Page 184 - Internal Auditing Standards
P. 184
Guide to Using International Standards on Auditing in the Audits of Small- and Medium-Sized Entities Volume 1—Core Concepts
Paragraph # Relevant Extracts from ISAs
402.19 The user auditor shall inquire of management of the user entity whether the service
organization has reported to the user entity, or whether the user entity is otherwise aware of,
any fraud, non-compliance with laws and regulations or uncorrected misstatements aff ecting
the financial statements of the user entity. The user auditor shall evaluate how such matters
affect the nature, timing and extent of the user auditor’s further audit procedures, including
the effect on the user auditor’s conclusions and user auditor’s report. (Ref: Para. A41)
In responding to the assessed risks, the auditor would consider the following matters.
Exhibit 15.3-3
Address Description
Can Necessary If yes, obtain sufficient appropriate audit evidence concerning the relevant fi nancial
Evidence Be statement assertions involved.
Obtained from
within Entity? If no, perform additional procedures to obtain evidence, such as using another auditor
to perform procedures at the service organization on the user auditor’s behalf.
Determine Extent • Consider the auditor’s professional competence and independence and
of Reliance That adequacy of standards under which the report was issued;
Can Be Placed on • Evaluate whether the description and design of controls at the service organization
the Type 1 or Type is at a date or for a period that is appropriate for the user auditor’s purposes;
2 Report
• Evaluate the sufficiency and appropriateness of the evidence provided by the report
for the understanding of the user entity’s internal control relevant to the audit; and
• Determine whether complementary user-entity controls identified by the service
organization are relevant to the user entity and, if so, obtain an understanding of
whether the user entity has designed and implemented such controls.
Note that a type 1 report provides no evidence that the internal controls at the
service organization operated effectively over a period of time. If a type 2 report is
not available, it may be necessary for the auditor to perform tests of controls at the
service organization, or use another auditor to perform such tests.
Testing User Where possible, obtain sufficient appropriate audit evidence concerning the relevant
Records and financial statement assertions from the records held by the user entity.
Controls
Obtaining Audit If user records are not sufficient, obtain audit evidence about the operating
Evidence from effectiveness of controls at the service organization by:
the Service
Organization • Obtaining a type 2 report, if available;
• Performing appropriate tests of controls at the service organization; or
• Using another auditor to perform tests of controls at the service organization on
behalf of the user auditor.
Making Inquiries Inquire of management whether they have become aware (or received notice from
about Signifi cant the service organization) of any fraud, non-compliance with laws and regulations, or
Events (Fraud, etc.) uncorrected misstatements that could affect the fi nancial statements.
182
