When a service organization is part of an entity’s internal control, an auditor performing an integrated audit should:
A. Obtain an understanding of all controls related to the service organization.
B. Test the entity’s relevant controls over the activities of the service organization.
C. Perform substantive procedures at the service organization.
D. Reference the service auditor’s report in the auditor’s report on internal control.
The correct answer and explanation is:
The correct answer is: B. Test the entity’s relevant controls over the activities of the service organization.
Explanation:
When a service organization is part of an entity’s internal control system, the auditor performing an integrated audit of the entity’s financial statements and internal control over financial reporting must consider the service organization’s impact. The service organization often performs processes or controls that are relevant to the entity’s financial reporting.
The auditor’s responsibility is to gain an understanding of the controls the entity uses to monitor and oversee the service organization. This includes the controls implemented by the entity to manage the risks associated with the services provided. Therefore, the auditor tests the entity’s controls that relate to the service organization’s activities, not directly all controls at the service organization.
Option A, obtaining an understanding of all controls related to the service organization, is incorrect because the auditor does not need to test every control at the service organization. Instead, the focus is on controls relevant to the entity’s financial reporting.
Option C, performing substantive procedures at the service organization, is not typically required. The auditor primarily tests the controls of the entity that manage and monitor the service organization. Performing substantive procedures directly at the service organization is generally outside the auditor’s scope unless deemed necessary.
Option D, referencing the service auditor’s report in the auditor’s report on internal control, is also incorrect. The auditor cannot simply refer to or rely on the service auditor’s report as part of their own internal control audit opinion. Instead, the auditor incorporates their own testing of the entity’s controls related to the service organization.
In summary, the auditor tests the entity’s controls over the service organization’s activities to evaluate how effectively the entity manages the risks related to those outsourced services. This approach aligns with audit standards for integrated audits, ensuring the auditor obtains sufficient evidence about the internal control environment as it relates to service organizations.