Auditing and Assurance Standard - 24
Audit Considerations relating to entities using service organizations

[Submitted by Mr. Aditya Kumar S,
CA (Final),
Bangalore, Karnataka]

October 5, 2007

Businesses around the world are getting more sophisticated than ever it was in the history. Corporate houses no longer have geographical limitations to market their goods or services to get a better share in the market, improve profits and optimize the resources.

Due to increased competition, business houses need to concentrate more on core areas, i.e., their actual business of manufacturing, marketing, supply chain management rather than non-core areas like accounting, human resource management. The reason is, "do what you know the best" so, who is going to do ancillary functions of accounting, HR management, etc., it can be outsourced i.e., these functions would be carried out by an expert.

Further, the cost of outsourcing is much less when compared to having a department dedicated to a function. This reduction of cost will reflect in the bottom line of the entity.

An Auditor's role is challenging in this type of environment given that books of accounts are not maintained by the client but by an outsider. So, the auditor's scope of work is not limited to client's business but also extends to the service organization's business also.

The outsourcing of the accounting function could be partial or in entirety. In both the scenarios, it is imperative for the auditor to understand:

1. The extent of outsourcing,
2. Areas of work outsourced like recording and processing transactions, documentation, authorizations, etc.,
3. Mode of collecting the source data,
4. Internal Control Systems of the service organization.

At times, the client may authorize the service organization with some powers to issue cheques, place orders with suppliers, collect receivables etc.,. Apart from doing the regular accounting function, the service organization is given to handle the resource of the client which requires great level of accountability and responsibility.

Therefore, an auditor should also gain knowledge of the following:

1. Business of the service organization,
2. Experience in providing the services,
3. Terms of contract with special emphasis on confidentiality, data management and documentation,
4. Internal control systems of the service organization and whether it is sufficient and appropriate in relation to the client's business,
5. The extent of use of service organizations data in preparation of financial statements,
6. Time and resource allotted to the client's accounts.

An auditor may also interact with the person-in-charge of the client's business and get necessary details on:

1. Ideally, every service organization should have departments catering to specific clients, therefore the auditor should ascertain about the existence of such procedures, which helps in maintaining confidentiality,
2. Delegation of work,
3. Work Allotment among the staff,
4. MIS reports on number of transactions processed, time required to process, ratio analysis of various financial variables etc.,
5. Information Security Concerns, Back-up plans, Disaster Recovery Management,
6. Communication with the client on timely basis to report on the scope and objective of work, areas of improvement etc.,
7. Whether the procedure adopted by the service organization is customized for the client is a standard procedure adopted, and how far it is relevant and conducive to the client's business etc.

An auditor should also consider audit report of the service organization, with respect to the client's business. Usually the report is of two types.

Type - A report is about the suitability of design of accounting and internal control system. The auditor of the service organization would have described:

1. The accounting and internal control systems,
2. Opinion whether the systems are accurate, is functioning and is designed to meet the requirements of the contract.

Type - B report is not only about the suitability of design of accounting and internal control system, but also about operational efficiency, which is a result of various tests conducted by the auditor.

The control risk being higher in case of use of service organization, but the assessment of the control risk can be lowered by documenting the service organizations reports as evidence and also by requesting the auditor of the service organization to perform additional substantive tests in specific areas, where the auditor has concerns or assesses greater risks.

Go to "Articles" Listings

Read our disclaimer and privacy policy
In case of problems viewing CAalley, please inform us