When a user entity utilizes the services of one or more service organizations, this International Standard on Auditing (UK) (ISA (UK)) addresses the user auditor's responsibilities to gather adequate appropriate audit evidence. It explains how the user auditor can use ISA (UK) 315 and ISA (UK) 330 to gain a sufficient understanding of the user entity, including relevant internal controls, to identify and assess the risks of material misstatement, and to design and perform additional audit procedures in response to those risks. When services provided by a service organization, as well as the controls over them, are part of the user entity's information system, including related business activities, relevant to financial reporting, they are relevant to the audit of the user entity's financial statements. The user auditor must comprehend how a user entity uses the services of a service organization in the user entity's activities when developing an understanding of the user entity in accordance with ISA (UK) 315.
When
a user entity uses the services of a service organization, the user auditor's
objectives are to:
(a) gain a sufficient understanding of
the nature and significance of the service organization's services and their
impact on the user entity's internal control relevant to the audit to identify
and assess the risks of material misstatement; and
(b) design and perform audit procedures
responsive to those risks.
Maintenance
of the user entity's accounting records is an example of a service organization
service that is important to the audit. Regardless of the controls in place at
the service organization, the user entity may establish controls over the
service organization's services that the user auditor can test, allowing the
user auditor to conclude that the user entity's controls are operating
effectively for some or all of the related assertions. If a user entity, for
example, hires a service organization to conduct its payroll transactions, the
user entity can set up controls over the submission and receipt of payroll data
to prevent or identify serious misstatements.
Practice:
The
user auditor shall evaluate the design and implementation of relevant controls
at the user entity that relates to the services provided by the service organization,
including those that are applied to the transactions processed by the service organization,
when obtaining an understanding of internal control relevant to the audit in
accordance with ISA (UK) 315.
Reference:
https://bit.ly/3Mm0kVB