service organizations to perform business functions such as
✓ Payroll processing
✓ Receivables collection
✓ Pension management.
If a company uses a service organization, audit evidence will need to be obtained from the service
organization instead of, or in addition to, the client. This needs to be considered when planning the
audit.
Planning the audit
The auditor will need to:
✓ Obtain an understanding of the service organization sufficient to identify and assess the risks
of material misstatement.
✓ Design and perform audit procedures responsive to those risks.
This requires the auditor to obtain an understanding of the service provided:
✓ Nature of the services and their effect on internal controls
✓ Nature and materiality of the transactions to the entity.
✓ Level of interaction between the activities of the service organization and the entity.
✓ Nature of the relationship between the service organization and the entity, including
contractual terms.
The auditor should determine the effect the use of a service organization will have on their
assessment of risk. The following issues should be considered:
✓ Reputation of the service organization.
✓ Existence of external supervision.
✓ Extent of controls operated by service provider.
✓ Experience of errors and omissions.
✓ Degree of monitoring by the user.
Sources of information about the service organization
• Obtaining a type 1 or type 2 report from the service organization’s auditor
A Type 1 report provides a description of the design of the controls at the service organization
prepared by the management of the service organization. It includes a report by the service auditor
providing an opinion on the description of the system and the suitability of the controls.
A Type 2 report is a report on the description, design and operating effectiveness of controls at the
service organization. It contains a report prepared by management of the service organization. It
includes a report by the service auditor providing an opinion on the description of the system, the
suitability of the controls, the effectiveness of the controls and a description of the tests of controls
performed by the auditor.
�If the auditor intends to use a report from a service auditor they should consider:
✓ The competence and independence of the service organization auditor
✓ The standards under which the report was issued.
• Contacting the service organization through the client.
• Visiting the service organization
• Using another auditor to perform procedures that will provide the necessary information about
controls at the service organization.
Responding to assessed risks
The auditor should determine whether sufficient appropriate evidence is available from the client
and if not, perform further procedures or use another auditor to perform procedures on their behalf
If controls are expected to operate effectively:
• Obtain a type 2 report if available and consider:
✓ Whether the date covered by the report is appropriate for the audit.
✓ Whether the client has any complementary controls in place.
✓ The time elapsed since the tests of controls were performed.
✓ Whether the tests of controls performed by the auditor are relevant to the financial
statement assertions
• Perform tests of controls at the service organization
• Use another auditor to perform tests of controls.
The auditor should enquire of the client whether the service organization has reported any frauds
to them or whether they are aware of any frauds.
Impact on the auditor's report
If sufficient appropriate evidence has not been obtained, a qualified or disclaimer of opinion will be
issued.
The use of a service organization auditor is not mentioned in the auditor's report unless required by
law or regulation. Reference to the work of a service organization auditor may be included in a report
containing a modified opinion if it is relevant to the understanding of the modification. This does not
diminish the auditor’s responsibility for the opinion.
Benefits to the audit
Independence: because the service organization is external to the client, the audit evidence derived
from it is regarded as being more reliable than evidence generated internally by the client.
Competence: because the service organization is a specialist, it may be more competent in
executing its role than the client’s internal department resulting in fewer errors.
Possible reliance on the service organization’s auditors: it may be possible for the audit firm to
confirm information directly with the service organization’s auditors.
�Drawbacks
The main disadvantage of outsourced services from the auditor's point of view concerns access to
records and information.
The auditor has a legal right to access the client’s records and to receive answers and explanations
that they consider necessary for the audit. They do not have such rights over records and information
held by a third party such as a service organization
If access to records and other information is denied by the service organization, this may impose a
limitation on the scope of the auditor’s work. If sufficient appropriate evidence is not obtained, this
will result in a modified audit opinion.
Question No. 1
G Ltd. is a mobile phone operating company. Barring the marketing function it had outsourced the
entire operations like maintenance of mobile infrastructure, customer billing, payroll, accounting
functions, etc. Assist the auditor of G Ltd. as to how he can obtain an understanding of how G Ltd.
uses the services of the outsourced agency in its operations.
Answer
As per NSA 402 on "Audit Considerations Relating to an Entity Using a Service Organization", when
obtaining an understanding of the user entity in accordance with NSA 315 "Identifying and Assessing
the Risks of Material Misstatement through Understanding the Entity and its Environment", the user
auditor shall obtain an understanding of how a user entity uses the services of a service organization
in the user entity's operations, including:
a) The nature of the services provided by the service organization and the significance of those
services to the user entity, including the effect thereof on the user entity's internal control;
b) The nature and materiality of the transactions processed or accounts or financial reporting
processes affected by the service organization;
c) The degree of interaction between the activities of the service organization and those of the
user entity; and
d) The nature of the relationship between the user entity and the service organization, including
the relevant contractual terms for the activities undertaken by the service organization.
Q. No. 2
A Company gets its accounting data processed by a third party to achieve cost reduction. As a
Statutory Auditor of such a company, what are the additional precautions/checks that you would
consider for conduct of the audit?
Answer
�Processing of accounting data may be given to a third party on account of various considerations
such as economy, own computer working to full capacity, an interim measures restricting
accessibility to sensitive information, etc. A client may use a service organization such as one that
executes transactions and maintains related accountability or records transactions and processes
related data (e.g., a computer systems service organization). If a client uses a service organization,
certain policies, procedures and records maintained by the service organization might be relevant
to the audit of the financial statements of the client. Consequently, the auditor would consider the
nature and extent of activities undertaken by service organizations so as to determine whether those
activities are relevant to the audit and, if so, to assess their effect on audit risk.
As per NSA 402 "Audit Considerations relating to an Entity using a Service Organization", when
obtaining an understanding of the user entity in accordance with NSA 315, the user auditor shall
obtain an understanding of how a user entity uses the services of a service organization in the user
entity's operations, including:
a) The nature of the services provided by the service organization and the significance of those
services to the user entity, including the effect thereof on the user entity's internal control;
b) The nature and materiality of the transactions processed or accounts or financial reporting
processes affected by the service organization;
c) The degree of interaction between the activities of the service organization and those of the
user entity; and
d) The nature of the relationship between the user entity and the service organization, including
the relevant contractual terms for the activities undertaken by the service organization.
Information on the nature of the services provided by a service organization may be available from a
wide variety of sources, such as user manuals; system overviews; technical manuals; the contract
or service level agreement between the user entity and the service organization; reports by service
organizations, internal auditors or regulatory authorities on controls at the service organization;
reports by the service auditor, including management letters, if available.
Knowledge obtained through the user auditor's experience with the service organization, for example
through experience with other audit engagements, may also be helpful in obtaining an understanding
of the nature of the services provided by the service organization. This may be particularly helpful if
the services and controls at the service organization over those services are highly standardized.
Q. No. 3
When a sub-service organization performs services for a service organization, there are two
alternative methods of presenting the description of controls. The service organization determines
which method will be used. As a user auditor what information would you obtain about controls at a
sub-service organization?
Answer
�In accordance with SA 402 "Audit Considerations relating to an Entity Using a Service Organization",
a user entity may use a service organization that in turn uses a sub-service organization to provide
some of the services provided to a user entity that are part of the user entity's information system
relevant to financial reporting. The sub-service organization may be a separate entity from the
service organization or may be related to the service organization.
A user auditor may need to consider controls at the sub-service organization. In situations where one
or more sub-service organizations are used, the interaction between the activities of the user entity
and those of the service organization is expanded to include the interaction between the user entity,
the service organization and the sub-service organizations. The degree of this interaction, as well as
the nature and materiality of the transactions processed by the service organization and the sub-
service organizations are the most important factors for the user auditor to consider in determining
the significance of the service organization's and sub-service organization's controls to the user
entity's controls.
Further, the user auditor shall determine whether a sufficient understanding of the nature and
significance of the services provided by the service organization and their effect on the user entity's
internal control relevant to the audit has been obtained to provide a basis for the identification and
assessment of risks of material misstatement.
If the user auditor is unable to obtain a sufficient understanding from the user entity, the user auditor
shall obtain that understanding by application of the following two methods of presenting
description of internal controls i.e. (I) Type 1 report; or (ii) Type 2 report.
If a service organization uses a subservice organization, the service auditor's report may either
include or exclude the subservice organization's relevant control objectives and related controls in
the service organization's description of its system and in the scope of the service auditor's
engagement. These two methods of reporting are known as the inclusive method and the carve -out
method respectively.
In either method, the service organization includes in its description of controls a description of the
functions and nature of the processing performed by the sub-service organization.
If the Type 1 or Type 2 report excludes the control at a subservice organization and the services
provided by the subservice organization are relevant to the audit of the user entity's financial
statements, the user auditor is required to apply the requirements of the NSA 402 in respect of the
subservice organization.
The nature and extent of work to be performed by the user auditor regarding the services provided by
a subservice organization depend on the nature and significance of those services to the user entity
and relevance of those services to the audit.
