Page 180 - Internal Auditing Standards
P. 180

Guide to Using International Standards on Auditing in the Audits of Small- and Medium-Sized Entities Volume 1—Core Concepts






            Paragraph #           Relevant Extracts from ISAs
            402.8                 (d)  Service auditor—An auditor who, at the request of the service organization, provides an
            (continued)              assurance report on the controls of a service organization.
                                  (e)  Service organization—A third-party organization (or segment of a third-party
                                     organization) that provides services to user entities that are part of those entities’
                                     information systems relevant to fi nancial reporting.
                                  (f)  Service organization’s system—The policies and procedures designed, implemented and
                                     maintained by the service organization to provide user entities with the services covered
                                     by the service auditor’s report.
                                  (g)  Subservice organization—A service organization used by another service organization to
                                     perform some of the services provided to user entities that are part of those user entities’
                                     information systems relevant to fi nancial reporting.
                                  (h)  User auditor—An auditor who audits and reports on the financial statements of a user entity.


                                  (i)  User entity—An entity that uses a service organization and whose financial statements are
                                     being audited.



        Many entities (including very small ones) often outsource certain financial processing activities such as:

        •     Payroll;

        •     Internet sales;
        •     IT services;

        •     Asset management (inventory warehousing, investments, etc.); and
        •     Bookkeeping services.  This would include processing of transactions, maintaining accounting records,

              and preparing financial statements.

        These third-party organizations (providing services relevant to financial reporting) are referred to as “service
        organizations.”


        Where service organizations are used, the auditor needs to consider the effect of such arrangements on the
        entity’s internal control. This includes:
        •     Obtaining sufficient information to assess the risks of material misstatement; and


        •     Designing an appropriate response.

        In smaller entities, the outsourced services may well be important to the ongoing operation of the entity,

        but may not be relevant to the audit. This would occur where there are sufficient internal controls within the

        entity to address the risks of material misstatement, or where substantive audit procedures can be performed
        to address the identifi ed risks.


           CONSIDER POINT
           Using a service organization to prepare financial statements does not relieve management (and those

           charged with governance) of their responsibilities for the fi nancial statements.









   178
   175   176   177   178   179   180   181   182   183   184   185