What is a service organization?
ISA 402.3 establishes the principle: outsourcing a process does not outsource the audit risk. If a client uses a payroll bureau, fund administrator, or cloud-hosted ERP that generates journal entries, those services touch the financial statements. The user entity's auditor must understand and address the risks arising from those outsourced processes.
ISAE 3402.8(m) draws the boundary at services that form part of the user entity's information system relevant to financial reporting. The test is functional: does the service affect how transactions are initiated, recorded, processed, or reported? If yes, the provider is a service organization.
Common examples include payroll processors, fund administrators, managed IT hosting providers that run the accounting system, and payment processing services. A cleaning company is not a service organization under ISA 402 because its services do not affect the information system relevant to financial reporting.
Key Points
- A service organization processes transactions or holds data that directly affects a user entity's financial statements.
- The user entity's auditor retains full responsibility for the opinion, even when processes are outsourced.
- Collecting an ISAE 3402 report without evaluating it does not satisfy the user auditor's obligations.
- Failing to identify a service organization at planning is one of the most common ISA 402 inspection findings.
Why it matters in practice
The FRC's 2023 inspection report found teams that obtained ISAE 3402 reports but did not evaluate whether the control objectives in those reports were relevant to the specific assertions the team was testing. Collecting the report is step one. ISA 402.12 requires the user auditor to evaluate relevance, review the service auditor's findings, and address any period not covered by the report.
A second common failure: teams miss the gap period between the report's end date and the client's year-end. An ISAE 3402 Type II report covering January to October leaves November and December unaddressed. ISA 402.12(b) requires the auditor to obtain evidence about controls during that gap, whether through inquiry, observation, or additional testing.
Worked example: Jansen & De Vries Holding N.V.
Client: Belgian holding company, FY2024, revenue €87M, IFRS reporter. Outsources payroll for 420 employees to LoonWijs N.V.
Services provided: Gross-to-net pay calculation, tax withholding, payment file generation, monthly journal entries posted to the client's general ledger. Payroll cost €31M (36% of revenue).
ISAE 3402 report: LoonWijs provides a Type II report covering January–October 2024. The service auditor tested 14 control objectives, identified two exceptions (both low severity, corrected within the period).
User auditor's procedures: (1) Evaluate whether the 14 control objectives map to the assertions relevant to payroll expense and related liabilities. (2) Review the two exceptions and assess whether they indicate a systemic weakness. (3) Address the gap period (November–December): inquire of management about changes in LoonWijs's processing, perform payroll reconciliation for November and December, and test a sample of December payslips to source data.
Conclusion: Control objectives are relevant, exceptions are isolated, and gap period procedures provide sufficient evidence. No further action required.
Service organization vs user entity
| Dimension | Service organization | User entity |
|---|---|---|
| Role | Provides outsourced services | Receives and relies on services |
| Audit responsibility | Examined by service auditor under ISAE 3402 | Audited by user auditor under ISA 402 |
| Report direction | Commissions the ISAE 3402 report | Receives and uses the report |
| Control environment | Maintains controls over outsourced processes | Must operate complementary user entity controls (CUECs) |
What reviewers get wrong
The FRC found teams that obtained reports but did not evaluate whether control objectives were relevant to specific assertions. ISA 402.12 requires relevance evaluation. A payroll service organization's report may cover access controls and processing accuracy but not segregation of duties for payment authorisation. If the assertion being tested relates to completeness of payroll liabilities, the auditor must determine whether the report addresses that assertion.
Teams also miss the gap period between the report end date and the client year-end. ISA 402.12(b) requires evidence about controls during the gap. Relying on a report that ends in October for a December year-end leaves two months unaddressed.
Key standard references
- ISAE 3402.8(m): Defines a service organization.
- ISA 402.9(e): Defines a service organization in the context of the user auditor's responsibilities.
- ISA 402.3: Outsourcing does not outsource audit risk.
- ISA 402.12: User auditor must evaluate the ISAE 3402 report for relevance and address gap periods.
Frequently asked questions
How do you identify a service organization?
Ask whether the third party's services affect how transactions are initiated, recorded, processed, or reported in the client's financial statements. If yes, it is a service organization under ISA 402.
Is collecting an ISAE 3402 report enough?
No. ISA 402.12 requires the user auditor to evaluate whether the control objectives are relevant to the assertions being tested, review the service auditor's findings, and address any gap period between the report and the client's year-end.