Guide to Using International Standards on Auditing in - IFAC

17.03.2014 Views
178 ong>Guideong> ong>toong> ong>Usingong> ong>Internationalong> ong>Standardsong> on Auditing in the Audits of Small- and Medium-Sized Entities Volume 1—Core Concepts Paragraph # 402.8 (continued) Relevant Extracts from ISAs (d) Service audiong>toong>r—An audiong>toong>r who, at the request of the service organization, provides an assurance report on the controls of a service organization. (e) Service organization—A third-party organization (or segment of a third-party organization) that provides services ong>toong> user entities that are part of those entities’ information systems relevant ong>toong> financial reporting. (f) Service organization’s system—The policies and procedures designed, implemented and maintained by the service organization ong>toong> provide user entities with the services covered by the service audiong>toong>r’s report. (g) Subservice organization—A service organization used by another service organization ong>toong> perform some of the services provided ong>toong> user entities that are part of those user entities’ information systems relevant ong>toong> financial reporting. (h) User audiong>toong>r—An audiong>toong>r who audits and reports on the financial statements of a user entity. (i) User entity—An entity that uses a service organization and whose financial statements are being audited. Many entities (including very small ones) often outsource certain financial processing activities such as: • Payroll; • Internet sales; • IT services; • Asset management (invenong>toong>ry warehousing, investments, etc.); and • Bookkeeping services. This would include processing of transactions, maintaining accounting records, and preparing financial statements. These third-party organizations (providing services relevant ong>toong> financial reporting) are referred ong>toong> as “service organizations.” Where service organizations are used, the audiong>toong>r needs ong>toong> consider the effect of such arrangements on the entity’s internal control. This includes: • Obtaining sufficient information ong>toong> assess the risks of material misstatement; and • Designing an appropriate response. In smaller entities, the outsourced services may well be important ong>toong> the ongoing operation of the entity, but may not be relevant ong>toong> the audit. This would occur where there are sufficient internal controls within the entity ong>toong> address the risks of material misstatement, or where substantive audit procedures can be performed ong>toong> address the identified risks. CONSIDER POINT ong>Usingong> a service organization ong>toong> prepare financial statements does not relieve management (and those charged with governance) of their responsibilities for the financial statements.

179 ong>Guideong> ong>toong> ong>Usingong> ong>Internationalong> ong>Standardsong> on Auditing in the Audits of Small- and Medium-Sized Entities Volume 1—Core Concepts There are two types of reports that service organizations can provide ong>toong> their users: • Type 1 reports — description and design of controls at a service organization These reports provide evidence about the design and implementation of controls, but not their operating effectiveness. Such reports may be informative, but are of limited use ong>toong> the audiong>toong>r in understanding whether the key controls at the service organization operated effectively during the period being audited. • Type 2 reports — description, design, and operating effectiveness of controls These reports can be used by the audiong>toong>r ong>toong> consider whether: – The controls tested by the service organization audiong>toong>r are relevant ong>toong> the entity’s transactions, account balances, disclosures, and related assertions, and – The service organization audiong>toong>r’s tests of controls and the results are adequate (i.e., the length of the period covered by the service organization audiong>toong>r’s tests, and the time elapsed since the performance of those tests). Risk Assessment Paragraph # Relevant Extracts from ISAs 402.9 When obtaining an understanding of the user entity in accordance with ISA 315, the user audiong>toong>r shall obtain an understanding of how a user entity uses the services of a service organization in the user entity’s operations, including: (Ref: Para. A1-A2) (a) The nature of the services provided by the service organization and the significance of those services ong>toong> the user entity, including the effect thereof on the user entity’s internal control; (Ref: Para. A3-A5) (b) The nature and materiality of the transactions processed or accounts or financial reporting processes affected by the service organization; (Ref: Para. A6) (c) The degree of interaction between the activities of the service organization and those of the user entity; and (Ref: Para. A7) (d) The nature of the relationship between the user entity and the service organization, including the relevant contractual terms for the activities undertaken by the service organization. (Ref: Para. A8-A11) 402.10 When obtaining an understanding of internal control relevant ong>toong> the audit in accordance with ISA 315, the user audiong>toong>r shall evaluate the design and implementation of relevant controls at the user entity that relate ong>toong> the services provided by the service organization, including those that are applied ong>toong> the transactions processed by the service organization. (Ref: Para. A12-A14) 402.11 The user audiong>toong>r shall determine whether a sufficient understanding of the nature and significance of the services provided by the service organization and their effect on the user entity’s internal control relevant ong>toong> the audit has been obtained ong>toong> provide a basis for the identification and assessment of risks of material misstatement. 402.12 If the user audiong>toong>r is unable ong>toong> obtain a sufficient understanding from the user entity, the user audiong>toong>r shall obtain that understanding from one or more of the following procedures: (a) Obtaining a type 1 or type 2 report, if available; (b) Contacting the service organization, through the user entity, ong>toong> obtain specific information; (c) Visiting the service organization and performing procedures that will provide the necessary information about the relevant controls at the service organization; or (d) ong>Usingong> another audiong>toong>r ong>toong> perform procedures that will provide the necessary information about the relevant controls at the service organization. (Ref: Para. A15-A20)

Page 1 and 2: Guide to</

Page 3 and 4: 3 Guide to


Page 7 and 8: Disclaimer This Guide</stro


Page 11 and 12: 11 Guide t

Page 13 and 14: 13 2. Clarified ISAs In March 2009,



Page 19 and 20: Volume 1 Core Concepts
















Page 51 and 52: 51 5. Internal Control — Purpose













Page 77 and 78: 77 6. Financial Statement Assertion












Page 101 and 102: 101 Guide







Page 115 and 116: 115 10. Further Audit Procedures Ch















Page 145 and 146: 145 12. Related Parties Chapter Con








Page 161 and 162: 161 14. Going Concern Chapter Conte





Page 171 and 172: 171 15. Summary of Other ISA Requir



Page 177: 177 Guide













Page 205 and 206: 205 16. Audit Documentation Chapter
















audit

auditor

procedures

statements

controls

relevant

entities

auditing

volume

audits

ifac

www.kacr.cz

Guide to Using International Standards on Auditing in - IFAC

Guide to Using International Standards on Auditing in - IFAC ... View more Guide to Using International Standards on Auditing in - IFAC

Delete template?

Save as template ?

Guide to Using International Standards on Auditing in - IFAC Guide to Using International Standards on Auditing in - IFAC