What is a user entity?
Governed by: ISAE 3402.8(o) and ISA 402.9(f)
ISA 402.3 is direct: the user entity's auditor owns the opinion. Outsourcing changes the audit approach, not the responsibility. When a user entity sends processes to a service organization, the user auditor must understand what has been outsourced, how those services affect internal controls over financial reporting, and what evidence is available about those controls.
Every ISAE 3402 report lists complementary user entity controls (CUECs) — controls the service organization assumes are in place at the user entity's end. ISA 402.14 requires the user auditor to test those CUECs. If the user entity has not implemented them, the control chain is broken regardless of what the service organization's report says.
ISA 402.12(a) requires four distinct evaluations of the service auditor's report: relevance of the description, relevance of the control objectives, appropriateness of the tests performed, and sufficiency of the evidence obtained. User auditors who skip any of these four steps have an incomplete assessment.
Key Takeaways
- A user entity outsources processes but keeps all audit risk related to its financial statements.
- The user auditor must understand the outsourced services and their effect on internal controls.
- Complementary user entity controls listed in the ISAE 3402 report must actually be in place.
- If no service organization report exists, the user auditor needs another way to get evidence.
Worked example: Mayr Einzelhandel GmbH
Client: Austrian retail group, FY2024, revenue €145M, UGB.
Mayr outsources warehouse management and logistics billing to Translog Solutions GmbH. Translog processes warehouse receipts, generates dispatch records, calculates freight charges, and provides billing summaries that feed directly into Mayr's revenue and cost of goods sold.
The user auditor obtains Translog's ISAE 3402 Type II report for the period April 2023 to March 2024. The report covers the relevant control objectives over logistics billing and warehouse data. The user auditor then tests the four CUECs listed in the report: monthly billing reconciliation against Mayr's purchase orders, approval of new supplier set-ups, review of exception reports, and quarterly inventory count reconciliation.
The Type II report period ends in March 2024, but Mayr's financial year runs to December 2024. The user auditor performs roll-forward procedures for April to December 2024: inquiry of Translog management about system changes, re-performance of the monthly billing reconciliation for two months in the gap period, and review of Mayr's exception reports for the same period.
What reviewers get wrong
- Failing to test CUECs: The AFM's 2022 thematic review found user auditors consistently failed to test complementary user entity controls. ISA 402.14 requires this testing — without it, the control environment assessment is incomplete.
- Ignoring the gap period: Teams accept the Type II report without performing gap period procedures. ISA 402.12(b) requires evidence about controls operating during the period not covered by the service auditor's report.
User entity vs service organization
| Dimension | User entity | Service organization |
|---|---|---|
| Financial statements | Prepares and presents | Does not present to user entity's stakeholders |
| Audit opinion | User auditor issues opinion | Service auditor issues ISAE 3402 report |
| Control responsibility | Operates CUECs and overall environment | Controls over outsourced processes only |
| Risk ownership | Retains all risk of material misstatement | Bears operational risk |
Key standard references
- ISAE 3402.8(o): Defines user entity as an entity that uses the services of a service organization.
- ISA 402.9(f): Defines user entity in the context of the user auditor's responsibilities.
- ISA 402.3: The user entity's auditor retains full responsibility for the audit opinion.
- ISA 402.14: Requires the user auditor to test complementary user entity controls.
- ISA 402.12(a): Four evaluations required when using a service auditor's report.
Frequently asked questions
Does outsourcing reduce the user auditor's responsibility?
No. ISA 402.3 is clear: the user entity's auditor retains full responsibility for the audit opinion regardless of what has been outsourced.
What are CUECs and why do they matter?
Complementary user entity controls are controls the service organization assumes the user entity has in place. Without testing them under ISA 402.14, the control chain has an untested link.