Federal Register of Legislation - Australian Government


ASA 402 Standards/Accounting & Auditing as made
Auditing Standard ASA 402 establishes mandatory requirements and provides explanatory guidance to an auditor where the entity uses a service organisation(s).
Administered by: Treasury
General Comments: This Auditing Standard is operative for financial reporting periods commencing on or after 1 July 2006.
Exempt from sunsetting by the Legislation (Exemptions and Other Matters) Regulation 2015 s12 item 18
Registered 12 May 2006
Tabling History
Tabled HR: 22-May-2006
Tabled Senate: 13-Jun-2006
 

ASA 402

(April 2006)

Auditing Standard ASA 402
Audit Considerations Relating to Entities Using Service Organisations

 

 

Issued by the Auditing and Assurance Standards Board



Obtaining a Copy of this Auditing Standard

This Auditing Standard is available on the AUASB website: www.auasb.gov.au.

Alternatively, printed copies of this Auditing Standard are available by contacting:

Auditing and Assurance Standards Board
Level 4
530 Collins Street
Melbourne Victoria 3000
AUSTRALIA

Phone: (03) 8080 7400
Fax: (03) 8080 7450
E-mail: enquiries@auasb.gov.au

Postal Address:
PO Box 204
Collins Street West
Melbourne Victoria 8007
AUSTRALIA

COPYRIGHT

© Commonwealth of Australia 2006. The text, graphics and layout of this Auditing Standard are protected by Australian copyright law and the comparable law of other countries. Reproduction within Australia in unaltered form (retaining this notice) is permitted for personal and non-commercial use subject to the inclusion of an acknowledgment of the source. Requests and enquiries concerning reproduction and rights for commercial purposes within Australia should be addressed to the Principal Executive, Auditing and Assurance Standards Board, PO Box 204, Collins Street West, Melbourne Victoria 8007. Otherwise, no part of the Auditing Standard may be reproduced, stored or transmitted in any form or by any means without the prior written permission of the AUASB except as permitted by law.

 

 

 

ISSN 1833-4393


CONTENTS

PREFACE

AUTHORITY STATEMENT

Paragraphs

Application: 1-2
Operative Date: 3
Introduction: 4-6
Considerations of the Auditor: 7-18
Service Organisation Auditor’s Reports: 19-27
Conformity with International Standards on Auditing: 28


Preface

Reasons for Issuing Auditing Standard ASA 402 Audit Considerations Relating to Entities Using Service Organisations

The Auditing and Assurance Standards Board (AUASB) issues Auditing Standard ASA 402 Audit Considerations Relating to Entities Using Service Organisations due to the requirements of the legislative provisions explained below.

The Corporate Law Economic Reform Program (Audit Reform and Corporate Disclosure) Act 2004 (the CLERP 9 Act) established the AUASB as an independent statutory body under section 227A of the Australian Securities and Investments Commission Act 2001, as from 1 July 2004. Under section 336 of the Corporations Act 2001, the AUASB may make Auditing Standards for the purposes of the corporations legislation. These Auditing Standards are legislative instruments under the Legislative Instruments Act 2003.

Main Features

This Auditing Standard establishes mandatory requirements and provides explanatory guidance to an auditor where the entity uses a service organisation.

Operative Date

This Auditing Standard is operative for financial reporting periods commencing on or after 1 July 2006.


Main changes from AUS 404 (July 2002) Audit Implications Relating to Entities Using a Service Entity

The main differences between this Auditing Standard and the Auditing Standard issued by the Auditing & Assurance Standards Board of the Australian Accounting Research Foundation, AUS 404 (July 2002) Audit Implications Relating to Entities Using a Service Entity, are that in this Auditing Standard:

1. The word ‘shall’, in the bold-type paragraphs, is the terminology used to describe an auditor’s mandatory requirements, whereas an auditor’s degree of responsibility is described in AUS 404 by the word ‘should’.

2. The explanatory guidance paragraphs provide guidance and illustrative examples to assist the auditor in fulfilling the mandatory requirements, whereas in AUS 404 some obligations are implied within certain explanatory paragraphs. Accordingly, such paragraphs have been redrafted to clarify that the matter forms part of the explanatory guidance.

3. The application is extended to cases where the service organisation uses the services of a sub-service organisation.

4. The following additional mandatory requirements are included (these mandatory requirements are either not contained in AUS 404 or have been expanded or re-worded in this Auditing Standard):

(a) The auditor shall consider how an entity’s use of a service organisation affects the entity’s internal control so as to identify and assess the risk of material misstatement and to design and perform further audit procedures (paragraph 5). In AUS 404, the auditor should assess the effect that a service entity has on audit risk to enable the auditor to plan and develop an effective audit approach.

(b) In obtaining an understanding of the entity and its environment, the auditor shall determine the significance of service organisation activities to the entity and the relevance to the audit (paragraph 9).

(c) If the auditor concludes that the activities of the service organisation are significant to the entity and relevant to the audit, the auditor shall obtain a sufficient understanding of the entity and its environment, including its internal control, to identify and assess the risks of material misstatement and design further audit procedures in response to the assessed risk (paragraph 13).

(d) If the auditor uses the report of a service organisation auditor, the auditor shall consider the professional competence of that auditor in the context of the specific assignment undertaken by the service organisation auditor (paragraph 17).

(e) When using a service organisation auditor’s report, the auditor shall consider the nature of and content of that report (paragraph 19).

(f) The auditor shall consider the scope of work performed by the service organisation auditor and shall evaluate the usefulness and appropriateness of reports issued by the service organisation auditor (paragraph 21). In AUS 404, when the auditor uses a report issued by the service entity auditor, the user auditor should consider the scope of the work performed and assess whether the report is sufficient and appropriate for its intended use by the user auditor.

(g) For those specific tests of control and results that are relevant, the auditor shall consider whether the nature, timing and extent of such tests provide sufficient appropriate audit evidence about the operating effectiveness of the internal control to support the auditor’s assessed risks of material misstatement (paragraph 24). In AUS 404, for those specific tests of control that are relevant, the user auditor should consider whether the nature, timing and extent of such tests by the service entity auditor provide sufficient appropriate audit evidence about the effectiveness of the design and operation of the internal control structure to support the user auditor’s assessed level of control risk.

(h) When the auditor uses a report from the auditor of a service organisation, no reference shall be made in the entity’s auditor’s report to the auditor’s report on the service organisation (paragraph 27).

5. The mandatory requirements contained in paragraphs .21, .25 and .30 of AUS 404 are not included.


AUTHORITY STATEMENT

The Auditing and Assurance Standards Board (AUASB) makes Auditing Standard ASA 402 Audit Considerations Relating to Entities Using Service Organisations as set out in paragraphs 1 to 28, pursuant to section 227B of the Australian Securities and Investments Commission Act 2001 and section 336 of the Corporations Act 2001.

This Auditing Standard is to be read in conjunction with the Preamble to AUASB Standards, which sets out the intentions of the AUASB on how the Auditing Standards are to be understood, interpreted and applied.

The mandatory requirements of this Auditing Standard are set out in bold-type paragraphs.

Dated 28 April 2006

M H Kelsall
Chairman - AUASB

 


AUDITING STANDARD ASA 402

Audit Considerations Relating to Entities Using Service Organisations

Application

1 This Auditing Standard applies to:

(a) an audit of a financial report for a financial year, or an audit of a financial report for a half-year, in accordance with Part 2M.3 of the Corporations Act 2001; and

(b) an audit of a financial report for any other purpose.

2 This Auditing Standard also applies, as appropriate, to an audit of other financial information.

Operative Date

3                    This Auditing Standard is operative for financial reporting periods commencing on or after 1 July 2006.

Introduction

4                     The purpose of this Auditing Standard is to establish mandatory requirements and to provide explanatory guidance to an auditor where the entity uses a service organisation(s). This Auditing Standard also describes the service organisation auditor’s reports which may be obtained by the entity’s auditors. In certain cases, the service organisation may, in turn, use the services of another service organisation(s) (sub-service organisation). Although this Auditing Standard does not specifically refer to a sub-service organisation, it applies to the services provided by the sub-service organisation.

5                    The auditor shall consider how an entity’s use of a service organisation affects the entity’s internal control so as to identify and assess the risk of material misstatement and to design and perform further audit procedures.

6                     An entity may use a service organisation such as one that executes transactions and maintains related accountability, or records transactions and processes related data (for example, a computer systems service organisation). If the entity uses a service organisation, certain policies, procedures and records maintained by the service organisation may be relevant to the audit of the financial report of the entity.

Considerations of the Auditor

7                     A service organisation may establish and execute policies and procedures that affect the entity’s internal control. These policies and procedures are physically and operationally separate from the entity. When the services provided by the service organisation are limited to recording and processing the entity’s transactions and the entity retains authorisation and maintenance of accountability, the entity may be able to implement effective policies and procedures within its organisation. When the service organisation executes the entity’s transactions and maintains accountability, the entity may deem it necessary to rely on policies and procedures at the service organisation.

8                     An auditor appointed to provide an opinion on an entity’s financial report may also have additional statutory or regulatory responsibilities, which may be affected by the entity’s use of a service organisation. For example, sections 307(c) and 307(d) of the Corporations Act 2001 require the auditor to form an opinion on whether the entity has kept proper financial records, and other records and registers as required by that Act.

9                    In obtaining an understanding of the entity and its environment, the auditor shall determine the significance of service organisation activities to the entity and the relevance to the audit.

10                  In doing so, the auditor ordinarily obtains an understanding of the following, as appropriate:

· the nature of the services provided by the service organisation;

· the terms of contract and relationship between the entity and the service organisation;

· the extent to which the entity’s internal control interacts with the systems at the service organisation;

· the entity’s internal control relevant to the service organisation activities such as:

    - those that are applied to the transactions processed by the service organisation; and

    - how the entity identifies and manages risks related to use of the service organisation;

· the service organisation’s capability and financial strength, including the possible effect of the failure of the service organisation on the entity;

· information about the service organisation such as that reflected in user and technical manuals; and

· information available on controls relevant to the service organisation’s information systems such as general IT controls and application controls.

11                  The auditor would ordinarily consider the existence of third-party reports from service organisation auditors, internal auditors, or regulatory agencies as a means of obtaining information about the internal control of the service organisation and about its operation and effectiveness. When the auditor intends to use work of the internal auditor, ASA 610 Considering the Work of Internal Audit provides mandatory requirements and explanatory guidance on evaluating the adequacy of the internal auditor’s work for the auditor’s purposes.

12                  The understanding obtained may lead the auditor to decide that the control risk assessment of the risk of material misstatement will not be affected by controls at the service organisation; if so, further consideration of this Auditing Standard is unnecessary.

13                 If the auditor concludes that the activities of the service organisation are significant to the entity and relevant to the audit, the auditor shall obtain a sufficient understanding of the entity and its environment, including its internal control, to identify and assess the risks of material misstatement and design further audit procedures in response to the assessed risk.

14                  Under ASA 315 Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, the auditor needs to assess the risks of material misstatement at the financial report level and at the assertion level for classes of transactions, account balances and disclosures. Under ASA 330 The Auditor’s Procedures in Response to Assessed Risks, the auditor needs to determine overall responses to assessed risks at the financial report level, and to design and perform further audit procedures to respond to assessed risks at the assertion level, in order to reduce audit risk to an acceptably low level.

15                  If the understanding of the entity and its environment obtained is insufficient to identify and assess risks and design further audit procedures, the auditor ordinarily considers the need to request the service organisation to have its auditor perform such risk assessment procedures to supply the necessary information, or the need to visit the service organisation to obtain the information. An auditor wishing to visit a service organisation may advise the entity to request the service organisation to give the auditor access to the necessary information.

16                  The auditor may be able to obtain a sufficient understanding of internal control affected by the service organisation by reading the third-party report of the service organisation auditor. In addition, when assessing the risks of material misstatement, for assertions affected by the service organisation’s internal controls, the auditor may also use the service organisation auditor’s report.

17                 If the auditor uses the report of a service organisation auditor, the auditor shall consider the professional competence of that auditor in the context of the specific assignment undertaken by the service organisation auditor.

18                  Under ASA 330, the auditor needs to obtain audit evidence about the operating effectiveness of controls when the auditor’s risk assessment includes an expectation of the operating effectiveness of the service organisation’s controls or when substantive procedures alone do not provide sufficient appropriate audit evidence at the assertion level. The auditor may also conclude that it would be efficient to obtain audit evidence from tests of controls. Audit evidence about the operating effectiveness of controls may be obtained by the following:

· performing tests of the entity’s controls over activities of the service organisation;

· obtaining a service organisation auditor’s report that expresses an opinion as to the operating effectiveness of the service organisation’s internal control for the service organisation activities relevant to the audit; and/or

· visiting the service organisation and performing tests of controls.


Service Organisation Auditor’s Reports

19                 When using a service organisation auditor’s report, the auditor shall consider the nature of and content of that report.

20                  The report of the service organisation auditor will ordinarily be one of two types as follows:

Type A — Report on the Design and Implementation of Internal Control

(a) a description of the service organisation’s internal control, ordinarily prepared by the management of the service organisation; and

(b) an opinion by the service organisation auditor that:

    (i) the above description is accurate;

    (ii) the internal controls are suitably designed to achieve their stated objectives; and

    (iii) the internal controls have been implemented.

Type B — Report on the Design, Implementation and Operating Effectiveness of Internal Control

(a) a description of the service organisation’s internal control, ordinarily prepared by the management of the service organisation; and

(b) an opinion by the service organisation auditor that:

    (i) the above description is accurate;

    (ii) the internal controls are suitably designed to achieve their stated objectives;

    (iii) the internal controls have been implemented; and

    (iv) the internal controls are operating effectively based on the results from the tests of controls. In addition to the opinion on operating effectiveness, the service organisation auditor would ordinarily identify the tests of controls performed and related results.

The report of the service organisation auditor will ordinarily contain restrictions as to its use (generally to management, the service organisation and its customers, and the entity’s auditors).

21                 The auditor shall consider the scope of work performed by the service organisation auditor and shall evaluate the usefulness and appropriateness of reports issued by the service organisation auditor.

22                  Type A reports may be useful to the auditor in obtaining an understanding of internal control. However, under paragraph 21 of this Auditing Standard, the auditor needs to disregard such reports as audit evidence about the operating effectiveness of controls.

23                  In contrast, Type B reports may provide such audit evidence since tests of control have been performed. When a Type B report is to be used as audit evidence about operating effectiveness of controls, under paragraph 21 of this Auditing Standard, the auditor needs to consider whether the controls tested by the service organisation auditor are relevant to the entity’s transactions, account balances, and disclosures, and related assertions, and whether the service organisation auditor’s tests of control and the results are adequate (for example, the auditor considers the length of the period covered by the service organisation auditor’s tests and the time since the performance of those tests).

24                 For those specific tests of control and results that are relevant, the auditor shall consider whether the nature, timing and extent of such tests provide sufficient appropriate audit evidence about the operating effectiveness of the internal control to support the auditor’s assessed risks of material misstatement.

25                  In circumstances where the auditor concludes that the work of the service organisation auditor cannot be used, and the auditor has been unable to obtain sufficient appropriate audit evidence about the operating effectiveness of the internal control to support the auditor’s assessed risks of material misstatement, the auditor may conclude that a limitation on the scope of the auditor’s work exists. ASA 701 Modifications to the Auditor’s Report, provides mandatory requirements and explanatory guidance in relation to circumstances where a limitation on the scope of the auditor’s work exists.

26                  The auditor of a service organisation may be engaged to perform substantive procedures that are of use to the entity’s auditor. Such engagements may involve the performance of procedures agreed upon by the entity and its auditor and by the service organisation and its auditor.

27                 When the auditor uses a report from the auditor of a service organisation, no reference shall be made in the entity’s auditor’s report to the auditor’s report on the service organisation.

Conformity with International Standards on Auditing

28                  Except as noted below, this Auditing Standard conforms with International Standard on Auditing ISA 402 Audit Considerations Relating to Entities Using Service Organizations, issued by the International Auditing and Assurance Standards Board of the International Federation of Accountants. The main differences between this Auditing Standard and ISA 402 are:

· This Auditing Standard applies to sub-service organisations, whereas ISA 402 does not (paragraph 4).

· This Auditing Standard contains a mandatory requirement for the auditor to consider the professional competence of the service organisation auditor, where the auditor uses the report of that auditor, in the context of the specific assignment undertaken by the service organisation auditor (paragraph 17). Where the auditor uses the report of a service organisation auditor, ISA 402 requires the auditor to consider making enquiries concerning the auditor’s professional competence in the context of the specific assignment undertaken by the service organisation auditor.

· This Auditing Standard contains explanatory guidance relating to circumstances where the auditor concludes that the work of the service organisation cannot be used, and the auditor has been unable to obtain sufficient appropriate audit evidence about the operating effectiveness of the internal control to support the auditor’s assessed risks of material misstatement, whereas, ISA 402 does not (paragraph 25).

Compliance with this Auditing Standard enables compliance with ISA 402.