Key Takeaways

  • ISA 402 addresses the user auditor's responsibilities when an audit client (the user entity) outsources services to a third party (the service organisation) that are relevant to the user entity's financial reporting.
  • The standard applies whenever outsourced services are part of the user entity's information system relevant to financial reporting — common examples include outsourced payroll, IT hosting, fund administration, claims processing, and transaction processing.
  • Outsourcing does not transfer responsibility: the user entity remains responsible for its financial statements, and the user auditor remains responsible for the audit opinion. The auditor cannot simply disclaim responsibility because records are held elsewhere.
  • The user auditor can obtain understanding and evidence by performing procedures directly at the service organisation, by using another auditor to do so, or by using a Type 1 report (description and design of controls) or a Type 2 report (description, design and operating effectiveness of controls) issued under ISAE 3402 or an equivalent standard.
  • When using a Type 1 or Type 2 report, the user auditor must evaluate the report's sufficiency, timing, and relevance — and must understand and test the complementary user entity controls (CUECs) that the service organisation has identified as necessary for its controls to function.
  • The user auditor must consider subservice organisations — service organisations used by the service organisation itself — and determine whether they are handled through the inclusive method (covered in the report) or the carve-out method (excluded and requiring separate consideration).

What is ISA 402?

ISA 402, titled "Audit Considerations Relating to an Entity Using a Service Organisation," addresses a practical reality of modern business: entities increasingly outsource functions that directly affect their financial statements. Payroll is processed by a bureau. Investment transactions are executed and settled by a custodian. IT systems are hosted by cloud providers. Insurance claims are administered by third-party administrators.

When these outsourced functions are part of the user entity's information system relevant to financial reporting, they fall within the scope of the audit — even though the user auditor may have no direct access to the service organisation, its records, or its personnel. ISA 402 provides the framework for how the user auditor navigates this challenge.

The standard works in conjunction with ISA 315 (understanding internal control) and ISA 330 (responding to assessed risks), essentially extending those standards' requirements into the outsourced environment.

Key Definitions

  • User entity: the entity whose financial statements are being audited (the audit client).
  • Service organisation: a third-party organisation that provides services to user entities that are part of those entities' information systems relevant to financial reporting.
  • User auditor: the auditor who audits the user entity's financial statements.
  • Service auditor: the auditor who reports on controls at the service organisation (under ISAE 3402 or an equivalent standard).
  • Subservice organisation: a service organisation used by another service organisation to provide services that are part of the user entity's information system relevant to financial reporting.
  • Complementary user entity controls (CUECs): controls that the service organisation's system design assumes will be implemented by the user entity; the service organisation's controls only achieve their objectives if these are in place.
  • Type 1 report: a report on the description and design of controls at the service organisation as at a specific date.
  • Type 2 report: a report on the description, design and operating effectiveness of controls at the service organisation over a specified period.

When Does ISA 402 Apply?

ISA 402 applies when the services provided by a service organisation are part of the user entity's information system relevant to financial reporting. ISA 402.A1 provides examples:

  • Transaction processing — payroll bureaux, payment processing, custodian services, fund administration.
  • Record-keeping — maintaining the general ledger or subsidiary records for the user entity.
  • IT hosting — cloud-based accounting systems, ERP hosting, data centres that store financial data.
  • Investment management — portfolio management, trade execution and settlement.
  • Claims processing — insurance claims administration, benefits processing.

Not all outsourced services trigger ISA 402. Running the staff canteen, providing security services, or cleaning the office — while outsourced — are generally not part of the financial reporting information system and do not fall within scope.

The increasing relevance of ISA 402

With the shift to cloud-based systems, ISA 402 is more relevant than ever. An entity using cloud-hosted accounting software (Exact Online, Xero, QuickBooks Online, SAP Business ByDesign) is using a service organisation. An entity with payroll processed externally — extremely common in the Netherlands and across Europe — is using a service organisation. A pension fund with asset management outsourced to a fund manager is using a service organisation. Many auditors underestimate the prevalence of outsourced functions in their client base. During planning, systematically identify all outsourced functions and evaluate whether they are part of the financial reporting information system.

The User Auditor's Responsibilities

Obtaining an understanding

ISA 402.9–10 requires the user auditor to obtain an understanding of:

(a) The nature of the services provided by the service organisation and the significance of those services to the user entity, including their effect on internal control.

(b) The nature and materiality of the transactions processed or accounts and financial reporting processes affected by the service organisation.

(c) The degree of interaction between the service organisation's activities and those of the user entity — including the terms of the contract or service level agreement.

(d) The user entity's internal control as it relates to the services provided by the service organisation — specifically, the controls the user entity applies to transactions processed by the service organisation.

Sources of information

The user auditor may obtain this understanding from a variety of sources (ISA 402.A12):

  • The service organisation's user manuals and system descriptions.
  • The contract or service level agreement between the user entity and the service organisation.
  • Reports by the service auditor (Type 1 or Type 2 reports).
  • Inquiries of user entity management about their monitoring of the service organisation.
  • Prior-year experience with the service organisation.
  • Direct contact with the service organisation (subject to contractual and confidentiality constraints).

Type 1 and Type 2 Reports

The most common way for a user auditor to obtain information about controls at a service organisation is through a service auditor's report issued under ISAE 3402, "Assurance Reports on Controls at a Service Organisation."

Type 1 report

A Type 1 report provides the service auditor's opinion on:

  • The description of the service organisation's system.
  • The suitability of design of controls to achieve specified control objectives.

A Type 1 report is as of a specific date — it tells the user auditor what the controls looked like at that point in time, but provides no evidence that the controls actually operated effectively.

Use for the user auditor: A Type 1 report assists in obtaining an understanding of controls at the service organisation (ISA 315 purposes) but does not provide evidence for testing operating effectiveness (ISA 330 purposes).

Type 2 report

A Type 2 report includes everything in a Type 1 report plus:

  • The operating effectiveness of the controls to achieve specified control objectives.
  • A description of the service auditor's tests of controls and the results of those tests.

A Type 2 report covers a specified period — it provides evidence that controls operated effectively during that period.

Use for the user auditor: A Type 2 report can be used as audit evidence to support the user auditor's assessment of control risk — if the user auditor is satisfied with the service auditor's competence, the report's scope and timing, and the results of the tests.

                                            Type 1 report                          Type 2 report
What it covers                              Description and design of controls     Description, design and operating effectiveness
Period / date                               As at a specific date                  For a specified period
Tests of controls                           None                                   Yes, with results
Useful for ISA 315 (understanding)          Yes                                    Yes
Useful for ISA 330 (reliance on controls)   No                                     Yes, if properly evaluated
Issued under                                ISAE 3402 (or SOC 1 in the US)         ISAE 3402 (or SOC 1 in the US)

Evaluating a Type 1 or Type 2 Report

ISA 402.12–13 requires the user auditor to evaluate the report before relying on it:

Evaluate the service auditor and the standards applied: the user auditor must be satisfied about the service auditor's professional competence and independence, and about the adequacy of the standards under which the report was issued (ISA 402.12). This may involve checking the service auditor's credentials, firm reputation and regulatory standing, and confirming that the report was issued under ISAE 3402 or an equivalent standard such as SSAE 18 (SOC 1).

Evaluate the timing — the report's date (Type 1) or period (Type 2) must be appropriate for the user auditor's purposes. A Type 2 report covering January–September may not provide evidence for the October–December period. The user auditor must consider what additional evidence is needed for uncovered periods.

Evaluate the scope — the report must cover the services and controls relevant to the user entity's financial statements. A service organisation may provide many services, but only some may be relevant to the specific user entity.

Evaluate the results — for a Type 2 report, the user auditor must consider whether any deviations or exceptions identified by the service auditor affect the user auditor's planned reliance. A report with numerous exceptions may not provide the expected level of assurance.

Evaluate complementary user entity controls — the report will typically identify CUECs that the service organisation's controls assume are in place at the user entity. The user auditor must understand these and test whether the user entity has implemented them.

Complementary User Entity Controls (CUECs)

This is one of the most practically important — and most frequently missed — aspects of ISA 402. Service organisations design their controls on the assumption that the user entity will perform certain actions. Common examples:

  • Authorisation of transactions — the service organisation processes transactions submitted by the user entity, but the user entity must ensure that only properly authorised transactions are submitted.
  • Reconciliation of reports — the service organisation produces output reports, but the user entity must reconcile these reports to its own records to detect errors or omissions.
  • Access controls — the service organisation may provide the system, but the user entity must manage user access rights and ensure appropriate segregation of duties.
  • Review of processing results — the user entity must review the accuracy and completeness of processing performed by the service organisation.

If the user entity has not implemented the CUECs identified in the service organisation's report, the service organisation's controls may not be effective — even if the Type 2 report shows no deviations. The user auditor must test CUECs as part of the audit.

CUECs are where the real risk lies

In practice, control failures related to service organisations are often found at the user entity level (through failure to implement CUECs) rather than at the service organisation level. The service organisation is typically a specialist that processes transactions for many clients, and its controls have been described by its management and tested by the service auditor. The individual user entity, however, may not understand or consistently perform the reconciliation, authorisation and review activities that make the system work end-to-end. Always read the CUECs section of the service auditor's report carefully, map each CUEC to the control the user entity actually operates, and test whether the user entity is actually performing it. A Type 2 report with no exceptions provides no evidence about controls that only the user entity can perform.

Subservice Organisations

ISA 402.17 addresses the situation where the service organisation itself outsources certain functions to a subservice organisation. For example, a payroll bureau may use a cloud hosting provider for its IT infrastructure, or a fund administrator may use a third party for trade settlement. If those subservice functions are relevant to the audit, the user auditor applies the requirements of ISA 402 to the subservice organisation as well.

The service auditor's report may handle the subservice organisation in two ways:

Inclusive method — the subservice organisation's controls are included in the service organisation's system description and covered by the service auditor's testing. The user auditor can rely on the report for both the service organisation and the subservice organisation.

Carve-out method: the nature of the subservice organisation's services is described in the report, but its control objectives and controls are excluded from the service auditor's testing. The description should still cover the controls the service organisation operates to monitor the subservice organisation, and the user auditor can evaluate those. Where the carved-out services are relevant to the financial statements, the user auditor must separately consider the subservice organisation's controls, by obtaining the subservice organisation's own Type 1 or Type 2 report, performing direct procedures, or using another auditor.

When No Report Is Available

Not all service organisations provide ISAE 3402 reports. In these cases, ISA 402.11 (for obtaining an understanding) and ISA 402.15 (for tests of controls) set out the alternatives, and the user auditor may also decide not to rely on controls at the service organisation at all:

  • Visit the service organisation — the user auditor may contact the service organisation and perform procedures directly (subject to contractual arrangements).
  • Use another auditor — the user auditor may engage another auditor to perform procedures at the service organisation.
  • Alternative procedures at the user entity — the user auditor may design substantive procedures that provide sufficient evidence without relying on controls at the service organisation. This may involve obtaining and testing all output reports from the service organisation, reconciling to source data, and performing additional substantive procedures on the affected account balances.

ISA 402 in Your Jurisdiction

Netherlands. COS 402 follows ISA 402 closely. The Dutch market has high penetration of outsourced services — payroll bureaux (salarisadministratie) are used by the vast majority of SMEs, and investment fund administration is commonly outsourced. The NBA provides guidance on evaluating ISAE 3402 reports. The AFM's inspections have identified that some auditors insufficiently evaluate whether the scope and timing of Type 2 reports are adequate for their purposes and that CUEC testing is frequently incomplete.

Germany. IDW PS 402 adapts ISA 402. German practice also recognises IDW PS 951 (Prüfung des internen Kontrollsystems bei Dienstleistungsunternehmen), the German standard for service auditor reports, which has been aligned with ISAE 3402 and is still widely used in the German market; a user auditor evaluating a PS 951 report applies the same considerations of competence, timing and scope as for an ISAE 3402 report. The WPK's inspections focus on whether user auditors adequately consider the significance of outsourced functions during planning.

United Kingdom. ISA (UK) 402 is substantively aligned with ISA 402. The FRC has noted in inspections that the use of service organisations is increasing (particularly cloud-based IT), and that some auditors are slow to recognise the implications for their audit approach. UK-specific considerations include the financial services sector, where extensive outsourcing of fund administration, custody, and transfer agency functions makes ISA 402 considerations pervasive.

France. NEP 402 implements ISA 402 within the French statutory framework. French practice must also consider the specific requirements of the audit regulator (the H3C, replaced in 2024 by the H2A, the Haute Autorité de l'Audit) regarding outsourced functions, particularly for PIE audits. The joint audit (co-commissariat aux comptes) structure adds an additional layer of coordination when service organisations are involved: both auditors must agree on the approach to the service organisation and on the evaluation of the reports obtained.

Frequently Asked Questions

Does outsourcing affect the entity's responsibility for its financial statements?

No. ISA 402 is clear: the user entity's management remains responsible for the financial statements and for maintaining effective internal control, regardless of outsourcing. Similarly, the user auditor retains full responsibility for the audit opinion — outsourcing does not reduce or transfer audit responsibility.

What is the difference between an ISAE 3402 report and a SOC report?

ISAE 3402 is the international standard issued by the IAASB for assurance reports on controls at service organisations. SOC 1 (System and Organization Controls 1, formerly Service Organization Control) reports are issued under the US AICPA's SSAE 18 (AT-C section 320) and serve the same purpose. Many global service organisations issue a single combined report under both ISAE 3402 and SSAE 18, so the same document can be used by auditors in either regime. A bridge letter is something different: it covers the gap between the end of the report period and the user entity's year-end (see the next question). For European audits, ISAE 3402 is the directly applicable standard, but a SOC 1 report can be used if the user auditor is satisfied that the standards under which it was issued are adequate (ISA 402.12).

What if the Type 2 report doesn't cover the full audit period?

The user auditor must consider what additional evidence is needed for the uncovered period. Options include: obtaining a bridging letter from the service organisation (confirming no significant changes), performing additional procedures at the user entity to cover the gap period, or testing the user entity's monitoring controls over the service organisation for the remaining period.

Do cloud-based accounting systems trigger ISA 402?

Generally yes — if the cloud system is part of the user entity's information system relevant to financial reporting (which it almost always is, by definition, if it is the entity's accounting system). The user auditor must understand the controls at the cloud provider and consider whether a Type 1 or Type 2 report is available and appropriate.

What if the user auditor disagrees with the service auditor's conclusions?

The user auditor is responsible for their own conclusions. If the user auditor has concerns about the service auditor's report — due to scope limitations, qualifications, or concerns about the service auditor's competence — the user auditor must consider the implications for the audit and may need to perform additional procedures, modify the risk assessment, or seek additional evidence.

Further Reading and Source References

  • IAASB Handbook 2024 — The authoritative source for the complete ISA 402 text, including all application material.
  • ISAE 3402 — Assurance Reports on Controls at a Service Organisation — the standard governing the service auditor's report.
  • ISA 315 (Revised 2019) — Identifying and Assessing the Risks of Material Misstatement — the risk assessment framework that ISA 402 extends to service organisations.
  • ISA 330 — The Auditor's Responses to Assessed Risks — governs how the user auditor uses evidence from service organisation reports.
  • ISA 600 — Special Considerations — Audits of Group Financial Statements — relevant where service organisations or shared service centres operate within group structures.