Learning Outcomes
By the end of this article, you should be able to explain how the use of service organisations affects audit risks and internal controls, identify the types of IT controls at the service provider and user entity in line with ISA 402, and describe how an external auditor obtains and evaluates evidence relating to systems outsourced to third parties. You will also understand the key responsibilities of internal audit regarding outsourced services and user controls, and be able to recommend procedures when controls or access are limited.
ACCA Audit and Assurance (AA) Syllabus
For ACCA Audit and Assurance (AA), you are required to understand how outsourcing to service organisations impacts the assessment of internal control and the auditor’s evidence gathering. In particular, this article addresses:
- The implications of using service organisations for an entity’s internal control system and audit risk. (ISA 402)
- The distinction between general IT controls, information processing controls, and user entity controls over outsourced processes.
- The sources and evaluation of audit evidence when dealing with service organisations, including reliance on service auditor reports (type 1 and 2).
- Procedures for risk assessment and audit response when access to controls or records is limited by outsourcing.
- Internal audit’s role in reviewing outsourced processes and evaluating controls.
- Procedures to communicate deficiencies and make recommendations regarding user controls.
Test Your Knowledge
Attempt these questions before reading this article. If you find some difficult or cannot remember the answers, remember to look more closely at that area during your revision.
- What are two types of reports a service auditor can provide, and what is the main difference between them?
- If key payroll processing is outsourced, what user controls should the client maintain, and why are they important?
- True or false? The external auditor can include a reference to the work of a service auditor in an unmodified auditor’s report if sufficient evidence is obtained.
- Identify one risk to the audit if the service organisation refuses auditor access to relevant records.
Introduction
Many entities outsource functions such as payroll, IT, pension management, or receivables collection to service organisations. When a key part of the accounting system lies outside the client’s direct environment, the auditor must understand not only the entity’s IT controls, but also those in operation at the service provider—and how much control remains with the user.
The audit approach under ISA 402 requires an understanding of relevant controls at both the user entity and the service organisation. Sufficient, appropriate evidence must still be obtained, even if the records are held by a third party.
Key Term: service organisation
A third-party provider contracted to process transactions or manage specific functions (such as payroll or data hosting) for an entity.
Understanding Service Organisations and the Audit of Controls
Outsourcing and Audit Risk
When a system or function is outsourced, there is a risk that:
- The user entity has decreased visibility over record-keeping, access controls, or systems changes.
- The outsourced provider might not maintain control standards required for financial reporting.
- Access to records, or testing of internal controls, may be restricted or lost.
Key Term: user controls
Internal controls maintained by the client entity to ensure completeness, accuracy, and validity of transactions processed by an external service provider.
Key Term: general IT controls
Policies and procedures relating to the overall IT environment, such as access management, change control, and data backup, which underpin application processing controls.
Key Features of Service Organisation Arrangements
The following elements must be understood by the auditor:
- Nature of the services outsourced and their impact on internal controls.
- Materiality and complexity of transactions affected.
- Extent of reliance placed by the client on the service organisation.
- Existence and effectiveness of user entity controls (e.g., review of reports, reconciliations, authorisation procedures).
When planning, auditors must assess risk and design evidence-gathering procedures accordingly.
Worked Example 1.1
Scenario: ValueForm Ltd outsources payroll processing to PaySphere, a national payroll bureau. ValueForm provides monthly input data (new joiners, hours worked), receives payroll reports and final payslips.
Question: As auditor of ValueForm, what main controls should ValueForm retain, and what evidence would you seek regarding the service organisation?
Answer:
ValueForm should reconcile payroll summaries and payslips received from PaySphere to internal records, review exception reports, and authorise payment batches. The auditor would inspect user review procedures, query access controls at PaySphere through a service auditor report, and, where evidence is limited, perform analytical procedures where possible.
Applying ISA 402: Auditor Responsibilities and Evidence
Understanding the Service Organisation
ISA 402 states that the external auditor must:
- Obtain an understanding of how a service organisation’s activities affect the user entity’s controls and accounting records.
- Assess whether these controls are relevant to the auditor’s risk assessment and design of procedures.
- Determine whether sufficient, appropriate evidence is available from the user entity, and if not, seek further evidence from the service organisation or its auditor.
Key Term: service auditor’s report
A report issued by an independent auditor on the controls (and, for Type 2, their operating effectiveness) at the service organisation, which may provide evidence for the user entity’s external auditor.
Key Term: type 1 report
Describes the design and implementation of controls at a service provider as at a point in time; does not provide assurance on operating effectiveness.
Key Term: type 2 report
Covers both design and operating effectiveness of controls at a service provider over a defined period, including results of tests performed.
Sources of Audit Evidence
The auditor may obtain evidence from:
- Reports and information prepared by the service organisation and provided to the user entity.
- A type 1 or type 2 service auditor’s report—Type 2 giving higher assurance for most purposes.
- Visiting the service organisation or using another auditor to perform specific procedures.
- Direct access to records or controls, if contractually permitted.
Where evidence from the client is insufficient, reliance on a type 2 report is common—provided the service auditor is independent and the report covers the relevant period and controls.
Worked Example 1.2
Scenario: Alcano Ltd outsources its accounts receivable ledger to EzyData Services. The external auditor reviews the year-end debtor listing generated by EzyData but finds that some entries are unclear. EzyData’s last type 2 report was issued nine months ago.
Question: What limitations exist in using this type 2 report as evidence, and what additional steps should the auditor take?
Answer:
The report may not cover the relevant accounting period, and control deficiencies since the last report would not be reported. The auditor should seek confirmation of current controls from the client, request a more up-to-date service auditor report, or consider alternative substantive procedures where possible.
User Controls: The Client’s Responsibilities
Service providers often rely on user entity controls for completeness and accuracy. Examples:
- Input validation before submitting data to the service provider.
- Review and reconciliation of reports produced by the service organisation.
- Maintaining authorisation protocols for changes or exceptions.
Lack of activity in these areas increases the risk of error or fraud passing undetected.
Worked Example 1.3
Scenario: Optimate Ltd’s pension contributions are administered by PensionCare Ltd, including investment transfers and benefit calculations. Optimate receives monthly activity statements.
Question: What should the auditor verify to assess the adequacy of user controls over pension processing?
Answer:
The auditor should check that Optimate independently reviews PensionCare’s statements for accuracy, investigates differences, and retains authority to approve material disbursements or investments.
Exam Warning
Audit reports should not reference the work of a service auditor unless relevant to a modified opinion. In unmodified reports, reliance on service auditor evidence is implicit and not mentioned.
Communication and Reporting Implications
If sufficient and appropriate audit evidence cannot be obtained (e.g., the service provider denies access and no adequate type 2 report is available), the auditor must consider modifying the audit opinion due to a limitation of scope.
If deficiencies in user controls or in the service organisation’s controls are identified, these should be reported to management and those charged with governance.
Key Term: limitation of scope
A restriction that prevents the auditor from gathering all the evidence needed to form an opinion on the financial statements.
Internal Audit and Service Organisations
The internal audit function can assess the risks associated with outsourced services, review external reports (including service auditor reports), and test user controls. Large or complex organisations may engage internal audit to perform interim reviews of outsourced systems and coordinate remedial improvements.
Summary
When clients outsource key processes to service organisations, the auditor must understand how these arrangements affect internal control, risk, and audit evidence. Evidence sources include service auditor reports (preferably type 2), user controls, and direct or third-party investigation. Where sufficient evidence cannot be gathered, the auditor may need to modify the audit opinion. Both external and internal audit functions must communicate deficiencies to management and maintain oversight of user controls.
Key Point Checklist
This article has covered the following key knowledge points:
- Define a service organisation and summarise key audit risks for outsourced systems.
- Explain the importance and examples of user controls.
- Outline general IT controls and information processing controls at service providers.
- Distinguish between type 1 and type 2 service auditor’s reports and describe their audit uses.
- Identify sources of evidence and procedures when access to controls/records is limited.
- State auditor communication and reporting requirements for control deficiencies and scope limitations.
- Describe the internal audit function’s role in monitoring outsourced arrangements and reporting on user controls.
Key Terms and Concepts
- service organisation
- user controls
- general IT controls
- service auditor’s report
- type 1 report
- type 2 report
- limitation of scope