VSA 402 - Audit considerations relating to entities using service organizations

VVIC (VIETVALUES - HCMB)
EN| VN

  2. Insights
  3. Vietnamese Auditing Standards
  4. VSA 402 - Audit considerations relating to entities using service organizations

Insight

Our Insights articles cover important issues affecting the business environment in Vietnam. Get our view of unfolding situations and be informed.

VIETNAMESE STANDARDS ON AUDITING

STANDARD No. 402

AUDIT CONSIDERATIONS RELATING TO ENTITIES

USING SERVICE ORGANIZATIONS

(Issued in pursuance of the Finance Minister’s Decision No. 03/2005/QD-BTC dated 18 January 2005)

 

GENERAL PROVISIONS 

  1. The purpose of this Vietnamese Standard on Auditing (VSA) is to establish standards and provide guidance to the audit firm and the auditor whose client uses a service organization.  This VSA also describes the service organization auditor’s reports which may be obtained by the audit firm and auditor of the client entity.
  2. The auditor and the audit firm should consider how the services rendered by a service organization affects the client’s accounting and internal control systems so as to plan the audit and develop an effective audit approach.
  3. A client may use services of an organization or individual (hereinafter referred jointly to as service organization), such as record-keeping, financial information gathering and IT related services. If a client uses a service organization, certain policies, procedures and records maintained by the service organization may be relevant to the audit of the financial statements of the client entity.
  4. This VSA applies to audits of financial statements of entities using services organizations and also applies to an audit of other financial information and related services rendered by the audit firm.

The auditor and the audit firm should comply with this VSA in conducting an audit and rendering related services.

It is expected that the auditee (client) entity and users of the audit report should possess essential knowledge as to the objective and general principles set out in this VSA in working with the auditor and the audit firm and in dealing with relations maintained during the audit.

In this VSA, the following terms have the meaning attributed below:

05. Service organization refers an organization licensed or individual registered to do business in accordance with the provisions of law and liable to provide such services to other businesses and organizations on the basis of contract terms and conditions.

06.   Service organization auditor means the auditor who audits the financial statements of a service organization as a client.

Contents of the vsa

Considerations of the Client Audit Firm and Auditor

  1.  A service organization may establish and execute policies and procedures that affect a client organization’s accounting and internal control systems. These policies and procedures are physically and operationally separate from the client organization. When the services provided by the service organization are limited to recording and processing client transactions and the client retains authorization and maintenance of accountability, the client may be able to implement effective policies and procedures within its organization.  When the service organization executes the client’s transactions and maintains accountability, the client may deem it necessary to rely on policies and procedures at the service organization.
  2. The auditor and the audit firm should determine the significance of service organization activities to the client and the relevance to the audit. In doing so, the client auditor would need to consider the following, as appropriate:
    • Nature of the services provided by the service organization.
    • Terms of contract and relationship between the client and the service organization.
    • The material financial statement assertions that are affected by the use of the service organization.
    • Inherent risk associated with those assertions.
    • Extent to which the client’s accounting and internal control systems interact with the systems at the service organization.
    • Client’s internal controls that are applied to the transactions processed by the service organization.
    • Service organization’s capability and financial strength, including the possible effect of the failure of the service organization on the client.
    • Information about the service organization such as that reflected in user and technical manuals.
    • Information available on general controls and computer systems controls relevant to the client’s applications.

Consideration of the above may lead the auditor and the audit firm to decide that the control risk assessment will not be affected by controls at the service organization; if so, further consideration of this VSA is unnecessary.

  1. The client auditor would also consider the report of the service organization auditors, internal auditors, or regulatory agencies as a means of providing information about the accounting and internal control systems of the service organization and about its operation and effectiveness.
  2. If the client audit firm and the auditor concludes that the activities of the service organization are significant to the entity and relevant to the audit, the audit firm and the auditor should obtain sufficient information to understand the accounting and internal control systems and to assess control risk at either the maximum, or a lower level if tests of control are performed.
  3. If information is insufficient, the client auditor would consider the need to request the service organization to have its audit firm and auditor perform such procedures as to supply the necessary information, or the need to visit the service organization to obtain the information. A client auditor wishing to visit a service organization may advise the client to request the service organization to give the client auditor access to the necessary information.
  4. The client auditor may be able to obtain an understanding of the accounting and internal control systems affected by the service organization by reading the third-party report of the service organization auditor.  In addition, when assessing control risk for assertions affected by the systems’ controls of the service organization, the client auditor may also use the service organization auditor’s report. If the client auditor uses the report of a service organization auditor, the auditor should consider making inquiries concerning that auditor’s professional competence in the context of the specific assignment undertaken by the service organization auditor.
  5. The client auditor may conclude that it would be efficient to obtain audit evidence from tests of control to support an assessment of control risk at a lower level.  Such evidence may be obtained by:
    1. Performing tests of the client’s controls over activities of the service organization.
    2. Obtaining a service organization auditor’s report that expresses an opinion as to the operating effectiveness of the service organization’s accounting and internal control systems for the processing applications relevant to the audit.
    3. Visiting the service organization and performing tests of control.

Service Organization Auditors Reports

  1. When using a service organization auditor’s report, the client audit firm and auditor should consider the nature of and content of that report.
  2. The report of the service organization auditor will ordinarily be one of two types as follows:

Type A - Report on suitability of design

a)  a description of the service organization’s accounting and internal control systems, ordinarily prepared by the management of the service organization; and

b)  an opinion by the service organization audit firm and auditor that:

i) the above description is accurate;

ii) the systems’ controls have been placed in operation; and

iii) the accounting and internal control systems are suitably designed to achieve their stated objectives.

Type B - Report on suitability of design and operating effectiveness

a)  a description of the service organization’s accounting and internal control systems, ordinarily prepared by the management of the service organization; and

b)  an opinion by the service organization audit firm and auditor that:

i) the above description is accurate;

ii) the systems’ controls have been placed in operation;

iii) the accounting and internal control systems are suitably designed to achieve their stated objectives; and

iv) the accounting and internal control systems are operating effectively based on the results from the tests of control. In addition to the opinion on operating effectiveness, the service organization audit firm and auditor would identify the tests of control performed and related results.

The report of the service organization auditor will ordinarily contain restrictions as to use (generally to management, the service organization and its customers, and client audit firm and auditor).

  1.  The audit firm and the auditor should consider the scope of work performed by the service organization audit firm and auditor and should assess the usefulness and appropriateness of reports issued by the service organization audit firm and auditor.
  2.  While Type A reports may be useful to the audit firm and the auditor in gaining the required understanding of the accounting and internal control systems, an auditor would not use such reports as a basis for reducing the assessment of control risk.
  3.  In contrast, Type B reports may provide such a basis at a lower control risk assessment since tests of control have been performed. In this case, a client auditor would consider:
    1. whether the controls tested by the service organization audit firm and auditor are relevant to the client’s transactions (significant assertions in the client’s financial statements); and,
    2. whether the service organization auditor’s tests of control and the results are adequate.  With respect to the latter, two key considerations are the length of the period covered by the service organization auditor’s tests and the time since the performance of those tests.
  4. For those specific tests of control and results that are relevant, a client audit firm and auditor should consider whether the nature, timing and extent of such tests provide sufficient appropriate audit evidence about the effectiveness of the accounting and internal control systems to support the client auditor’s assessed level of control risk.
  5. The auditor of a service organization may be engaged to perform control procedures as requested by the client auditor. Such engagements should be subject to agreement between the client entity, its audit firm, the service organization and its audit firm.
  6. When the client audit firm and auditor use a report from the auditor of a service organization, no reference should be made in the client auditor’s report to the auditor’s report on the service organization.

 

Popular Topics
VSA 330 - The auditor's procedures in response to assessed risks
VSA 330 - The auditor's procedures in response to assessed risks VSA 330 - The auditor's procedures in response to assessed risks
Explore VSA 330 - The auditor's procedures in response to assessed risks
VSA 550 - Related parties
VSA 550 - Related parties
Explore VSA 550 - Related parties
VSA 520 - Analytical procedures
VSA 520 - Analytical procedures
Explore VSA 520 - Analytical procedures
VSA 510 - Initial engagements – opening balances
VSA 510 - Initial engagements – opening balances
Explore VSA 510 - Initial engagements – opening balances
VSA 705 Audit opinion is not an unqualified opinion
VSA 705 Audit opinion is not an unqualified opinion
Explore VSA 705 Audit opinion is not an unqualified opinion
VSA 700 Forming audit opinions and audit reports on financial statements
VSA 700 Forming audit opinions and audit reports on financial statements
Explore VSA 700 Forming audit opinions and audit reports on financial statements
VSA 320 - Materiality in planning and performing an audit
VSA 320 - Materiality in planning and performing an audit VSA 320 - Materiality in planning and performing an audit
Explore VSA 320 - Materiality in planning and performing an audit
VSA 315 - Identify and assess the risks of material misstatement through understanding the audited entity and its environment
VSA 315 - Identify and assess the risks of material misstatement through understanding the audited entity and its environment VSA 315 - Identify and assess the risks of material misstatement through understanding the audited entity and its environment
Explore VSA 315 - Identify and assess the risks of material misstatement through understanding the audited entity and its environment
VSA 620 Using the work of an expert
VSA 620 Using the work of an expert
Explore VSA 620 Using the work of an expert
VSA 610 Using the work of internal auditing
VSA 610 Using the work of internal auditing
Explore VSA 610 Using the work of internal auditing
VSA 580 Management representations
VSA 580 Management representations
Explore VSA 580 Management representations
VSA 570 Going concern
VSA 570 Going concern VSA 570 Going concern
Explore VSA 570 Going concern
VSA 230 - Audit documentation
VSA 230 - Audit documentation
Explore VSA 230 - Audit documentation
VSA 220 - Quality control of auditing activies
VSA 220 - Quality control of auditing activies
Explore VSA 220 - Quality control of auditing activies
VSA 210 - Audit engagements
VSA 210 - Audit engagements
Explore VSA 210 - Audit engagements
VSA 200 - Overall objectives of auditors and auditing firms when conducting audits according to Vietnamese auditing standards
VSA 200 - Overall objectives of auditors and auditing firms when conducting audits according to Vietnamese auditing standards
Explore VSA 200 - Overall objectives of auditors and auditing firms when conducting audits according to Vietnamese auditing standards
VSA 240 - Fraud and error
VSA 240 - Fraud and error
Explore VSA 240 - Fraud and error
VSA 250 - Considering the observance of laws and regulations in the audit of financial reports
VSA 250 - Considering the observance of laws and regulations in the audit of financial reports
Explore VSA 250 - Considering the observance of laws and regulations in the audit of financial reports
VSA 260 - Communications of audit matters with those charged with governance
VSA 260 - Communications of audit matters with those charged with governance
Explore VSA 260 - Communications of audit matters with those charged with governance
VSA 265
VSA 265
Explore VSA 265

Connect

INTRODUCE

REGISTERS

Subscribe to our latest newsletter, insights

Services

 

JPA VIETNAM

Address: No. 06-07 Phan Ton street, Tan Dinh ward, Ho Chi Minh city, Vietnam

Email: clientcare@jpa.vn

Hotline: +(84) 28 6652 6768

© 2025 JPA VIETNAM. All rights reserved

Map
Zalo
Hotline