ISA 402, Audit Considerations Relating to an Entity Using a Third Party Service Organization

Proposed revised and redrafted International Standard on Auditing issued for comment by the International Auditing and Assurance Standards Board of the International Federation of Accountants

Comments from ACCA
April 2008

Executive Summary

ACCA welcomes the opportunity to comment on the proposed International Standard on Auditing ISA 402 (Revised and Redrafted) Audit Considerations Relating to an Entity Using a Third Party Service Organization (proposed ISA 402), issued for comment by the International Auditing and Assurance Standards Board (IAASB) of the International Federation of Accountants.

We are concerned that the overall approach of proposed ISA 402 is out of step with the way audits of smaller entities are generally conducted. This, coupled with the absence of specific guidance on the special considerations in the audit of smaller entities using service organisations, leads us to believe that a disproportionate cost burden would be placed on such audits.

In response to a specific question from the IAASB, we conclude that proposed ISA 402 could provide useful guidance where an entity uses a shared service center. We express concern, however, that auditors should not be expected to tailor its requirements to such circumstances.

We welcome the exclusion of requirements that would have made proposed ISA 402 applicable whether or not a service organisation was used, but suggest that the Scope section should restrict application to where the activities of the service organisation are significant to the entity and relevant to the audit.

We recommend a better alignment of the objectives to the requirements: to recognise that the latter include audit work in response to assessed risks.

General Comments

Overall approach and smaller entities

In the section of this response headed Scope , we comment on the need to restrict the application of proposed ISA 402 to circumstances where the use of a service organisation is significant to the entity and relevant to the audit.

Even if that were to be done, we would remain concerned that the overall approach of proposed ISA 402 is out of step with the way audits of smaller entities are generally conducted. This, coupled with the absence of specific guidance relevant to the audit of smaller entities, leads us to believe that a disproportionate cost burden would be placed on such audits.

Where a smaller entity uses a small service organisation, it is very unlikely that Type A or B reports would be available. Where a large service organisation is used, the cost of a Type A or B report can be as much as all the other costs of the audit. A large service organisation typically does not welcome auditors of smaller entities. Such auditors may, in any case, have to employ experts in order to make proper inquiries about, for example service organisation information security.

In practice, management of a smaller entity using a service organisation (for example to manage a payroll service) relies on several factors to provide it with comfort that the service organisation's operation is reliable. In addition to formal controls - such as reconciling reports to data submitted - these include:

Experience from before (and after) the financial reporting period
Informal press monitoring for reports of difficulties at the service organisation
'Word of mouth' - perhaps from the party recommending the service organisation, or the auditor which may have several clients using the same organisation
Employee and personal experience of receiving payroll payments and documentation
The fact that the tax authorities will 'monitor' the service organisation

A contract with a service organisation will normally included commitments on service levels and a smaller entity can expect compensation if there are any serious shortcomings. Such compensation would be applied against any related misstatements that affect the financial statements.

ISA 315 (Redrafted) Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment (ISA 315) contains extensive guidance on considerations specific to smaller entities that could be considered for inclusion in proposed ISA 402 where particularly relevant to the use of a service organisation. In addition, we suggest that for smaller entities management takes into account factors in addition to those listed in paragraph A12. This, taken together with the fact that the use of a report from the service auditor may not be practicable, argues strongly that material should be included to recognise that it will be rare for auditors of smaller entities to find the requirements in paragraphs 12 through 17 relevant.

Matters on which Specific Comments are Requested

In this section of our response we address the issues identified for specific comment in the Explanatory Memorandum forming part of the Exposure Draft.

Adaptation of proposed ISA 402 for shared Service centers

The practical differences between a third party service organisation and a shared service center could be few, for example if a one component receives services from another component audited by a separate auditor. Conversely, if one auditor is involved throughout, the differences may be substantial. We consider that proposed ISA 402 may, nevertheless, provide useful guidance where an entity uses a shared service center.

We are concerned, however, with the possible effect of the wording in the Scope section that proposed ISA 402 '... may also be applicable, adapted as necessary in the circumstances, to situations where an entity uses a shared service center which provides services to a group of related entities.'

It should be made clear that proposed ISA 402 does not apply in such circumstances. If this is not done, there is a risk that auditors will be expected to have regard to the objective of proposed ISA 402 and to adapt its requirements to the circumstances of a shared service center.

Changes made to Enhance the Clarity of Proposed ISA 402

Scope

We are pleased to note¹ that the Scope section restricts the application of proposed ISA 402 to circumstances '... when an entity uses one or more third party service organizations.'

We remain concerned, however, that proposed ISA 402 shifts too much audit emphasis onto the use of third party service organisations. As a consequence, audit effort will be diverted into complying with its requirements in circumstances where the activities of the service organisation are neither significant to the audited entity nor relevant to the audit. This will impose a considerable cost burden which will fall disproportionately on audits of smaller entities.

Extant ISA 402 (which already incorporates conforming amendments resulting from the 'risk assessment standards' ) incorporates an important condition precedent such that obtaining an understanding of the service organisation is only necessary 'If the auditor concludes that the activities of the service organisation are significant to the entity and relevant to the audit.'²

We recommend reintroducing this so as to restrict the application of proposed ISA 402 to circumstances where the use of a third party service organisation is significant to the entity and relevant to the audit.³

Objective

In conformity with our comment under the heading Scope immediately above, we recommend altering the objective to refer to when the use of a service organisation is significant to the entity and relevant to the audit, as follows:

'The objective of the auditor, when the entity's use of a [third party]⁴ service organization is significant to the entity and relevant to the audit, is to obtain an understanding of the nature and significance of the services provided and their effect on the user entity's internal control relevant to the audit sufficient to identify, assess and respond to the risks of material misstatement.'

The requirement in paragraph 18 is not encompassed by the objective. If that requirement is retained, the objective should be altered to refer to the actual making of an appropriate response.

Requirements

Paragraphs 12 to 15

We suggest changing the order of these paragraphs so as to:

Deal with aspects affecting both Type A and Type B reports together
Present requirements for Type A reports before those for Type B

Other Matters

The Explanatory Memorandum forming part of the Exposure Draft invites comments on the following other matters:

Special considerations in the audit of small entities
Special considerations in the audit of public sector entities
Developing nations
Translation

Our response contains comments that are relevant to the above except we have not made a distinction between developing nations and others, as the audit of small entities may be present in both. We have no separate comments on public sector aspects of the proposed standard.

Our comments on the special considerations in the audit of smaller entities are made in the section of this response headed Overall approach and smaller entities .

1. The reasons for this are set out in our response of February 2008 to proposed ISA 620 Using the Work of an Auditor's Expert .

2. Paragraph 7 of extant ISA 402.

3. The wording in the Scope section of proposed ISA 402, '... when an entity uses one or more third party service organizations.' Could have the effect, where there are more than one, of applying the requirements of proposed ISA 402 to several insignificant service centers.

4. We note that the title of proposed ISA 402 refers to a 'third party service organization' while the objective (which is before the Definitions section) omits 'third party' (and the Scope section includes both forms). It would be better to avoid artificial definitions and such inconsistency by reverting to the approach in the title of extant ISA 402 (ie omit 'third party' ).

top stories