Auditing and Assurance Standard (AAS) 24 

Audit Considerations Relating to Entities Using Service Organisations
 

The following is the text of the Statement on Standard Auditing Practices (SAP)24 on "Audit Considerations Relating to Entities Using Service Organisations" issued by the Council of the Institute of Chartered Accountants of India. This Statement should be read in conjunction with the "Preface to the Statements on Standard Auditing Practices", issued by the Institute. ¹

The purpose of this Statement on Standard Auditing Practices (SAP) is to establish standards for an auditor whose client uses a service organisation. This SAP also describes the reports of the auditors of the service organisation which may be obtained by the auditor of the client.

The auditor should consider how a service organisation affects the client's accounting and internal control systems so as to plan the audit and develop an effective audit approach.

Service organisations undertake a wide range of activities, for example, information processing, maintenance of accounting records, facilities management, maintenance of safe custody of assets such as investments, and initiation or execution of transactions on behalf of the other enterprise. Not all the activities undertaken by the service organisations are likely, by themselves, to have a significant effect on a user enterprise's financial statements. A client may use a service organisation such as one that executes transactions and maintains related accountability or records transactions and processes related data (e.g., a computer systems service organisation). If a client uses a service organisation, certain policies, procedures and records maintained by the service organisation might be relevant to the audit of the financial statements of the client. Consequently, the auditor would consider the nature and extent of activities undertaken by service organisations so as to determine whether those activities are relevant to the audit and, if so, to assess their effect on audit risk.

A service organisation may establish and execute policies and procedures that affect a client organisation's accounting and internal control systems. These policies and procedures are physically and operationally separate from the client's organisation. When the services provided by the service organisation are limited to recording and processing transactions of the client and the client retains authorisation and maintenance of accountability, the client might be able to implement effective policies and procedures within its organisation. When the service organisation executes the client's transactions and maintains accountability, the client may deem it necessary to rely on policies and procedures at the service organisation.

While planning the audit, the auditor of the client should determine the significance of the activities of the service organisation to the client and their relevance to the audit. In doing so, the auditor of the client would need to consider the following, as appropriate:

• Nature of the services provided by the service organisation.
  
   
• Terms of contract and relationship between the client and the service organisation.
  
   
• The material financial statement assertions that are affected by the use of the service organisation.
  
   
• Inherent risk associated with those assertions.
  
   
• Extent to which the client's accounting and internal control systems interact with the systems at the service organisation.
  
   
• Client's internal controls that are applied to the transactions processed by the service organisation.
  
   
• Service organisation's capability and financial strength, including the possible effect of the failure of the service organisation on the client.
  
   
• Information about the service organisation such as that reflected in user and technical manuals, if any.
  
   
• Information available on general controls and computer systems controls relevant to the client's applications.

The auditor of the client would also consider the availability of third-party reports from service organisation's auditors, internal auditors, or regulatory agencies as a means of providing information about the accounting and internal control systems of the service organisation and about its operation and effectiveness.

Consideration of the above may lead the auditor to decide that the control risk assessment will not be affected by controls at the service organisation; if so, further consideration of this SAP is unnecessary.

If the auditor of the client concludes that the activities of the service organisation are significant to the entity and relevant to the audit, the auditor should obtain sufficient information to understand the accounting and internal control systems of the service organisation and to assess control risk at either the maximum, or a lower level if tests of control are performed.

If the information is insufficient, the auditor of the client would consider the need to request the service organisation to have its auditor perform such procedures as to supply the necessary information in the forms of reports mentioned at paragraph 12. If such reports are not made available within a reasonable time, the auditor of the client would consider the need to visit the service organisation to obtain the relevant information. An auditor of the client wishing to visit a service organisation may advise the client to request the service organisation to give the auditor of the client access to the necessary information.

The auditor of the client may be able to obtain an understanding of the accounting and internal control systems affected by the service organisation by reading the third-party report of the service organisation's auditor. In addition, when assessing control risk for assertions affected by the systems, controls of the service organisation, the auditor of the client may also use the service organisation auditor's report. When the auditor of the client uses the report of a service organisation's auditor, the auditor of the client should consider the professional competence of the other auditor in the context of specific assignment if the other auditor is not a member of the Institute of Chartered Accountants of India.

The auditor of the client may conclude that it would be appropriate to obtain audit evidence from tests of control to support an assessment of control risk at a lower level.

When using a service organisation auditor's report, the auditor of the client should consider the nature of and content of that report.

The report of the service organisation's auditor will ordinarily be one of two types as follows:

an opinion by the service organisation's auditor that:

1. the above description is accurate;
   
    
2. the systems' controls have been placed in operation; and
   
    
3. the accounting and internal control systems are suitably designed to achieve their stated objectives.
   
    

a description of the service organisation's accounting and internal control systems, ordinarily prepared by the management of the service organisation; and

1. the above description is accurate;
   
    
2. the systems' controls have been placed in operation;
   
    
3. the accounting and internal control systems are suitably designed to achieve their stated objectives; and
   
    

4. the accounting and internal control systems are operating effectively based on the results from the tests of control. In addition to the opinion on operating effectiveness, the service organisation's auditor would identify the tests of control performed and related results.
   
    

The report of the service organisation's auditor will ordinarily contain restrictions as to its use (generally to management of the service organisation and its customers, and the specified client's auditor).

The auditor should consider the scope of work performed by the service organisation's auditor and should assess the usefulness and appropriateness of reports issued by the service organisation's auditor.

While Type A reports may be useful to an auditor of the client in gaining the required understanding of the accounting and internal control systems, an auditor would not use such reports as a basis for reducing the assessment of control risk.

In contrast, Type B reports may provide such a basis since tests of control have been performed. When a Type B report is to be used as evidence to support a lower control risk assessment, the auditor of the client would consider whether the controls tested by the service organisation's auditor are relevant to the client's transactions (significant assertions in the client's financial statements) and whether the service organisation auditor's tests of control and the results are adequate. With respect to the latter, two key considerations are the length of the period covered by the service organisation auditor's tests and the time since the performance of those tests.

For those specific tests of control and results that are relevant, the auditor of the client should consider whether the nature, timing and extent of such tests provide sufficient appropriate audit evidence about the effectiveness of the accounting and internal control systems to support the client auditor's assessed level of control risk.

The auditor of a service organisation may be engaged to perform substantive procedures that are of use to auditor of the client. Such engagements may involve the performance of procedures agreed upon by the client and its auditor and by the service organisation and its auditor.

When the auditor of the client uses a report from the auditor of a service organisation, no reference should be made in the client auditor's report to the service organisation's auditor's report.

This Statement on Standard Auditing Practices becomes operative for all audits related to accounting periods beginning on or after April 1, 2003. This means that the SAP will become effective w.e.f. April, 2004.

The auditing standards established in this Statement on Standard Auditing Practices are generally consistent in all material respects with those set out in ISA 402 "Audit Considerations Related to Entities Using Service Organisations"

¹ With the formation of the Auditing Practices Committee in 1982, the Council of the Institute has been issuing a series of Statements on Standard Auditing Practices (SAPs). Statements on Standard Auditing Practices lay down the principles governing an audit. These principles apply whenever an independent audit is carried out. Statements on Standard Auditing Practices become mandatory on the dates specified in the respective SAPs. Their mandatory status implies that, while discharging their attest function, it will be the duty of the members of the Institute to ensure that the SAPs are followed in the audit of financial information covered by their audit reports. If, for any reason, a member has not been able to perform an audit in accordance with the SAPs, his report should draw attention to the material departures therefrom.