Guide to Using International Standards on Auditing in - IFAC
Guide to Using International Standards on Auditing in - IFAC
Guide to Using International Standards on Auditing in - IFAC
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
179<br />
<str<strong>on</strong>g>Guide</str<strong>on</strong>g> <str<strong>on</strong>g>to</str<strong>on</strong>g> <str<strong>on</strong>g>Us<strong>in</strong>g</str<strong>on</strong>g> <str<strong>on</strong>g>Internati<strong>on</strong>al</str<strong>on</strong>g> <str<strong>on</strong>g>Standards</str<strong>on</strong>g> <strong>on</strong> <strong>Audit<strong>in</strong>g</strong> <strong>in</strong> the Audits of Small- and Medium-Sized Entities Volume 1—Core C<strong>on</strong>cepts<br />
There are two types of reports that service organizati<strong>on</strong>s can provide <str<strong>on</strong>g>to</str<strong>on</strong>g> their users:<br />
• Type 1 reports — descripti<strong>on</strong> and design of c<strong>on</strong>trols at a service organizati<strong>on</strong><br />
These reports provide evidence about the design and implementati<strong>on</strong> of c<strong>on</strong>trols, but not their<br />
operat<strong>in</strong>g effectiveness. Such reports may be <strong>in</strong>formative, but are of limited use <str<strong>on</strong>g>to</str<strong>on</strong>g> the audi<str<strong>on</strong>g>to</str<strong>on</strong>g>r <strong>in</strong><br />
understand<strong>in</strong>g whether the key c<strong>on</strong>trols at the service organizati<strong>on</strong> operated effectively dur<strong>in</strong>g the<br />
period be<strong>in</strong>g audited.<br />
• Type 2 reports — descripti<strong>on</strong>, design, and operat<strong>in</strong>g effectiveness of c<strong>on</strong>trols<br />
These reports can be used by the audi<str<strong>on</strong>g>to</str<strong>on</strong>g>r <str<strong>on</strong>g>to</str<strong>on</strong>g> c<strong>on</strong>sider whether:<br />
– The c<strong>on</strong>trols tested by the service organizati<strong>on</strong> audi<str<strong>on</strong>g>to</str<strong>on</strong>g>r are relevant <str<strong>on</strong>g>to</str<strong>on</strong>g> the entity’s transacti<strong>on</strong>s,<br />
account balances, disclosures, and related asserti<strong>on</strong>s, and<br />
– The service organizati<strong>on</strong> audi<str<strong>on</strong>g>to</str<strong>on</strong>g>r’s tests of c<strong>on</strong>trols and the results are adequate (i.e., the length<br />
of the period covered by the service organizati<strong>on</strong> audi<str<strong>on</strong>g>to</str<strong>on</strong>g>r’s tests, and the time elapsed s<strong>in</strong>ce the<br />
performance of those tests).<br />
Risk Assessment<br />
Paragraph #<br />
Relevant Extracts from ISAs<br />
402.9 When obta<strong>in</strong><strong>in</strong>g an understand<strong>in</strong>g of the user entity <strong>in</strong> accordance with ISA 315, the user<br />
audi<str<strong>on</strong>g>to</str<strong>on</strong>g>r shall obta<strong>in</strong> an understand<strong>in</strong>g of how a user entity uses the services of a service<br />
organizati<strong>on</strong> <strong>in</strong> the user entity’s operati<strong>on</strong>s, <strong>in</strong>clud<strong>in</strong>g: (Ref: Para. A1-A2)<br />
(a) The nature of the services provided by the service organizati<strong>on</strong> and the significance of<br />
those services <str<strong>on</strong>g>to</str<strong>on</strong>g> the user entity, <strong>in</strong>clud<strong>in</strong>g the effect thereof <strong>on</strong> the user entity’s <strong>in</strong>ternal<br />
c<strong>on</strong>trol; (Ref: Para. A3-A5)<br />
(b) The nature and materiality of the transacti<strong>on</strong>s processed or accounts or f<strong>in</strong>ancial report<strong>in</strong>g<br />
processes affected by the service organizati<strong>on</strong>; (Ref: Para. A6)<br />
(c) The degree of <strong>in</strong>teracti<strong>on</strong> between the activities of the service organizati<strong>on</strong> and those of<br />
the user entity; and (Ref: Para. A7)<br />
(d) The nature of the relati<strong>on</strong>ship between the user entity and the service organizati<strong>on</strong>,<br />
<strong>in</strong>clud<strong>in</strong>g the relevant c<strong>on</strong>tractual terms for the activities undertaken by the service<br />
organizati<strong>on</strong>. (Ref: Para. A8-A11)<br />
402.10 When obta<strong>in</strong><strong>in</strong>g an understand<strong>in</strong>g of <strong>in</strong>ternal c<strong>on</strong>trol relevant <str<strong>on</strong>g>to</str<strong>on</strong>g> the audit <strong>in</strong> accordance<br />
with ISA 315, the user audi<str<strong>on</strong>g>to</str<strong>on</strong>g>r shall evaluate the design and implementati<strong>on</strong> of relevant<br />
c<strong>on</strong>trols at the user entity that relate <str<strong>on</strong>g>to</str<strong>on</strong>g> the services provided by the service organizati<strong>on</strong>,<br />
<strong>in</strong>clud<strong>in</strong>g those that are applied <str<strong>on</strong>g>to</str<strong>on</strong>g> the transacti<strong>on</strong>s processed by the service organizati<strong>on</strong>.<br />
(Ref: Para. A12-A14)<br />
402.11 The user audi<str<strong>on</strong>g>to</str<strong>on</strong>g>r shall determ<strong>in</strong>e whether a sufficient understand<strong>in</strong>g of the nature and<br />
significance of the services provided by the service organizati<strong>on</strong> and their effect <strong>on</strong> the user<br />
entity’s <strong>in</strong>ternal c<strong>on</strong>trol relevant <str<strong>on</strong>g>to</str<strong>on</strong>g> the audit has been obta<strong>in</strong>ed <str<strong>on</strong>g>to</str<strong>on</strong>g> provide a basis for the<br />
identificati<strong>on</strong> and assessment of risks of material misstatement.<br />
402.12 If the user audi<str<strong>on</strong>g>to</str<strong>on</strong>g>r is unable <str<strong>on</strong>g>to</str<strong>on</strong>g> obta<strong>in</strong> a sufficient understand<strong>in</strong>g from the user entity, the user<br />
audi<str<strong>on</strong>g>to</str<strong>on</strong>g>r shall obta<strong>in</strong> that understand<strong>in</strong>g from <strong>on</strong>e or more of the follow<strong>in</strong>g procedures:<br />
(a) Obta<strong>in</strong><strong>in</strong>g a type 1 or type 2 report, if available;<br />
(b) C<strong>on</strong>tact<strong>in</strong>g the service organizati<strong>on</strong>, through the user entity, <str<strong>on</strong>g>to</str<strong>on</strong>g> obta<strong>in</strong> specific <strong>in</strong>formati<strong>on</strong>;<br />
(c) Visit<strong>in</strong>g the service organizati<strong>on</strong> and perform<strong>in</strong>g procedures that will provide the<br />
necessary <strong>in</strong>formati<strong>on</strong> about the relevant c<strong>on</strong>trols at the service organizati<strong>on</strong>; or<br />
(d) <str<strong>on</strong>g>Us<strong>in</strong>g</str<strong>on</strong>g> another audi<str<strong>on</strong>g>to</str<strong>on</strong>g>r <str<strong>on</strong>g>to</str<strong>on</strong>g> perform procedures that will provide the necessary <strong>in</strong>formati<strong>on</strong><br />
about the relevant c<strong>on</strong>trols at the service organizati<strong>on</strong>. (Ref: Para. A15-A20)