
 



Powered by Prime Academy  
In pursuit of excellence    

    Date: 26th August 2008

Compiled by Mr. M. Sathya Kumar  

 

 

Outsourcing and Auditing

Synopsis :

The concept of outsourcing has taken deep roots in our economy. Practical difficulties arise in conducting an audit of the books and records of a client who has outsourced its functions to outside experts. This article takes a look at the procedures to be followed in the context of the new ‘Auditing and Assurance Standard — 24’ issued by the Institute on the subject.

Introduction :

‘Core competence’ is the buzz-word today. It really means in simple terms, ‘do what you know best’. The buzzword has taken a new derivative now to mean, ‘concentrate on your primary/backbone activity and outsource the rest’.

Outsourcing basically involves permitting an outside expert to undertake a part (major or minor) of the work of an organisation. Examples of outsourcing as we find today are :

1. maintenance of accounting records

2. information processing

3. safe custody of assets, and so on.

The scope of outsourcing has enlarged ever since the introduction of the concept. From mere maintenance of records, the concept has reached a stage where execution of transactions itself is being outsourced. We come across our clients increasingly subscribing to the concept.

Implications of outsourcing on auditing :

What are the implications of this on the profession of auditing ? It is pertinent here to note the issues involved. Some of them are :

1. Entry of an outsider into the organisation’s system.

2. Policies and procedures of the service organisation, which may be different from those of the organisation.

3. Efficiency and the effectiveness of the accounting and internal controls of the service organisation, which will have an impact on the financial statements of the organisation.

4. Relevance of the above on audit and extent of audit risk involved.

These factors increase the scope of the audit. In addition to auditing the books and records of the client, it will be necessary to gain understanding of the systems and procedures operating at the service organisation and assess their effectiveness. This is more so when the execution and accountability of the transactions are outsourced, which may have a material effect on the assertions in the financial statement of the client.

Auditing and Assurance Standard — 24 :

The Institute of Chartered Accountants of India has rightly come up with an Auditing and Assurance Standard (AAS) on the subject. The AAS numbered as 24 is titled ‘Audit Considerations Relating to Entities Using Service Organisations’ and will be effective from 1-4-2004.

Recommendations of ICAI :

1. The Institute has used the following terms in the standard, the understanding of which is necessary :

  • Client — organisation which has outsourced its functions

  • Auditor of the client

  • Service organisation — the entity to which functions have been outsourced by the client

  • Auditor of the service organisation.

2. Effect of outsourcing on client’s systems :

  • Policies and procedures established and executed by the service organisation affect the client’s accounting and internal controls. If the services provided are limited to the recording and processing of transactions of the client, and the client retains authorisation and maintenance of accountability, the client will be able to implement suitable policies and procedures within its organisation. Difficulties arise when the execution and accountability in respect of the client’s transactions are outsourced, in which case it may be necessary for the client to rely on the policies and procedures at the service organisation.

  • This reliance will compel the auditors to consider how the service organisation affects the client’s accounting and internal control systems and accordingly plan the audit approach.

  • Significance of the activities of the service organisation to the client :

The activities of the service organisation, if significant to the client, may become relevant to the audit and call for specific audit procedures. The Institute has prescribed consideration of the following aspects in deciding about the significance :

  • Nature of services

  • Terms of contract

  • Relationship with the service organisation

  • Material financial statement assertions affected due to this

  • Inherent risk involved

  • Interaction with the systems at the service organisation

  • Client’s internal control applied to the transactions processed by the service organisation

  • Capability and financial strength of the service organisation

  • Possible effect of the failure of the service organisation

  • Information available about the service organisation

  • Information available about the general and computer system controls relevant to the client’s applications

  • Availability of third party reports from service organisation’s auditors, internal auditors, or regulatory agencies on the operation and effectiveness of the systems and controls at the service organisation

  • The auditor, based on the above considerations, may conclude that the assessment of control risk will not be affected by controls at the service organisation. If so, he need not further consider the prescriptions in this standard.

3. Service rendered is significant and relevant to the audit :

  • The auditor may also conclude that the activities of the service organisation are significant to the client and relevant to the audit. In such a scenario, he must obtain sufficient information to understand the accounting and internal control systems of the service organisation and to assess the control risk. Thereafter he may draw appropriate conclusions and proceed with the audit.

  • It is quite possible that the auditor may not be in a position to obtain sufficient information. In such a case, he may :

  • Request the service organisation to have its auditor perform procedures and supply the necessary information in the form of reports. If such reports are made available he must further consider :

    • The professional competence of the other auditor in the context of specific assignment if the other auditor is not a member of ICAI. The recommendations of the Institute in AAS 9 on ‘Using the work of an expert’ should also be borne in mind.

    • The nature and content of the reports

    • Scope of work performed and the usefulness and appropriateness of the reports.

  • If such reports are not made available within a reasonable time, he may consider visiting the service organisation. He may advise the client to request the service organisation to give him access to the necessary information.

  • Nature and content of the reports that may be furnished by the auditor of the service organisation :

The Institute has prescribed two types of reports that may be obtained from the auditor of the service organisation and has indicated the broad contents of the reports :

  • Type A — Report on suitability of design :

The report should, inter alia, contain:

  • A description of the accounting and internal control systems. This is normally prepared by the management of the service organisation.

  • An opinion that :

1. The above description is accurate

2. The systems’ controls have been placed in operation, and

3. The accounting and internal control systems are suitably designed to achieve their stated objectives.

  • These reports are useful for gaining an understanding of the accounting and internal control systems. These cannot, however, be used for assessing the control risk.

  • Type B — Report on suitability of design and operating effectiveness :

The report should, inter alia, contain :

  • A description of the accounting and internal control systems. This is normally prepared by the management of the service organisation.

  • An opinion that :

1. The above description is accurate

2. The systems’ controls have been placed in operation

3. The accounting and internal control systems are suitably designed to achieve their stated objectives, and

4. The accounting and internal control systems are operating effectively based on the results from the tests of control. The auditor of the service organisation has to identify the tests of controls performed and the related results.

  • These reports unlike the earlier one, can also be used for assessment of the control risk. In such a case, the auditor of the client would do well to consider that :

    • The controls tested by the auditor of the service organisation are relevant to the client’s transactions, and

    • The tests of controls and results obtained are adequate, having due regard to the length of the period covered and the time since the performance of those tests

    • In respect of the relevant tests and results, the nature, timing and extent of the tests provide sufficient appropriate evidence about the effectiveness of the systems and the client auditor’s assessed level of control risk.

  • The auditor of the service organisation may restrict the use of his report generally to the management, the customers of the service organisation and to the specified client’s auditor.

4. Performance of substantive procedures :

  • The auditor of the service organisation may also be engaged to perform substantive procedures that may be of use to the auditor of the client.

5. Reporting by the client’s auditor :

  • The Institute has clearly specified that the client auditor’s report should not make any mention about the report of the auditor of the service organisation.

Conclusion :

1. The recommendations of ICAI relating to audit of an entity which has outsourced its functions to a service organisation can be summarised as follows :

  • Step 1 : Whether the services rendered are significant and relevant to audit

  • Step 2 : if so, whether an understanding of the accounting and internal control systems of the service organisation could be obtained, and the control risk assessed with the information available with the client

  • Step 3 : if not, advise the client to obtain a report from the auditor of the service organisation on the accuracy, operation and effectiveness of the accounting and internal control systems at the service organisation

  • Step 4 : review the report, having regard to the professional competence of the auditor (if he is not a CA), for the relevance, appropriateness and adequacy of the tests performed and the results obtained

  • Step 5 : if such reports are not received, consider visiting the service organisation, through the client, to obtain the relevant information

  • Step 6 : Exercise professional judgement and draw conclusions

  • Step 7 : Report suitably but without making a mention about the report of the auditor of the service organisation.

2. The Institute has come up with its recommendations at the right time. We may face practical difficulties in getting reports from the auditors of the service organisations or in gaining access to the service organisation’s premises for obtaining information. These may be due to the cost, time and reluctance factors involved therein. But there appears to be no other way out, considering the significance to the client of the services rendered by such service organisations.

 
Article by G. Ananthakrishnan 

 

 


 
