Audit evidence considerations when an entity uses a service organisation
Proposed Statement of Auditing Standards issued by the Auditing Practices Board
Comments from the Association of Chartered Certified Accountants
General
1. The Association of Chartered Certified Accountants (ACCA) is pleased to have the opportunity to comment on the Exposure Draft Statement of Auditing Standards 480, Audit evidence considerations when an entity uses a service organisation.
2. This is the first time that the Auditing Practices Board (APB) has used a questionnaire to elicit views on specific issues. We have used the questionnaire as the framework for our comments, although we did not find the subject matter really susceptible to the 'opinion survey' approach of stating whether we agreed or disagreed "strongly" or just moderately with the proposals in the Exposure Draft.
Status of the document
3. Paragraph 37 in the Preface points out that the impact of outsourcing on the audit environment, and practical issues which may arise, can be difficult to predict. The variety of activity is enormous, so that it is difficult to cover the issues satisfactorily in a single document. In addition, we are concerned that there is much useful material in the Preface to the Exposure Draft, which will, presumably, be lost when the document is published as a Statement of Auditing Standards (SAS). What we have in mind in particular is the discussion under the 'Issues' headings in paragraphs 11 to 37. We recommend, therefore, that a Practice Note be issued as soon as possible, to supplement the SAS with practical guidance on the different types of outsourcing which the auditor might encounter. Such a Practice Note should also include material from the Preface to the Exposure Draft. An alternative to a Practice Note would be to include additional material in an appendix to the SAS.
Small entities
4. We are concerned that the guidance for auditors of smaller entities such as charities and pension schemes may be inadequate. Proposed SAS 480.3 requires auditors to obtain an understanding of the way that the user entity monitors the outsourced activities so as to ensure that it meets its fiduciary and other legal responsibilities. SAS 480.6 requires auditors to assess whether the necessary audit evidence is available from the records held at the user entity and, if not, to determine procedures to obtain such evidence either by direct access to records kept by service organisations or through information obtained from the service organisations or their auditors. Auditors of small pension schemes may consider that the material in paragraph 38, in particular, is more appropriate for large than small entities, and that trustees are unlikely to be able to implement the sort of controls over service organisations envisaged by the draft SAS.
5. In practice, investment managers, for example, are unlikely to afford direct access to every auditor of what could be a very large number of individual user schemes. Paragraph 38(f) could, therefore, usefully include a reference to statement AUDIT 4/97 issued by the Audit Faculty of the Institute of Chartered Accountants in England and Wales, entitled Reports on internal controls made available to third parties. This document provides a common format for reports which may provide the evidence needed by the auditor to support auditor reliance on the assertions made by the investment manager. In the absence of such a report, the auditor may not consider it safe to place reliance on the integrity and reputation of the investment manager, since the only evidence concerning transactions undertaken and closing investment assets at the year end will be the user entity's record of the original instruction and transfer of funds to the manager, and a year end certificate.
Other points 6. We consider that more authoritative guidance on the content of internal control certificates from service organisations, such as investment custodians, would be useful. We are aware, however, that APB's paper on providing assurance on internal control is still at consultation stage, so there is no suitable material to which the SAS could be cross-referenced. In the absence of such material, we recommend that an appendix, with an outline of points for inclusion in an internal control certificate, could be added to the SAS.
7. We should like to see more guidance on the audit of those entities which outsource a substantial part of their activities. Where the directors of such companies are required under the Cadbury Code to report on their systems of internal control, it follows that they should be able to report on the systems they have established to control relevant operations undertaken by those service organisations whose activities are significant to the achievement of their goals.
8. The main outsourced activities envisaged in the proposed SAS are investment manager/custodian services, and accounting. The SAS might be clearer if the two types of activity were dealt with separately: paragraphs 26 to 29 are headed 'Accounting records', but this is the only stage at which separate considerations are set out for a particular outsourced activity. The sections on designing audit procedures and obtaining audit evidence are intended to cover any outsourced activities relevant to the external audit, and this detracts from the clarity of the guidance. A Practice Note, as suggested in paragraph 3 above, could give detailed guidance on practical approaches to different types of outsourced activity, enabling more general headings to be used in the SAS itself.
9. We recommend that consideration be given to audit procedures (including cut-off tests) to be adopted where the user entity first outsources part or all of its accounting function in the course of the accounting period.
Response to questionnaire
Question 1: Do you consider that activities which relate directly to the preparation of financial statements (or major items within them) provide the right focus for the detailed requirements of the SAS?
We agree that this is the right focus.
We might, however, query the definition of "relevant activities" in paragraph 9 of the draft. A rather broader definition is implied in paragraph 14, which refers to service organisations "undertaking or making arrangements for transactions as agent of the user entity". For some entities or sectors, key non-accounting activities may be outsourced; for example, local authorities or charities may use other organisations to provide services on their behalf. Failure to ensure that such services are carried out in accordance with statutory or similar obligations could be fundamental to the user entity's ability to continue its activities. We consider that the definition of 'relevant activities' needs to be wider than in the current paper, to go beyond activities which relate directly to the preparation of the user entity's financial statements or the reporting of matters therein.
Question 2: Do you agree that information contained in returns from service organisations may only be regarded as providing sufficient appropriate evidence for audit purposes if it confirms, or is confirmed by, other independently produced information?
On balance we agree that this requirement is acceptable, provided that it is made clear that "independently produced information" means information produced independently of that contained in returns from the service organisation, and so can include the user entity's own records, for example. An example of independently produced information in relation to a bank certificate would be a client's own cash book - there can be no question of third party verification being needed as well. The text contained in the Preface on 'independent' verification of information supplied by service organisations is quite helpful on this point: we suggest that the material should either be transferred to the main text, or included in a separate Practice Note.
Question 3a: Do you agree that when a service organisation is responsible for activities involving preparation of a user entity's accounting records (i) direct inspection of records maintained by the service organisation is necessary when the service organisation maintains all the user entity's accounting records; and
(ii) when the records maintained by the service organisation relate only to a discrete area of the user entity's accounting records, the need for direct inspection of those records should be determined by the auditors in the light of their assessment of inherent risk in that area and the nature of evidence available at the user entity?
We agree with the principles outlined in this part. Auditors of companies and most other entities are required by law to consider whether proper accounting records have been kept by the entity under audit. It is unlikely to be possible for the auditor to conclude that records have been kept in accordance with applicable legislation without inspecting them at first hand. On the other hand, there may in practice be few instances where all the accounting records are maintained by a service organisation, except for some small entities where the accounting records are maintained by the auditor, so that this requirement may not be as onerous as would at first appear.
Where the client entity outsources only part of its accounting function, for example, the maintenance of plant register/leasing arrangements, or the credit control function, it may be appropriate for the auditor to consider the risk inherent to the particular class of transactions, and whether the user entity's own accounting records can be relied on to corroborate the information provided by the service organisation.
Question 3b: Do you consider that the SAS should require any further steps to be undertaken to determine whether the user entity's accounting records meet relevant legal requirements?
Paragraphs 17 to 20 provide guidance on this point which appears to strike the appropriate balance. We do not consider that any further steps should be required.
Question 4: Do you agree that auditors of user entities should not always be required to obtain an understanding of the service organisation's accounting and internal control systems?
We agree that there should not be a universal requirement for auditors to obtain an understanding of the service organisation's accounting and internal control systems. However, the auditors of the user entity may have to consider the service organisation's systems if their client has not established its own monitoring and control procedures - for example if the user is a much smaller entity than the service organisation. One factor in the need for auditors to obtain an understanding of the service organisation's systems may be the strength of evidence from other sources: it is not, after all, considered necessary for auditors to ascertain the control systems operated by their clients' bankers.
Question 5a: Do you support the view that auditors of a user entity can obtain valuable audit evidence from a controls report provided that (i) the report provides independent evidence concerning the operation of controls by the service organisation and
(ii) the work undertaken is sufficient to give reasonable assurance that the systems would prevent and detect misstatements that are material from the perspective of the user entity's financial statements?
We support this view. If a report given by the service organisation's auditors provided reasonable assurance that the systems would prevent or minimise misstatements which were material from the user entity auditor's point of view, the evidence would be useful. The usefulness of a controls report may depend on the nature of the service provided and the relevant controls: the system may be such that materiality is not a consideration.
Question 5b: If user entity auditors propose to rely on evidence from a controls report that does not cover the operation of controls over all of the user entity's financial year, do you support the view that
(i) the SAS should not prescribe a maximum acceptable gap between the period covered by the report and the user entity's financial year
(ii) auditors need to carry out additional procedures to determine whether such reliance is justified, taking into account the length of the gap? We support this view. If the user entity auditor considers a controls report to be useful, it follows that the report will need to cover the period of the financial statements audit, or otherwise be supplemented by other procedures. It would be helpful if the SAS were to suggest ways in which procedures might be adapted to cover a 'gap' period in respect of a controls report provided by a service organisation.
If APB accept our recommendation that a Practice Note be developed to provide more detailed, practical guidance on audit issues arising from outsourcing, further consideration could be given in that document as to what might constitute a maximum acceptable gap.
Question 6: Do you support the approach taken in the SAS to determining the extent to which regulation of a service organisation affects the auditors' work? We support the approach. This is another instance (see comments on question 2 above) where the Preface contains material which would be useful in the final document itself, or in a supplementary publication. Paragraph 32 of the Preface suggests that regulation of the service organisation is not in itself a factor on which auditors can rely in order to eliminate the need to obtain independent evidence.
Question 7: Do you agree that the existence of an indemnity is not directly relevant to the auditors' assessment of risk in relation to financial statement assertions?
We agree, although the relevance of an indemnity to the assessment of risk in an audit depends on the type of service provided. In the case of outsourced accountancy services, the indemnity is not directly relevant. In the case of assets held - e.g. by an investment custodian - the effect of the indemnity would be to replace any asset lost, so would, presumably, give the auditors a degree of assurance as to the existence of an asset of equal value in the event that the asset held was lost.
Question 8: Do you consider that there are any practical issues concerning implementation of the proposed SAS which the APB should take into account before its requirements are brought into force?
We do not consider that there are any further practical issues which need to be considered in the SAS itself. We do consider, however, that there is a need for further, more detailed guidance on the audit considerations arising from the many different ways in which outsourcing is operated, and that a Practice Note would be the appropriate vehicle for this guidance.