SA 402: Audit Considerations to an Entity using a Service Organisation
Definitions
Service Auditors
An auditor, who at the request of the SO provides an assurance report on controls of the SO.
Service Organisation (SO)
A third-party org. that provides services to user entities, which are a part of those entities' IS relevant to FR.
SO's System
Policies & procedures DIM by SO to provide user entities with services covered by the service auditor's report.
Sub-SO (SSO)
A SO used by another SO to perform some of the services provided to user entities with the services covered by service auditor's report.
User Auditor (UA)
An auditor who audits and reports on FS of a user entity.
User Entity (UE)
An entity that uses a SO and whose FS are being audited.
Obtaining an understanding of services provided by a SO incl. IC
The UA shall obtain an understanding of how a UE uses the services of a SO in UE's operations, including:
Nature & significance of services and its effect on UE's IC
Nature & materiality of transactions processed and its effect on FR Process
Degree of interaction between activities of SO and those of UE
Nature of relationship between them incl. contractual terms
As per SA 315, obtain an understanding of design and implementation of complementary UE controls.
Further procedures if sufficient understanding not obtained
Determine whether sufficient understanding of effect on UE's IC relevant to audit has been obtained to provide basis for identification and assessment of ROMM.
If not, UA to obtain that understanding from one or more of the fol.:
Obtain a Type-1 or Type-2 report if available
Contacting the SO through UE to obtain specific info.
Visiting the SO and performing procedures that provide necessary info. about control
Using another auditor to perform procedures that will provide necessary info. about relevant control at SO
Obtaining SAAE based on assessed ROMM
UA shall determine whether SAAE concerning relevant FS assertions is available from records held at UE, and if not
Perform FAP to obtain SAAE or use another auditor to perform those procedures at SO on UA's behalf.
SO Auditor's Report
Type-1 report on suitability of design
On SO's accounting and IC systems
A description of SO's accounting and IC systems, ordinarily prepared by MGT of SO, and
An opinion by SO's auditor that
The above description is accurate,
The system controls have been placed in operation, and
Suitably designed to achieve their stated objective.
Type-2 report on suitability of design & operating effectiveness
On SO's accounting and IC systems
All points discussed in Type-1 report, and
Accounting and IC systems are operating effectively based on results of TOC.
Type-1 reports may not reduce the assessment of control risk, but Type-2 may provide such a basis.
If UA plans to use a report that excludes services by SSO and those are relevant to UE's FS, the UA shall apply the requirements of this SA wrt services provided by SSO.
Fraud, non-compliance w/ L&R, and uncorrected misstatements in relation to activities at SO
Inquire MGT of UE whether SO has reported or is aware of any fraud, non-compliance with L&R, and uncorrected misstatements affecting the FS of UE.
UA shall evaluate how such matter affects the NTE of UA's FAP and AR.
Reporting by UA
If UA is unable to obtain SAAE, UA shall modify the report as per SA 705
UA shall not refer to the work of service auditor in UA's report containing an unmodified opinion, unless required by law.
If reference to the work of service auditor is relevant to an understanding of a modification in UA's opinion, UA's report shall indicate that such reference does not diminish the UA's responsibility for that opinion.