Page 49 - CA Final PARAM Digital Book.
significance of SO & SSO controls. Interaction will include interaction between UE
/ SO / SSO
A user auditor may need to consider controls at the sub-service organisation. In situations where
one or more sub-service organisations are used, the interaction between the activities of the user
entity and those of the service organisation is expanded to include the interaction between the
user entity, the service organisation and the sub-service organisations. The degree of this
interaction, as well as the nature and materiality of the transactions processed by the service
organisation and the sub-service organisations, are the most important factors for the user auditor
to consider in determining the significance of the service organisation’s and sub-service
organisation’s controls to the user entity’s controls.
➢ Sufficient Understanding: - Nature of Services / Significance of Services / Effect
of Services on ICS
Further, the user auditor shall determine whether a sufficient understanding of the nature and
significance of the services provided by the service organisation and their effect on the user entity's
internal control relevant to the audit has been obtained to provide a basis for the identification and
assessment of risks of material misstatement.
➢ If Sufficient understanding is not obtained from User Entity, then Type 1 / Type
2 can give auditor better understanding.
Two Methods of Reporting: - SO Auditor may either include or exclude control
objectives & controls of SSO. These 2 methods of reporting are called inclusive &
carve out method respectively.
It is mandatory for SO to include description of controls at SSO in its description
of controls. If carve out method of reporting is used and controls at SSO are
relevant then auditor needs to apply requirements of SA 402 in respect of SSO.
If the user auditor is unable to obtain a sufficient understanding from the user entity, the user
auditor shall obtain that understanding by application of the following two methods of presenting
the description of internal controls, i.e. (i) Type 1 report; or (ii) Type 2 report.
If a service organisation uses a subservice organisation, the service auditor's report may either
include or exclude the subservice organisation's relevant control objectives and related controls
in the service organisation's description of its system and in the scope of the service auditor's
engagement.
These two methods of reporting are known as the inclusive method and the carve-out method
respectively.
In either method, the service organisation includes in its description of controls a description of the
functions and nature of the processing performed by the subservice organisation. If the Type 1 or
Type 2 report excludes the controls at a subservice organization and the services provided by the
subservice organization are relevant to the audit of the user entity’s financial statements, the user
auditor is required to apply the requirements of SA 402 in respect of the subservice organization.
The nature and extent of work to be performed by the user auditor regarding the services provided
by a subservice organization depend on the nature and significance of those services to the user
entity and relevance of those services to the audit.
QNO 53.050: Giving Reference of Type 1 & Type 2 report. Old Course – (N20R, N21M, M21M, N22M). TITANIUM. CNO – SA402.280
ENN Limited is availing the services of APP Private Limited for its payroll operations. Payroll cost accounts
for 65% of total cost for ENN Limited. APP Limited has provided the Type 2 report as specified under SA
402 on the description, design and operating effectiveness of its controls.
APP Private Limited has also outsourced a material part of the payroll operation to M/s SMP & Associates in such
a way that M/s SMP & Associates is a sub-service organization to ENN Limited. The Type 2 report which
was provided by APP Private Limited was based on the carve-out method as specified under SA 402.
www.auditguru.in PARAM 2.28 | Page