
ISA 402, ISA 520, ISAE 3402

AUDITING 2 PROJECT

by
Gede Widya Suta Puspantara (008201600020)
Irene Christy (008201600053)

FACULTY OF BUSINESS
ACCOUNTING STUDY PROGRAM
PRESIDENT UNIVERSITY
CIKARANG, BEKASI
2019
ISA 402
AUDIT CONSIDERATIONS RELATING TO AN ENTITY USING
A SERVICE ORGANIZATION
Scope of ISA 402
1. This International Standard on Auditing (ISA) deals with the user auditor’s responsibility
to obtain sufficient appropriate audit evidence when a user entity uses the services of one
or more service organizations. Specifically, it expands on how the user auditor applies ISA
315 and ISA 330 in obtaining an understanding of the user entity, including internal control
relevant to the audit, sufficient to identify and assess the risks of material misstatement and
in designing and performing further audit procedures responsive to those risks.
2. Many entities outsource aspects of their business to organizations that provide services
ranging from performing a specific task under the direction of an entity to replacing an
entity’s entire business units or functions, such as the tax compliance function.
3. Services provided by a service organization are relevant to the audit of a user entity’s
financial statements when those services, and the controls over them, are part of the user
entity’s information system, including related business processes, relevant to financial
reporting. A service organization’s services are part of a user entity’s information system,
including related business processes, relevant to financial reporting if these services affect
any of the following:
a. The classes of transactions in the user entity’s operations that are significant to the
user entity’s financial statements;
b. The procedures, within both information technology (IT) and manual systems, by
which the user entity’s transactions are initiated, recorded, processed, corrected as
necessary, transferred to the general ledger and reported in the financial statements;
c. The related accounting records, either in electronic or manual form, supporting
information and specific accounts in the user entity’s financial statements that are
used to initiate, record, process and report the user entity’s transactions; this
includes the correction of incorrect information and how information is transferred
to the general ledger;
d. How the user entity’s information system captures events and conditions, other than
transactions, that are significant to the financial statements;
e. The financial reporting process used to prepare the user entity’s financial
statements, including significant accounting estimates and disclosures; and
f. Controls surrounding journal entries, including non-standard journal entries used
to record non-recurring, unusual transactions or adjustments.
4. The nature and extent of work to be performed by the user auditor regarding the services
provided by a service organization depend on the nature and significance of those services
to the user entity and the relevance of those services to the audit.
5. This ISA does not apply to services provided by financial institutions that are limited to
processing, for an entity’s account held at the financial institution, transactions that are
specifically authorized by the entity. In addition, this ISA does not apply to the audit of
transactions arising from proprietary financial interests in other entities.

Effective Date
6. This ISA is effective for audits of financial statements for periods beginning on or after: (i) 1
January 2013 (for the issuer), or (ii) 1 January 2014 (for entities other than the issuer).
Objectives
7. The objectives of the user auditor, when the user entity uses the services of a service
organization, are:
a. To obtain an understanding of the nature and significance of the services provided
by the service organization and their effect on the user entity’s internal control
relevant to the audit, sufficient to identify and assess the risks of material
misstatement; and
b. To design and perform audit procedures responsive to those risks.
Definitions
8. For purposes of the ISAs, the following terms have the meanings attributed below:
a. Complementary user entity controls – Controls that the service organization
assumes, in the design of its service, will be implemented by user entities.
b. Report on the description and design of controls at a service organization (referred
to in this ISA as a type 1 report) – A report that comprises:
i. A description, prepared by management of the service organization, of the
service organization’s system, control objectives and related controls that
have been designed and implemented as at a specified date; and
ii. A report by the service auditor with the objective of conveying reasonable
assurance that includes the service auditor’s opinion on the description of
the service organization’s system, control objectives and related controls
and the suitability of the design of the controls to achieve the specified
control objectives.
c. Report on the description, design, and operating effectiveness of controls at a
service organization (referred to in this ISA as a type 2 report) – A report that
comprises:
i. A description, prepared by management of the service organization, of the
service organization’s system, control objectives and related controls, their
design and implementation as at a specified date or throughout a specified
period and, in some cases, their operating effectiveness throughout a
specified period; and
ii. A report by the service auditor with the objective of conveying reasonable
assurance that includes:
a) The service auditor’s opinion on the description of the service
organization’s system, control objectives and related controls, the
suitability of the design of the controls to achieve the specified
control objectives, and the operating effectiveness of the controls;
and
b) A description of the service auditor’s tests of the controls and the
results thereof.
d. Service auditor – An auditor who, at the request of the service organization,
provides an assurance report on the controls of a service organization.
e. Service organization – A third-party organization (or segment of a third-party
organization) that provides services to user entities that are part of those entities’
information systems relevant to financial reporting.
f. Service organization’s system – The policies and procedures designed,
implemented and maintained by the service organization to provide user entities
with the services covered by the service auditor’s report.
g. Subservice organization – A service organization used by another service
organization to perform some of the services provided to user entities that are part
of those user entities’ information systems relevant to financial reporting.
h. User auditor – An auditor who audits and reports on the financial statements of a
user entity.
i. User entity – An entity that uses a service organization and whose financial
statements are being audited.
Requirements
Obtaining an Understanding of the Services Provided by a Service Organization, Including
Internal Control
9. When obtaining an understanding of the user entity in accordance with ISA 315, the user
auditor shall obtain an understanding of how a user entity uses the services of a service
organization in the user entity’s operations, including:
a. The nature of the services provided by the service organization and the significance
of those services to the user entity, including the effect thereof on the user entity’s
internal control;
b. The nature and materiality of the transactions processed or accounts or financial
reporting processes affected by the service organization;
c. The degree of interaction between the activities of the service organization and
those of the user entity; and
d. The nature of the relationship between the user entity and the service organization,
including the relevant contractual terms for the activities undertaken by the service
organization.
10. The user auditor shall evaluate the design and implementation of relevant controls at the
user entity that relate to the services provided by the service organization.
11. The user auditor shall determine whether a sufficient understanding of the nature and
significance of the services provided by the service organization and their effect on the user
entity’s internal control relevant to the audit has been obtained to provide a basis for the
identification and assessment of risks of material misstatement.
12. If the user auditor is unable to obtain a sufficient understanding from the user entity, the
user auditor shall obtain that understanding from one or more of the following procedures:
a. Obtaining a type 1 or type 2 report, if available;
b. Contacting the service organization, through the user entity, to obtain specific
information;
c. Visiting the service organization and performing procedures that will provide the
necessary information about the relevant controls at the service organization; or
d. Using another auditor to perform procedures that will provide the necessary
information about the relevant controls at the service organization.
Using a Type 1 or Type 2 Report to Support the User Auditor’s Understanding of the Service
Organization
13. In determining the sufficiency and appropriateness of the audit evidence provided by a type
1 or type 2 report, the user auditor shall be satisfied as to:
a. The service auditor’s professional competence and independence from the service
organization; and
b. The adequacy of the standards under which the type 1 or type 2 report was issued.
14. If the user auditor plans to use a type 1 or type 2 report as audit evidence to support the
user auditor’s understanding about the design and implementation of controls at the service
organization, the user auditor shall:
a. Evaluate whether the description and design of controls at the service organization
is at a date or for a period that is appropriate for the user auditor’s purposes;
b. Evaluate the sufficiency and appropriateness of the evidence provided by the report
for the understanding of the user entity’s internal control relevant to the audit; and
c. Determine whether complementary user entity controls identified by the service
organization are relevant to the user entity and, if so, obtain an understanding of
whether the user entity has designed and implemented such controls.
Responding to the Assessed Risks of Material Misstatement
15. In responding to assessed risks in accordance with ISA 330, the user auditor shall:
a. Determine whether sufficient appropriate audit evidence concerning the relevant
financial statement assertions is available from records held at the user entity; and,
if not,
b. Perform further audit procedures to obtain sufficient appropriate audit evidence or
use another auditor to perform those procedures at the service organization on the
user auditor’s behalf.
Tests of Controls
16. When the user auditor’s risk assessment includes an expectation that controls at the service
organization are operating effectively, the user auditor shall obtain audit evidence about
the operating effectiveness of those controls from one or more of the following procedures:
a. Obtaining a type 2 report, if available;
b. Performing appropriate tests of controls at the service organization; or
c. Using another auditor to perform tests of controls at the service organization on
behalf of the user auditor.
Using a Type 2 Report as Audit Evidence that Controls at the Service Organization Are Operating
Effectively
17. If, in accordance with paragraph 16(a), the user auditor plans to use a type 2 report as audit
evidence that controls at the service organization are operating effectively, the user auditor
shall determine whether the service auditor’s report provides sufficient appropriate audit
evidence about the effectiveness of the controls to support the user auditor’s risk
assessment by:
a. Evaluating whether the description, design and operating effectiveness of controls
at the service organization is at a date or for a period that is appropriate for the user
auditor’s purposes;
b. Determining whether complementary user entity controls identified by the service
organization are relevant to the user entity and, if so, obtaining an understanding of
whether the user entity has designed and implemented such controls and, if so,
testing their operating effectiveness;
c. Evaluating the adequacy of the time period covered by the tests of controls and the
time elapsed since the performance of the tests of controls; and
d. Evaluating whether the tests of controls performed by the service auditor and the
results thereof, as described in the service auditor’s report, are relevant to the
assertions in the user entity’s financial statements and provide sufficient
appropriate audit evidence to support the user auditor’s risk assessment.
Type 1 and Type 2 Reports that Exclude the Services of a Subservice Organization
18. If the user auditor plans to use a type 1 or a type 2 report that excludes the services provided
by a subservice organization and those services are relevant to the audit of the user entity’s
financial statements, the user auditor shall apply the requirements of this ISA with respect
to the services provided by the subservice organization.
Fraud, Non-Compliance with Laws and Regulations and Uncorrected Misstatements in
Relation to Activities at the Service Organization
19. The user auditor shall inquire of management of the user entity whether the service
organization has reported to the user entity, or whether the user entity is otherwise aware
of, any fraud, non-compliance with laws and regulations or uncorrected misstatements
affecting the financial statements of the user entity. The user auditor shall evaluate how
such matters affect the nature, timing and extent of the user auditor’s further audit
procedures, including the effect on the user auditor’s conclusions and user auditor’s report.
Reporting by the User Auditor
20. The user auditor shall modify the opinion in the user auditor’s report in accordance with
ISA 705 if the user auditor is unable to obtain sufficient appropriate audit evidence
regarding the services provided by the service organization relevant to the audit of the user
entity’s financial statements.
21. The user auditor shall not refer to the work of a service auditor in the user auditor’s report
containing an unmodified opinion unless required by law or regulation to do so. If such
reference is required by law or regulation, the user auditor’s report shall indicate that the
reference does not diminish the user auditor’s responsibility for the audit opinion.
22. If reference to the work of a service auditor is relevant to an understanding of a
modification to the user auditor’s opinion, the user auditor’s report shall indicate that such
reference does not diminish the user auditor’s responsibility for that opinion.
ISA 520
ANALYTICAL PROCEDURES
Scope of ISA 520
1. This International Standard on Auditing (ISA) deals with the auditor’s use of analytical
procedures as substantive procedures (“substantive analytical procedures”). It also deals
with the auditor’s responsibility to perform analytical procedures near the end of the audit
that assist the auditor when forming an overall conclusion on the financial statements.
Effective Date
2. This ISA is effective for audits of financial statements for periods beginning on or after: (i) 1
January 2013 (for the issuer), or (ii) 1 January 2014 (for entities other than the issuer).
Objectives
3. The objectives of the auditor are:
a. To obtain relevant and reliable audit evidence when using substantive analytical
procedures; and
b. To design and perform analytical procedures near the end of the audit that assist the
auditor when forming an overall conclusion as to whether the financial statements
are consistent with the auditor’s understanding of the entity.
Definitions
4. For the purposes of the ISAs, the term “analytical procedures” means evaluations of
financial information through analysis of plausible relationships among both financial and
non-financial data.
Requirements
Substantive Analytical Procedures
5. When designing and performing substantive analytical procedures, either alone or in
combination with tests of details, as substantive procedures in accordance with ISA 330,
the auditor shall:
a. Determine the suitability of particular substantive analytical procedures for given
assertions, taking account of the assessed risks of material misstatement and tests
of details, if any, for these assertions;
b. Evaluate the reliability of data from which the auditor’s expectation of recorded
amounts or ratios is developed, taking account of source, comparability, and nature
and relevance of information available, and controls over preparation;
c. Develop an expectation of recorded amounts or ratios and evaluate whether the
expectation is sufficiently precise to identify a misstatement that, individually or
when aggregated with other misstatements, may cause the financial statements to
be materially misstated; and
d. Determine the amount of any difference of recorded amounts from expected values
that is acceptable without further investigation.
Analytical Procedures that Assist When Forming an Overall Conclusion
6. The auditor shall design and perform analytical procedures near the end of the audit that
assist the auditor when forming an overall conclusion as to whether the financial statements
are consistent with the auditor’s understanding of the entity.
Investigating Results of Analytical Procedures
7. If analytical procedures performed in accordance with this ISA identify fluctuations or
relationships that are inconsistent with other relevant information or that differ from
expected values by a significant amount, the auditor shall investigate such differences by:
a. Inquiring of management and obtaining appropriate audit evidence relevant to
management’s responses; and
b. Performing other audit procedures as necessary in the circumstances.
Application and Other Explanatory Material
Definition of Analytical Procedures (Ref: Para. 4)
A.1 Analytical procedures include the consideration of comparisons of the entity’s financial
information with, for example:
• Comparable information for prior periods.
• Anticipated results of the entity.
• Similar industry information.
A.2 Analytical procedures also include consideration of relationships, for example:
• Among elements of financial information that would be expected to conform to a
predictable pattern based on the entity’s experience.
• Between financial information and relevant non-financial information.
A.3 Various methods may be used to perform analytical procedures. These methods range
from performing simple comparisons to performing complex analyses using advanced
statistical techniques. Analytical procedures may be applied to consolidated financial
statements, components and individual elements of information.
Substantive Analytical Procedures (Ref: Para. 5)
A.4 The auditor’s substantive procedures at the assertion level may be tests of details,
substantive analytical procedures, or a combination of both. The decision about which
audit procedures to perform, including whether to use substantive analytical procedures,
is based on the auditor’s judgment about the expected effectiveness and efficiency of
the available audit procedures to reduce audit risk at the assertion level to an acceptably
low level.
A.5 The auditor may inquire of management as to the availability and reliability of
information needed to apply substantive analytical procedures, and the results of any
such analytical procedures performed by the entity.
Suitability of Particular Analytical Procedures for Given Assertions (Ref: Para. 5(a))
A.6 Substantive analytical procedures are generally more applicable to large volumes of
transactions that tend to be predictable over time. The application of planned analytical
procedures is based on the expectation that relationships among data exist and continue
in the absence of known conditions to the contrary.
A.7 In some cases, even an unsophisticated predictive model may be effective as an
analytical procedure. Widely recognized trade ratios can often be used
effectively in substantive analytical procedures to provide evidence to support the
reasonableness of recorded amounts.
A.8 Different types of analytical procedures provide different levels of assurance. Analytical
procedures involving, for example, the prediction of total rental income on a building
divided into apartments, taking the rental rates, the number of apartments and vacancy
rates into consideration, can provide persuasive evidence and may eliminate the need
for further verification by means of tests of details, provided the elements are
appropriately verified. In contrast, calculation and comparison of gross margin
percentages as a means of confirming a revenue figure may provide less persuasive
evidence, but may provide useful corroboration if used in combination with other audit
procedures.
A.9 The determination of the suitability of particular substantive analytical procedures is
influenced by the nature of the assertion and the auditor’s assessment of the risk of
material misstatement.
A.10 Particular substantive analytical procedures may also be considered suitable when tests
of details are performed on the same assertion.
Considerations Specific to Public Sector Entities
A.11 The relationships between individual financial statement items traditionally considered
in the audit of business entities may not always be relevant in the audit of governments
or other non-business public sector entities.
The Reliability of the Data (Ref: Para. 5(b))
A.12 The reliability of data is influenced by its source and nature and is dependent on the
circumstances under which it is obtained. Accordingly, the following are relevant when
determining whether data is reliable for purposes of designing substantive analytical
procedures:
• Source of the information available.
• Comparability of the information available.
• Nature and relevance of the information available.
• Controls over the preparation of the information that are designed to ensure its
completeness, accuracy and validity.
A.13 The auditor may consider testing the operating effectiveness of controls, if any, over the
entity’s preparation of information used by the auditor in performing substantive
analytical procedures in response to assessed risks. When such controls are effective,
the auditor generally has greater confidence in the reliability of the information and,
therefore, in the results of analytical procedures. The operating effectiveness of controls
over non-financial information may often be tested in conjunction with other tests of
controls.
A.14 The matters discussed in paragraphs A12(a)–A12(d) are relevant irrespective of whether
the auditor performs substantive analytical procedures on the entity’s period-end
financial statements, or at an interim date and plans to perform substantive analytical
procedures for the remaining period. ISA 330 establishes requirements and provides
guidance on substantive procedures performed at an interim date.
Evaluation Whether the Expectation Is Sufficiently Precise (Ref: Para. 5(c))
A.15 Matters relevant to the auditor’s evaluation of whether the expectation can be developed
sufficiently precisely to identify a misstatement that, when aggregated with other
misstatements, may cause the financial statements to be materially misstated, include:
• The accuracy with which the expected results of substantive analytical procedures
can be predicted.
• The degree to which information can be disaggregated.
• The availability of the information, both financial and non-financial.
Amount of Difference of Recorded Amounts from Expected Values that Is Acceptable (Ref: Para.
5(d))
A.16 The auditor’s determination of the amount of difference from the expectation that can
be accepted without further investigation is influenced by materiality and the
consistency with the desired level of assurance, taking account of the possibility that a
misstatement, individually or when aggregated with other misstatements, may cause the
financial statements to be materially misstated. ISA 330 requires the auditor to obtain
more persuasive audit evidence the higher the auditor’s assessment of risk. Accordingly,
as the assessed risk increases, the amount of difference considered acceptable without
investigation decreases in order to achieve the desired level of persuasive evidence.
Analytical Procedures that Assist When Forming an Overall Conclusion (Ref: Para. 6)
A.17 The conclusions drawn from the results of analytical procedures designed and
performed in accordance with paragraph 6 are intended to corroborate conclusions
formed during the audit of individual components or elements of the financial
statements. This assists the auditor to draw reasonable conclusions on which to base the
auditor’s opinion.
A.18 The results of such analytical procedures may identify a previously unrecognized risk
of material misstatement. In such circumstances, ISA 315 requires the auditor to revise
the auditor’s assessment of the risks of material misstatement and modify the further
planned audit procedures accordingly.
A.19 The analytical procedures performed in accordance with paragraph 6 may be similar to
those that would be used as risk assessment procedures.
Investigating Results of Analytical Procedures (Ref: Para. 7)
A.20 Audit evidence relevant to management’s responses may be obtained by evaluating
those responses taking into account the auditor’s understanding of the entity and its
environment, and with other audit evidence obtained during the course of the audit.
A.21 The need to perform other audit procedures may arise when, for example, management
is unable to provide an explanation, or the explanation, together with the audit evidence
obtained relevant to management’s response, is not considered adequate.
ISAE 3402
ASSURANCE REPORTS ON CONTROLS AT A SERVICE
ORGANIZATION
Scope of this ISAE
This International Standard on Assurance Engagements (ISAE) deals with assurance
engagements undertaken by a professional accountant in public practice to provide a report for
use by user entities and their auditors on the controls at a service organization that provides a
service to user entities that is likely to be relevant to user entities’ internal control as it relates
to financial reporting.
The “International Framework for Assurance Engagements” (the Assurance Framework)
states that an assurance engagement may be a “reasonable assurance” engagement or a “limited
assurance” engagement; that an assurance engagement may be either an “assertion-based”
engagement or a “direct reporting” engagement; and, that the assurance conclusion for an
assertion-based engagement can be worded either in terms of the responsible party’s assertion
or directly in terms of the subject matter and the criteria.
This ISAE applies only when the service organization is responsible for, or otherwise able
to make an assertion about, the suitable design of controls.
Effective Date
1. This ISAE is effective for audits of financial statements for periods beginning on or after 1
July 2017.
Objectives
The objectives of the service auditor are:
a. To obtain reasonable assurance about whether, in all material respects.
b. To report on the matters in (a) above in accordance with the service auditor’s findings.
Requirements
The service auditor shall not represent compliance with this ISAE unless the service auditor
has complied with the requirements of this ISAE and ISAE 3000.
The service auditor shall comply with relevant ethical requirements, including those
pertaining to independence, relating to assurance engagements.
Where this ISAE requires the service auditor to inquire of, request representations from,
communicate with, or otherwise interact with the service organization, the service auditor shall
determine the appropriate person(s) within the service organization’s management or
governance structure with whom to interact. This shall include consideration of which
person(s) have the appropriate responsibilities for and knowledge of the matters concerned.
For identifying the risks that threaten achievement of the control objectives stated in the
description of its system, and designing and implementing controls to provide reasonable
assurance that those risks will not prevent achievement of the control objectives stated in the
description of its system, and therefore that the stated control objectives will be achieved
If the service organization requests a change in the scope of the engagement before the
completion of the engagement, the service auditor shall be satisfied that there is a reasonable
justification for the change.
As required by ISAE 3000, the service auditor shall assess whether the service organization
has used suitable criteria in preparing the description of its system, in evaluating whether
controls are suitably designed, and, in the case of a type 2 report, in evaluating whether controls
are operating effectively.
When planning and performing the engagement, the service auditor shall consider
materiality with respect to the fair presentation of the description, the suitability of the design
of controls and, in the case of a type 2 report, the operating effectiveness of controls.
The service auditor shall obtain an understanding of the service organization’s system,
including controls that are included in the scope of the engagement.
The service auditor shall determine which of the controls at the service organization are
necessary to achieve the control objectives stated in the service organization’s description of
its system, and shall assess whether those controls were suitably designed.
When determining the extent of tests of controls, the service auditor shall consider matters
including the characteristics of the population to be tested, which includes the nature of
controls, the frequency of their application (for example, monthly, daily, a number of times
per day), and the expected rate of deviation.
When the service auditor uses sampling, the service auditor shall consider the purpose of
the procedure and the characteristics of the population from which the sample will be drawn
when designing the sample.
In the extremely rare circumstances when the service auditor considers a deviation
discovered in a sample to be an anomaly and no other controls have been identified that allow
the service auditor to conclude that the relevant control objective is operating effectively
throughout the specified period, the service auditor shall obtain a high degree of certainty that
such deviation is not representative of the population.
If the service organization has an internal audit function, the service auditor shall obtain an
understanding of the nature of the responsibilities of the internal audit function and of the
activities performed in order to determine whether the internal audit function is likely to be
relevant to the engagement.
In determining the planned effect of the work of the internal auditors on the nature, timing
or extent of the service auditor’s procedures, the service auditor shall consider the nature and
scope of specific work performed, or to be performed, by the internal auditors.
In order for the service auditor to use specific work of the internal auditors, the service
auditor shall evaluate and perform procedures on that work to determine its adequacy for the
service auditor’s purposes.
If the work of the internal audit function has been used, the service auditor shall make no
reference to that work in the section of the service auditor’s assurance report that contains the
service auditor’s opinion.
The written representations shall be in the form of a representation letter addressed to the
service auditor. The date of the written representations shall be as near as practicable to, but
not after, the date of the service auditor’s assurance report.
The service auditor shall read the other information, if any, included in a document
containing the service organization’s description of its system and the service auditor’s
assurance report, to identify material inconsistencies, if any, with that description.
The service auditor shall inquire whether the service organization is aware of any events
subsequent to the period covered by the service organization’s description of its system up to
the date of the service auditor’s assurance report that could have a significant effect on the
service auditor’s assurance report.
If the service auditor uses specific work of the internal auditors, the service auditor shall
document the conclusions reached regarding the evaluation of the adequacy of the work of the
internal auditors, and the procedures performed by the service auditor on that work.
A statement that the service auditor’s responsibility is to express an opinion on the service
organization’s description, on the design of controls related to the control objectives stated in
that description and, in the case of a type 2 report, on the operating effectiveness of those
controls, based on the service auditor’s procedures.
If the service auditor becomes aware of non-compliance with laws and regulations, fraud,
or uncorrected errors attributable to the service organization that are not clearly trivial and may
affect one or more user entities, the service auditor shall determine whether the matter has been
communicated appropriately to affected user entities.
Application and Other Explanatory Material
A.1 Internal control is a process designed to provide reasonable assurance regarding the
achievement of objectives related to the reliability of financial reporting, effectiveness
and efficiency of operations and compliance with applicable laws and regulations.
Controls related to a service organization’s operations and compliance objectives may
be relevant to a user entity’s internal control as it relates to financial reporting. Such
controls may pertain to assertions about presentation and disclosure relating to account
balances, classes of transactions or disclosures, or may pertain to evidence that the user
auditor evaluates or uses in applying auditing procedures.
A.2 The service organization may not be able to assert that the system is suitably designed.
Because of the inextricable link between the suitable design of controls and their
operating effectiveness, the absence of an assertion with respect to the suitability of
design will likely preclude the service auditor from concluding that the controls provide
reasonable assurance that the control objectives have been met and thus from opining
on the operating effectiveness of controls.
A.3 The definition of “controls at the service organization” includes aspects of user entities’
information systems maintained by the service organization, and may also include
aspects of one or more of the other components of internal control at a service
organization.
A.4 When the inclusive method is used, the requirements in this ISAE also apply to the
services provided by the subservice organization, including obtaining agreement
regarding the matters in paragraph 13(b)(i)–(v) as applied to the subservice organization
rather than the service organization. Performing procedures at the subservice
organization entails coordination and communication between the service organization,
the subservice organization, and the service auditor.
A.5 The service auditor is subject to relevant independence requirements, which ordinarily
comprise Parts A and B of the IESBA Code together with national requirements that are
more restrictive.
A.6 Management and governance structures vary by jurisdiction and by entity, reflecting
influences such as different cultural and legal backgrounds, and size and ownership
characteristics.
A.7 Relevant capabilities and competence to perform the engagement.
A.8 Refusal, by a service organization, to provide a written assertion, subsequent to an
agreement by the service auditor to accept, or continue, an engagement, represents a
scope limitation that causes the service auditor to withdraw from the engagement.
A.9 The service organization accomplishes monitoring of controls through ongoing
activities, separate evaluations, or a combination of both. The greater the degree and
effectiveness of ongoing monitoring activities, the less need for separate evaluations.
Ongoing monitoring activities are often built into the normal recurring activities of a
service organization and include regular management and supervisory activities.
A.10 The service organization is responsible for identifying the risks that threaten
achievement of the control objectives stated in the description of its system. The service
organization may have a formal or informal process for identifying relevant risks. A
formal process may include estimating the significance of identified risks, assessing the
likelihood of their occurrence, and deciding about actions to address them.
A.11 A request to change the scope of the engagement may not have a reasonable justification when
the service organization will not provide the service auditor with a written assertion and
the request is made to perform the engagement under ISAE 3000.
A.12 A request to change the scope of the engagement may have a reasonable justification
when the request is made to exclude from the engagement a subservice organization when the service organization cannot arrange
for access by the service auditor, and the method used for dealing with the services
provided by that subservice organization is changed from the inclusive method to the
carve-out method.
A.13 Criteria need to be available to the intended users to allow them to understand the basis
for the service organization’s assertion about the fair presentation of its description of
the system, the suitability of the design of controls and, in the case of a type 2 report,
the operating effectiveness of the controls related to the control objectives.
A.14 ISAE 3000 requires the service auditor, among other things, to assess the suitability of
criteria, and the appropriateness of the subject matter. The subject matter is the
underlying condition of interest to intended users of an assurance report.
A.15 These elements may not be appropriate if the system being described is not a system
that processes transactions.
A.16 In an engagement to report on controls at a service organization, the concept of
materiality relates to the system being reported on, not the financial statements of user
entities. The service auditor plans and performs procedures to determine whether the
service organization’s description of its system is fairly presented in all material
respects, whether controls at the service organization are suitably designed in all
material respects.
A.17 Materiality with respect to the fair presentation of the service organization’s description
of its system, and with respect to the design of controls, includes primarily the
consideration of qualitative factors.
A.18 The concept of materiality is not applied when disclosing, in the description of the tests
of controls, the results of those tests where deviations have been identified. This is
because, in the particular circumstances of a specific user entity or user auditor, a
deviation may have significance beyond whether or not, in the opinion of the service
auditor, it prevents a control from operating effectively.
A.19 Obtaining an understanding of the service organization’s system.
A.20 The service auditor’s procedures to obtain this understanding: inquiring of those within
the service organization who, in the service auditor’s judgment, may have relevant
information.
A.21 Considering the questions may assist the service auditor in determining whether those
aspects of the description included in the scope of the engagement are fairly presented
in all material respects.
A.22 The service auditor’s procedures to evaluate the fair presentation of the description.
A.23 Paragraph 21(a) requires the service auditor to evaluate whether the control objectives
stated in the service organization’s description of its system are reasonable in the
circumstances.
A.24 The service auditor’s procedures to determine whether the service organization’s system
has been implemented may be similar to, and performed in conjunction with, procedures
to obtain an understanding of that system.
A.25 From the viewpoint of a user entity or a user auditor, a control is suitably designed if,
individually or in combination with other controls, it would, when complied with
satisfactorily, provide reasonable assurance that material misstatements are prevented,
or detected and corrected.
A.26 A service auditor may consider using flowcharts, questionnaires, or decision tables to
facilitate understanding the design of the controls.
A.27 Controls may consist of a number of activities directed at the achievement of a control
objective. Consequently, if the service auditor evaluates certain activities as being
ineffective in achieving a particular control objective, the existence of other activities
may allow the service auditor to conclude that controls related to the control objective
are suitably designed.
A.28 From the viewpoint of a user entity or a user auditor, a control is operating effectively
if, individually or in combination with other controls, it provides reasonable assurance
that material misstatements, whether due to fraud or error, are prevented, or detected
and corrected.
A.29 Obtaining an understanding of controls sufficient to opine on the suitability of their
design is not sufficient evidence regarding their operating effectiveness, unless there is
some automation that provides for the consistent operation of the controls as they were
designed and implemented.
A.30 To be useful to user auditors, a type 2 report ordinarily covers a minimum period of six
months. If the period is less than six months, the service auditor may consider it
appropriate to describe the reasons for the shorter period in the service auditor’s
assurance report.
A.31 Certain control procedures may not leave evidence of their operation that can be tested
at a later date and, accordingly, the service auditor may find it necessary to test the
operating effectiveness of such control procedures at various times throughout the
reporting period.
A.32 The service auditor provides an opinion on the operating effectiveness of controls
throughout each period; therefore, sufficient appropriate evidence about the operation
of controls during the current period is required for the service auditor to express that
opinion.
A.33 In some circumstances, it may be necessary to obtain evidence supporting the effective
operation of indirect controls.
A.34 Because of the inherent consistency of IT processing, evidence about the
implementation of an automated application control, when considered in combination
with evidence about the operating effectiveness of the service organization’s general
controls (in particular, change controls), may also provide substantial evidence about its
operating effectiveness.
A.35 The means of selecting items for testing available to the service auditor is selecting all
items (100% examination). This may be appropriate for testing controls that are applied
infrequently.
A.36 While selective examination of specific items will often be an efficient means of
obtaining evidence, it does not constitute sampling. The results of procedures applied to
items selected in this way cannot be projected to the entire population; accordingly,
selective examination of specific items does not provide evidence concerning the
remainder of the population.
A.37 An internal audit function may be responsible for providing analyses, evaluations,
assurances, recommendations, and other information to management and those charged
with governance.
A.38 In determining the planned effect of the work of the internal auditors on the nature,
timing or extent of the service auditor’s procedures, the following factors may suggest
the need for different or less extensive procedures than would otherwise be the case: the
nature and scope of specific work performed, or to be performed, by the internal auditors
is quite limited.
A.39 The nature, timing and extent of the service auditor’s procedures on specific work of the
internal auditors will depend on the service auditor’s assessment of the significance of
that work to the service auditor’s conclusions.
A.40 Irrespective of the degree of autonomy and objectivity of the internal audit function,
such function is not independent of the service organization as is required of the service
auditor when performing the engagement.
A.41 The service auditor’s description of work performed by the internal audit function may
be presented in a number of ways.
A.42 The written representations required by paragraph 38 are separate from, and in addition
to, the service organization’s assertion, as defined at paragraph 9(o).
A.43 If the service organization does not provide the written representations requested in
accordance with paragraph 38(c) of this ISAE, it may be appropriate for the service
auditor’s opinion to be modified in accordance with paragraph 55(d) of this ISAE.
A.44 The IESBA Code requires that a service auditor not be associated with information
where the service auditor believes that the information contains a materially false or
misleading statement.
A.45 If the service organization refuses to remove or restate the other information, further
actions that may be appropriate include.
A.46 An appropriate time limit within which to complete the assembly of the final
engagement file is ordinarily not more than 60 days after the date of the service auditor’s
report.
A.47 Illustrative examples of service auditors’ assurance reports and related service
organizations’ assertions are contained in Appendices 1 and 2.
A.48 The criteria used for engagements to report on controls at a service organization are
relevant only for the purposes of providing information about the service organization’s
system, including controls, to those who have an understanding of how the system has
been used for financial reporting by user entities.
A.49 In describing the nature of the tests of controls for a type 2 report, it assists readers of
the service auditor’s assurance report.
A.50 Illustrative examples of elements of modified service auditor’s assurance reports are
contained in Appendix 3.
A.51 Even if the service auditor has expressed an adverse opinion or disclaimed an opinion,
it may be appropriate to describe in the basis for modification paragraph the reasons for
any other matters of which the service auditor is aware that would have required a
modification to the opinion, and the effects thereof.
A.52 When expressing a disclaimer of opinion because of a scope limitation, it is not
ordinarily appropriate to identify the procedures that were performed nor include
statements describing the characteristics of a service auditor’s engagement; to do so
might overshadow the disclaimer of opinion.
A.53 Appropriate actions to respond to the circumstances identified in paragraph 56 may
include obtaining legal advice about the consequences of different courses of action.