Page 182 - Internal Auditing Standards
P. 182

Guide to Using International Standards on Auditing in the Audits of Small- and Medium-Sized Entities Volume 1—Core Concepts




        Where service organizations are used, the auditor would consider the matters set out in the exhibit below.

        Exhibit 15.3-2

         Address               Description

         What Services         •    Identify:
         (Relevant to               –     The nature of services provided,
         the Audit) are
         Provided?                  –     Materiality of transactions processed, and

                                    –     Accounts or financial reporting processes aff ected.
                               •    Review the terms of the contract or service-level agreement between the user
                                    entity and the service organization.
                               •    Determine the degree of interaction (activities) between the service
                                    organization and the entity.
                               •    Review reports by service organizations, service auditors (including
                                    management letters), internal auditors, or regulatory authorities on controls at
                                    the service organization.
         What Relevant         •    Are the controls at the service organization relevant to the audit?  If no, a
         Internal Controls          substantive approach is sufficient. If yes, the auditor must get comfort that


         are in Place?              the controls at the service organization are appropriately designed and
                                    implemented.
                               •    Are there controls established by the user (that could be tested) that mitigate
                                    material-processing risks, regardless of controls at the service organization? For
                                    example, user controls over payroll could include:
                                    –     Comparing data submitted to the service organization with reports from
                                          the service organization after data processing,
                                    –     Re-computing a sample of the payroll amounts for clerical accuracy, and
                                    –     Reviewing the total amount of the payroll for reasonableness.
         Extent of Reliance    •    Obtain any type 1 or type 2 reports available. Contracts with service
         Placed on Controls         organizations often include the provision of such reports;
         in Place at Service   •    Contact the service organization to obtain specifi c information;
         Organization?
                               •    Visit the service organization and perform required procedures; or

                               •    Use another auditor to perform required procedures.




           CONSIDER POINT

           Check the wording of service organization reports for possible restrictions as to use. Such restrictions
           can apply to management, the service organization and its customers, and the entity’s auditors.















   180
   177   178   179   180   181   182   183   184   185   186   187