Key Takeaways

  • How to update your ISA 315 risk assessment when a client runs cloud accounting software, including the specific IT general control questions that change
  • When ISA 402 applies to a cloud accounting provider (and when it does not)
  • How to adapt your ISA 500 evidence-gathering procedures for data that exists only inside a SaaS platform
  • What a worked example looks like for a Dutch SME that migrated from on-premise Exact Globe to Exact Online mid-year

Why the IT Environment Assessment Changes with Cloud Accounting

ISA 315.26(a) requires you to understand the IT environment relevant to the client’s financial reporting. When the client runs Exact Globe on a local server, that environment is the server itself, the client’s backup procedures, user access controls configured in the application, and the change management process for software updates.

You can inspect all of those directly. Walk into the server room, check the backup logs, review the Active Directory settings. That changes the moment the client goes cloud.

When the client runs Exact Online, most of those controls shift to Exact’s data centres. The client no longer manages backups. Exact pushes software updates on its own release schedule. User access administration happens through a browser portal instead of a locally installed application. Your understanding of the IT environment under ISA 315.26 now involves two parties: the client (who configures user roles and approval workflows within the platform) and the service organisation (which manages infrastructure and data segregation).

This split matters, and firms routinely get it wrong. ISA 315.A106 requires you to evaluate whether IT general controls relevant to the audit are operating effectively. For an on-premise system, all ITGCs sit with the client. For a cloud platform, some sit with the provider, and you cannot inspect them directly. The most common planning file deficiency in this area is treating the cloud platform as if the client controls it, which produces an IT environment section that describes controls nobody at the client actually operates.

What you document differently

Your planning file’s IT environment section needs to identify which ITGCs the client controls (user provisioning and deprovisioning, approval workflows, segregation of duties within the application) and which ITGCs the service organisation controls (server security, backup, disaster recovery, change management on the application code). ISA 315 does not require you to test the provider’s controls yourself. It requires you to understand the split and to evaluate whether you need additional evidence about the provider’s controls — which is where ISA 402 enters the picture.

When Does ISA 402 Apply to a Cloud Provider?

ISA 402.1 applies when the client uses a service organisation and that service organisation’s services are part of the client’s information system relevant to financial reporting. For a standard cloud accounting platform (Xero, Exact Online, QuickBooks Online), the answer is almost always yes. The platform processes transactions, maintains the general ledger, produces the trial balance, and generates the financial statements. It is the information system. ISA 402 applies.

But ISA 402.2 distinguishes between two situations. If the provider has a SOC 1 or ISAE 3402 Type II report available, you can use that report as audit evidence about the design and operating effectiveness of the provider’s controls (ISA 402.16). If the provider does not have such a report, you need alternative procedures under ISA 402.12: inquiry of the service organisation, inspection of available documentation, or contacting the service organisation directly.

The practical reality for non-Big 4 firms is this: Xero publishes an annual SOC 1 Type II report. Exact Online publishes an ISAE 3402 Type II report. QuickBooks Online has a SOC 1 report. AFAS publishes an ISAE 3402 Type II report. If your client uses one of these platforms, you can obtain the report and evaluate it. If your client uses a smaller provider without a Type II report, your documentation burden increases significantly.

Document this decision explicitly

Your ISA 402 assessment should state which provider the client uses, whether a Type II report exists, the period covered by that report, and whether any gaps between the report period and your audit period require additional procedures.

One detail firms frequently overlook: the Type II report includes complementary user entity controls (CUECs). These are controls that the service organisation assumes the client has in place for the service organisation’s controls to function as intended. Exact Online’s ISAE 3402 report, for instance, assumes the client restricts admin access to authorised personnel and reviews user permissions periodically. If the client doesn’t perform these CUECs, the assurance provided by the Type II report is weakened. Your file should document whether you verified the CUECs with the client and what you found.

How Evidence Gathering Changes Under ISA 500

ISA 500.6 requires audit evidence that is sufficient and appropriate. Cloud accounting doesn’t change that requirement. It changes where the evidence comes from and how you obtain it. Four specific procedures shift when the accounting system is cloud-based.

Journal Entry Testing

On a local system, you export the full journal entry population from the database, import it into your analytics tool, and run your ISA 240.32(a) filters. On a cloud platform, you export from the platform’s reporting module. The risk is that the export may not include all fields you need (posted by, posted date versus transaction date, reversal flags). Before you design your journal entry testing, verify what fields the platform’s export includes.

Exact Online’s audit export, for example, includes the user who posted, the entry date, and the document type. Xero’s general ledger export includes the user but not the approval status. Know your data before you design the test.

Run a test export during planning

If you wait until fieldwork, you lose the ability to request a custom report from the client or the platform’s support team. Discovering missing fields during week two of fieldwork puts you in a position where you’re redesigning procedures under time pressure.

Bank Confirmations

Many cloud platforms offer direct bank feeds. The client’s bank transactions appear in the platform automatically. This is convenient for the client but changes nothing about ISA 505.6’s requirement for external confirmation. A bank feed is not a bank confirmation. The bank feed runs through the client’s system (the cloud platform), which means it is client-generated data, not independent third-party evidence. You still send ISA 505 confirmations directly to the bank.

Access to Underlying Data

ISA 500.A11 notes that evidence reliability depends on its source. When the data sits in a cloud platform, you depend on the platform’s export functionality. If the platform restricts exports (some lower-tier subscriptions limit data exports), you may have an ISA 705 consideration. Document whether you verified the completeness of the export against the trial balance.

Audit Trail and Change Logs

Cloud platforms typically maintain automated change logs more detailed than most on-premise systems. Exact Online logs every modification to a posted entry with user and timestamp. Verify that the client hasn’t disabled logging (some platforms allow this at administrator level) and document that you inspected the settings.

A broader point about cloud evidence: some platforms offer API access that allows audit tools to pull data directly rather than relying on manual exports. If your firm uses data analytics software (CaseWare IDEA, Inflo, or similar), check whether the cloud platform has an API integration. API-pulled data is more reliable than a manually downloaded CSV because it eliminates the step where someone at the client selects export parameters. ISA 500.A11’s reliability hierarchy favours evidence obtained directly by the auditor over evidence obtained indirectly through the client.

Mid-Year Migration: What Happens to Your Testing Period?

When a client migrates from an on-premise system to a cloud platform during the financial year, your audit straddles two IT environments. This is more common than firms expect. The CBS reported that Dutch SME cloud adoption rose from 53% in 2020 to 69% in 2023, meaning a significant proportion of audit clients are migrating in any given year.

ISA 315.26 requires you to understand the IT environment. If that environment changed during the period, you need to understand both: the legacy system for the pre-migration period and the cloud platform for the post-migration period. Your ITGC assessment, your controls testing (if applicable), and your substantive procedures may need to address both systems.

The opening balance on the cloud platform is the critical control point. Compare the closing trial balance from the old system (dated the migration cutoff) with the opening trial balance on the new platform. Document discrepancies. Even small rounding differences need explanation.

User access is the second critical migration risk. When the client set up the cloud platform, who received access? Were the access rights replicated from the old system, or did someone configure them from scratch? In practice, migrations are the moment when segregation of duties breaks down. The client’s IT manager (or external consultant) often receives administrator-level access to perform the migration, and that access may not have been revoked after go-live. Check the user access list on the cloud platform and compare it against the authorised user list from your planning.

Data completeness across the two systems is also worth testing explicitly. If both systems were briefly running in parallel, you need to verify that no transactions were recorded in both. A simple test: extract all transactions posted in the legacy system after the migration date and confirm they don’t also appear in the cloud platform. This takes ten minutes and eliminates a common source of undetected duplication.

Finally, consider the impact on your substantive analytical procedures under ISA 520. If you’re comparing current-year balances to prior-year balances, and the current-year data comes from two different systems, the comparability of your analytical base changes. Your ISA 520 expectation model should note which system produced the data for each period and whether the chart of accounts changed during migration. Many cloud platforms use a different account numbering structure than the legacy system, meaning your year-on-year comparison needs a mapping table.
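The three migration checks above (opening balance agreement, user access comparison, double-recorded transactions) can be run over exports in a few lines. The following is an added example, not part of the original article or any platform's tooling; the account numbers, user names, role names, amounts, the legacy-to-cloud account mapping and the date/account/amount match key are all constructed assumptions.

```python
from datetime import date
from decimal import Decimal

def reconcile_tb(legacy_closing, cloud_opening, account_map):
    """Return {cloud_account: (mapped_legacy_balance, cloud_balance)} per mismatch."""
    expected = {}
    for acct, bal in legacy_closing.items():
        target = account_map.get(acct, f"UNMAPPED:{acct}")
        expected[target] = expected.get(target, Decimal("0")) + bal
    diffs = {}
    for acct in sorted(set(expected) | set(cloud_opening)):
        old = expected.get(acct, Decimal("0"))
        new = cloud_opening.get(acct, Decimal("0"))
        if old != new:  # exact match: even rounding differences need explaining
            diffs[acct] = (old, new)
    return diffs

def access_exceptions(platform_users, authorised):
    """Users not on the authorised list, or holding a role other than the approved one."""
    found = []
    for user, role in sorted(platform_users.items()):
        if user not in authorised:
            found.append((user, role, "not on authorised list"))
        elif role != authorised[user]:
            found.append((user, role, f"authorised as {authorised[user]}"))
    return found

def double_recorded(legacy_entries, cloud_entries, cutoff, account_map):
    """Legacy postings dated on or after cutoff that also exist on the cloud platform."""
    cloud_keys = {(e["date"], e["account"], e["amount"]) for e in cloud_entries}
    return [e for e in legacy_entries if e["date"] >= cutoff and
            (e["date"], account_map.get(e["account"]), e["amount"]) in cloud_keys]

# Constructed sample data (hypothetical accounts, users and amounts).
CUTOFF = date(2024, 7, 1)  # assumed first day on the cloud platform
ACCOUNT_MAP = {"0100": "1000", "1300": "1300", "1600": "2000", "0500": "3000"}
LEGACY_TB = {"0100": Decimal("512000.00"), "1300": Decimal("84250.10"),
             "1600": Decimal("-96250.10"), "0500": Decimal("-500000.00")}
CLOUD_TB = {"1000": Decimal("512000.00"), "1300": Decimal("84250.00"),
            "2000": Decimal("-96250.10"), "3000": Decimal("-500000.00")}
PLATFORM_USERS = {"a.bakker": "bookkeeper", "c.jansen": "administrator",
                  "m.consultant": "administrator"}
AUTHORISED = {"a.bakker": "bookkeeper", "c.jansen": "approver"}
LEGACY_ENTRIES = [
    {"date": date(2024, 6, 28), "account": "1300", "amount": Decimal("1210.00")},
    {"date": date(2024, 7, 2), "account": "1300", "amount": Decimal("3025.00")},
    {"date": date(2024, 7, 3), "account": "0100", "amount": Decimal("450.00")}]
CLOUD_ENTRIES = [
    {"date": date(2024, 7, 2), "account": "1300", "amount": Decimal("3025.00")},
    {"date": date(2024, 7, 4), "account": "1000", "amount": Decimal("990.00")}]

if __name__ == "__main__":
    print(reconcile_tb(LEGACY_TB, CLOUD_TB, ACCOUNT_MAP))
    print(access_exceptions(PLATFORM_USERS, AUTHORISED))
    print(double_recorded(LEGACY_ENTRIES, CLOUD_ENTRIES, CUTOFF, ACCOUNT_MAP))
```

A legacy posting dated after the cutoff that has no cloud counterpart (the third legacy entry here) is not returned by `double_recorded`; it is a separate exception to follow up, since nothing should have been posted to the old system after go-live.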

Worked Example: Veldkamp Bouw B.V.

Veldkamp Bouw B.V. is a Dutch construction company with €28M revenue. Veldkamp migrated from Exact Globe (on-premise) to Exact Online on 1 July 2024. The financial year is the calendar year. The audit team is planning the 31 December 2024 year-end audit.

1. Identify the IT Environment Split

Veldkamp ran Exact Globe (installed on a local Windows Server 2019) from 1 January to 30 June 2024. From 1 July, all transactions were processed in Exact Online. The audit team documents both environments in the ISA 315 planning memo.

Documentation note

“IT environment. Pre-migration (1 Jan–30 Jun 2024): Exact Globe v250, hosted on-premise, Windows Server 2019. Backups managed by client IT manager (J. de Vries). Post-migration (1 Jul–31 Dec 2024): Exact Online, hosted by Exact (Amsterdam data centre). ISAE 3402 Type II report obtained, covering 1 Oct 2023–30 Sep 2024.”

2. Evaluate the ISAE 3402 Report Gap

The Exact Online ISAE 3402 report covers 1 October 2023 to 30 September 2024. The audit period extends to 31 December 2024. A three-month gap exists. The audit team assesses whether any changes occurred in the platform’s control environment after 30 September 2024 by reviewing Exact’s release notes for Q4 2024 and inquiring with the client about any platform issues.

Documentation note

“ISAE 3402 gap period (1 Oct–31 Dec 2024): No material changes to Exact Online platform controls identified. Release notes reviewed for Q4 2024. Client confirmed no service disruptions or access issues. Conclusion: no additional procedures required for the gap period under ISA 402.19.”

3. Verify Migration Completeness

The team exports the 30 June 2024 closing trial balance from Exact Globe and the 1 July 2024 opening trial balance from Exact Online. Total assets per Exact Globe: €14,221,486. Total assets per Exact Online opening: €14,221,486. Equity matches. The team traces ten individual account balances (selected on the basis of materiality and account type) to verify line-level accuracy.

Documentation note

“Migration completeness: Closing TB (Exact Globe, 30 Jun 2024) agreed to opening TB (Exact Online, 1 Jul 2024). Total assets: €14,221,486. Ten accounts traced at line level, no discrepancies. Refer WP E.2.1 for detailed comparison.”

4. Adapt Journal Entry Testing

For January to June, journal entries are exported from Exact Globe’s SQL database. For July to December, they are exported from Exact Online’s reporting module. The team verifies that Exact Online’s export includes the required fields (posted-by user, entry date, document type) before running ISA 240.32(a) filters. Both populations are tested separately because the data formats differ.

Documentation note

“Journal entry testing performed over two populations: Pre-migration (8,412 entries, Exact Globe) and post-migration (9,107 entries, Exact Online). ISA 240 criteria applied consistently. Refer WP F.1.1 and F.1.2.”

Practical Checklist for Cloud Accounting Engagements

  1. Update your ISA 315 IT environment section to distinguish between client-controlled and provider-controlled ITGCs. Name the platform and version.
  2. Check whether the cloud provider publishes an ISAE 3402 Type II or SOC 1 report. If yes, obtain it and note the period covered. If no, document the alternative procedures you performed under ISA 402.12.
  3. Verify what data fields the platform’s export includes before designing journal entry testing. Run a test export early in planning.
  4. Confirm that automated change logs are enabled and not overridden at the administrator level. Screenshot the settings page.
  5. If the client migrated mid-year, compare the closing trial balance on the old system with the opening trial balance on the new system, and document any discrepancies at the account level.
  6. Do not treat bank feeds as ISA 505 confirmation evidence. Send confirmations directly to the bank and document why the feed was excluded.

Common Mistakes

  • Treating the cloud provider’s ISAE 3402 report as a blanket assurance over all controls. The report covers the provider’s controls only. User entity controls (configured by the client within the platform) are not covered and still require your own assessment under ISA 315.26.
  • Failing to document the report gap period. The AFM expects firms to address any period between the end of the ISAE 3402 report and the end of the audit period. A Type II report covering January to September does not automatically extend to December.
  • Using the bank feed as confirmation evidence. The FRC flagged this in its 2022 thematic review of technology in audit: bank feeds processed through the client’s system are internal evidence under ISA 500, not external confirmation under ISA 505.

Frequently Asked Questions

Does ISA 402 apply when a client uses cloud accounting software?

For standard cloud accounting platforms (Xero, Exact Online, QuickBooks Online), the answer is almost always yes. The platform processes transactions, maintains the general ledger, produces the trial balance, and generates the financial statements — it is the information system. ISA 402 applies.

Can I use a bank feed as ISA 505 confirmation evidence?

No. A bank feed runs through the client’s system (the cloud platform), which means it is client-generated data, not independent third-party evidence. You still need to send ISA 505 confirmations directly to the bank.

What should I do when a client migrates to cloud accounting mid-year?

Your audit straddles two IT environments. Document both in your ISA 315 planning memo. Compare the closing trial balance from the old system with the opening trial balance on the new platform. Test journal entries from both populations separately. Check that the migration consultant’s admin access has been revoked.

What are complementary user entity controls (CUECs) and why do they matter?

CUECs are controls that the service organisation assumes the client has in place for its own controls to function as intended. Examples include restricting admin access to authorised personnel and reviewing user permissions periodically. If the client doesn’t perform these CUECs, the assurance provided by the ISAE 3402 Type II report is weakened.

How does cloud accounting affect journal entry testing under ISA 240?

On a cloud platform, you export journal entries from the platform’s reporting module rather than a local database. The risk is that the export may not include all fields you need. Run a test export during planning so you have time to request missing fields if needed.