Syllabus D. Audit of Historical Financial Information D4. Using the work of others

D4d. Auditing an outsourced function 8 / 8

Syllabus D4d)

Assess the appropriateness and sufficiency of the work of internal auditors and the extent to which reliance can be placed on it.

The auditor has no direct contractual relationship with the service organisation


  1. Potential problems with access and confidentiality

    Although the service organisation should co-operate with us as it is in their interests

  2. Obtain an understanding of the nature and significance of the services provided by the service organisation

Service limited to recording and processing?

Client does all the authorising

  • Client uses own control policies and procedures

Service provider is accountable

  • Client relies on their control policies

  • Audit risk is now higher - new procedures required

Things to Consider

  1. Nature of services provided and relationship between client and service organisation

    Regulations involved?

  2. Contractual terms 

    Oral or legal contract?

  3. Material financial statements assertions affected ?

  4. Extent to which client's accounting and internal control systems interact with service organisations

  5. Client's internal controls (to ensure completeness, accuracy, validity). Are they the same as if processing were done "in house"?

  6. Service organisation's capability and financial standing. Consider the effect of business failure on the client entity

  7. Information available in user and technical manuals

  8. Existence of third party reports about the operation and effectiveness of the service organisation's accounting and control systems.

Evidence when client can't get sufficient evidence

  • Use the service organisations auditor's reports - on their controls

  • Contact or visit the service organisation (via the user entity) to obtain specific information

  • Engage the services of another auditor