SA 402:- Audit Considerations relating to an Entity Using a Service Organisation (01/04/2010)

1. Service organisation – A third-party organisation that provides services to user entities that are part of those entities information systems relevant to financial reporting.
2. User entity – An entity that uses a service organisation and whose financial statements are being audited.
3. Subservice organisation – A service organisation used by another service organisation to perform some of the services provided to user entities.
4. User auditor – An auditor who audits and reports on the financial statements of a user entity.
5. Service auditor – An auditor who, at the request of the service organisation, provides an assurance report on the controls of a service organisation.
6. Complementary user entity controls – Controls that the service organisation assumes, in the design of its service, will be implemented by user entities, and which, if necessary to achieve control objectives, are identified in the description of its system.
7. Type 1 report:- Report on the description and design of controls at a service organization – A report that comprises:

• A description of the service organisation’s system, control objectives and related controls that have been designed and implemented as at a specified date, prepared by management; and
• A report by the service auditor that includes the service auditor’s opinion on the description of the service organization’s system, control objectives, and related controls and their suitability to achieve the specified control objectives.

Type 2 report:- Report on the description, design, and operating effectiveness of controls at a service organization – A report that comprises:

1. A description, of the service organisation’s system, control objectives and related controls, their design and implementation as at a specified date or throughout a specified period and, in some cases, their operating effectiveness throughout a specified period; and
2. A report by the service auditor with the objective of conveying reasonable assurance that includes:

• The service auditor’s opinion on the description of the service organisation’s system, control objectives and related controls, the suitability of the design of the controls to achieve the specified control objectives, and the operating effectiveness of the controls; and
• A description of the service auditor’s tests of the controls and the results thereof.

when the user entity uses the services of a service organization The objectives of the user auditor are:

• To obtain an understanding of the nature and significance of the services provided by the service organisation and their effect on the user entity’s internal control relevant to the audit, sufficient to identify and assess the risks of material misstatement; and
• To design and perform audit procedures responsive to those risks.

When obtaining an understanding of the user entity in accordance with SA 315, the user auditor shall obtain an understanding of how a user entity uses the services of a service organisation in the user entity’s operations, including: 

• The nature and significance of the services provided by the service organisation, including the effect thereof on the user entity’s internal control; 
• The nature and materiality of the transactions processed by the service organisation; 
• The degree of interaction between the activities of the service organisation and those of the user entity; and 
• The nature of the relationship between the user entity and the service organisation, including the relevant contractual terms for the activities undertaken by the service organisation. 

If the user auditor is unable to obtain a sufficient understanding from the user entity, the user auditor shall obtain that understanding from one or more of the following procedures: 

• Obtaining a Type 1 or Type 2 report, if available;
• Contacting the service organisation, through the user entity, to obtain specific information;
• Visiting the service organisation and performing procedures that will provide the necessary information about the relevant controls at the service organisation; or
• Using another auditor to perform procedures that will provide the necessary information about the relevant controls at the service organisation

If the user auditor plans to use a Type 1 or Type 2 report as audit evidence to support the user auditor’s understanding about the design and implementation of controls at the service organisation, the user auditor shall: 

• Evaluate whether the description and design of controls at the service organisation is at a date or for a period that is appropriate for the user auditor’s purposes;
• Evaluate the sufficiency and appropriateness of the evidence provided by the report for the understanding internal control relevant to the audit; and
• Determine whether complementary user entity controls identified by the service organisation are relevant to the user entity and, if so, obtain an understanding of whether the user entity has designed and implemented such controls.

If, the user auditor plans to use a Type 2 report as audit evidence that controls at the service organisation are operating effectively, the user auditor shall determine whether the service auditor’s report provides sufficient appropriate audit evidence about the effectiveness of the controls to support the user auditor’s risk assessment by: 

• Evaluating whether the description, design and operating effectiveness of controls at the service organisation is at a date or for a period that is appropriate for the user auditor’s purposes;
• Determining whether complementary user entity controls identified by the service organisation  are relevant to the user entity and, if so, obtaining an understanding of whether the user entity has designed and implemented such controls and, if so, testing their operating effectiveness;
• Evaluating the adequacy of the time period covered by the tests of controls and the time elapsed since the performance of the tests of controls; and
• Evaluating whether the tests of controls performed by the service auditor and the results thereof, as described in the service auditor’s report, are relevant to the assertions in the user entity’s financial statements and provide sufficient appropriate audit evidence to support the user auditor’s risk assessment.

• If the user auditor plans to use a Type 1 or a Type 2 report that excludes the services provided by a subservice organisation and those services are relevant to the audit of the user entity’s financial statements, the user auditor shall apply the requirements of this SA with respect to the services provided by the subservice organisation.
• These two methods of reporting are known as the inclusive method and the carve-out method

• The user auditor shall inquire management of the user entity whether the service organisation has reported or whether the user entity is otherwise aware of, any fraud, non- compliance with laws and regulations or uncorrected misstatements affecting the financial statements of the user entity. 
• The user auditor shall evaluate how such matters affect the nature, timing and extent of the user auditor’s further audit procedures, including the effect on the user auditor’s conclusions and user auditor’s report.

• The user auditor shall modify the opinion in the user auditor’s report in accordance with SA 705 if the user auditor is unable to obtain SAAE regarding the services provided by the service organisation 
• If reference to the work of a service auditor is relevant to an understanding of a modification to the user auditor’s opinion, the user auditor’s report shall indicate that such reference does not diminish the user auditor’s responsibility for that opinion. 
• The user auditor shall not refer to the work of a service auditor in the user auditor’s report containing an unmodified opinion unless required by law or regulation to do so. If such reference is required by law or regulation, the user auditor’s report shall indicate that the reference does not diminish the user auditor’s responsibility for the audit opinion.

To get detailed understanding of the concept you can consider purchasing our Audit classes from here – https://lecturepedia.in/product/ca-final-audit-fastrack-classes-for-nov-2023-onward-exams-by-ca-balakrishna-kovuru/