July 2014

Auditing outsourced services – Auditors’ predicament

By Bhavesh Dhupelia
Shabbir Readymadewala Chartered Accountants
Cost optimisation – the genesis of outsourcing
Many enterprises operate more efficiently and profitably by outsourcing certain functions to other organisations that have the personnel, expertise or infrastructure to accomplish these tasks. The past several years have seen rapid growth in outsourcing of various business functions to service organisations. This growth has been fueled by a number of factors, including economic recession, pressure to improve operational costs, an increasingly virtual workforce and lack of internal resources to support a process or function. Traditionally the term ‘outsourcing services’ would elicit reference to services such as book keeping, payroll processing, clearing house services, mortgage services and medical claims processing amongst others. However, with the advancement of information technology, the outsourcing space has witnessed the emergence of a plethora of services such as Software as a Service (SaaS), Application Service Providers (ASP), Cloud Computing, Credit Card Processing platforms, Internet Service Providers (ISP), Data Centers, Tax processing etc.

How is an outsourced function relevant to audit?
In some cases the outsourced work generates information that is included in the outsourcer’s financial statements. Consider the example of a claims processor (third party administrator (TPA)) who processes claims for an insurance company. When the claims processing function is outsourced to a TPA, health plan customers are instructed to submit their claims directly to the TPA, which processes the claims based on rules established by the insurance company, such as rules related to eligibility and the amount to be paid against each claim. The claims processor provides the insurers with data, such as the cost of claims processed during a period, and this information flows through to the insurance company’s financial statements i.e., the expense claims and the related liability. Even though this information is generated by the claims processor, the insurance company is responsible for the accuracy of that information because the same is included in its financial statements.

For the auditors of the insurance company, the responsibility for auditing the information generated by the claims processor is the same as it would have been for auditing other financial statement information generated by the insurance company itself. The auditors must find a way to obtain evidence that supports the assertions in the insurers’ financial statements that include or are affected by the information generated by the claims processor. Under auditing parlance, the claim processor is termed as a ‘service organisation’, the insurance company would be a ‘user organisation’ whereas the auditor of the user organisation would be called as ‘user auditor’.

Auditors’ Responsibilities under SA 402
SA 402 – ‘Audit Considerations Relating to an Entity Using a Service Organisation’ expands on the factors that an auditor needs to bear in mind while auditing the financial statements of an entity that outsources functions that affect its financial statements. Services provided by a service organisation are relevant to the audit of a user entity’s financial statements when those services, and the controls over them, are part of the user entity’s information system, including related business processes, relevant to financial reporting.

In some cases, management of a user entity is able to monitor the quality of the data it receives from a service organisation by establishing controls to prevent, or detect and correct, misstatements in its financial statements resulting from errors in the data received from a service organisation. This would be the case if the user entity initiates and records the transactions it submits to the service organisation for processing. A good example of such services is payroll processing.

In other cases, the user entity relies on the service organisation to initiate, execute and record the transactions. Consider, for example, a user entity that grants an investment manager the authority to purchase and sell investments on its behalf based on written guidelines provided by the user entity.

Even though such controls are located and operating at the service organisation, they are relevant to the user entity’s internal control over financial reporting because they are designed to prevent, or detect and correct, errors in the information provided to user entities. The question is whether the auditor of a user organisation is required to test these controls and if yes, what approach would enable the user auditor to obtain sufficient information that such controls are designed and are operating effectively.

Testing of controls at a service organisation
SA 402 requires that where a user entity establishes controls over the services provided by a service organisation, the user auditor should test those controls which impact financial reporting to evaluate whether the same are operating effectively. Where the user auditor is satisfied that such controls at the user entity are operating effectively, he is not required to test controls established by the service organisation in relation to the services outsourced by the user entity. This may usually be the case where the process is less complex and the transaction volume is not substantial, e.g., payroll processing for a small/medium sized enterprise.

Where the services provided by a service organisation involve highly automated processing, a user entity may not be able to implement effective controls over the transactions processed by the service organisation and may need to rely on the controls at the service organisation. From the user auditor’s perspective, he may be unable to obtain sufficient evidence by performing substantive procedures alone at the user entity. In such cases, the user auditor shall obtain an understanding through one or more of the following procedures:

a) Obtaining a Type 1 or Type 2 report, if available

b) Contacting the service organisation, through the user entity, to obtain specific information

c) Visiting the service organisation and performing procedures that will provide the necessary information about the relevant controls at the service organisation; or

d) Using another auditor to perform procedures that will provide the necessary information about the relevant controls at the service organisation.

A Type I report is a report by the service auditor on the design of the controls whereas a Type II report is a report on the design and operating effectiveness of controls at the service organisation.

The following case study highlights the procedures that a user auditor would perform to obtain sufficient evidence for risk assessment in relation to the services performed by a service organisation.

Case Study

World Wanderers Private Limited (WWPL), a wholly owned Indian subsidiary of World Wanderers Inc. USA (WWI), is an online travel company offering outbound and inbound travel services. WWI commenced operations in India in June 20X0. In order to rationalise the operating costs, the parent company, WWI, outsourced the accounts payable function for all its subsidiaries, including WWPL, to Rapidex Accounting Services (RAS), an outsourcing firm based out of the Philippines. The processing of accounts payable for WWPL happened at RAS whereas the general ledger was maintained by WWPL in India. WWI and all its subsidiaries used a globally renowned ERP system called ‘Apex’. Access to the Apex accounts payable module was provided by WWI to RAS. RAS used Apex for its other clients as well.

Under the accounts payable process, raising of purchase orders in Apex and approval of receipt of goods and services against these purchase orders was performed by authorised staff of WWPL. RAS accounts payable team was responsible for invoice and payment processing, reconciliations, journal posting in Apex and vendor helpdesk services. WWPL maintained a documentation imaging database called OMNI to which the designated accounts personnel from RAS accounts were given access. Scanned images of the invoices duly authorized by WWPL would be uploaded on OMNI. WWPL would provide a list of scanned images of specimen signatures of WWPL staff who were authorised to approve invoices. A designated team leader (TL) authorised by RAS would need to match the signatures on the invoices with the specimen provided and where these matched, the invoices were to be processed in Apex. A quality check was performed by RAS QC team on a test check basis.

Apex generated details of payments to be released to vendors based on due date which were compared by RAS accounts payable team with the payment authorisation received from personnel of WWPL. The request was then uploaded on the bank’s website by RAS Team Leader and payments released after sign off by WWPL. The contractual terms agreed by WWI with RAS included the requirement of RAS furnishing a Type 2 report on a calendar year basis for all the subsidiaries by an independent firm of IT auditors.

RAS engaged a service auditor, ABC & Co. (‘ABC’), a firm based in the Philippines, to provide its opinion on the design and effectiveness of controls over the accounts payable function. The period of coverage was from 1st January 20X0 to 31st December 20X0. The significant controls tested by ABC inter alia included the following critical controls:

a.    Controls provide reasonable assurance that invoices posted by RAS are authorised and accurate.

b.    Controls provide reasonable assurance that only authorised payments are processed accurately by RAS.

c.    Controls provide reasonable assurance that RAS IT resources used to provide services to WWPL are restricted to authorised personnel only.

ABC provided a Type 2 report stating that all controls related to accounts payable process were designed and operated effectively, other than the following controls:

•    For 3 out of 25 samples, the verification of the payments uploaded on bank website by RAS was done using the ID of a resigned Team Leader of RAS.

•    For 1 out of 25 samples, the verification of payment uploaded on the bank website was done using an ID which could not be associated with any of the Team Leaders of RAS assigned to WWPL.

•    For 2 out of 25 samples, the evidence for verification by the TL on the bank website was not available.

ABC & Co. qualified their opinion on the above count.

WWPL had also outsourced its tax planning and processing function to XYZ & Co. (‘XYZ’), an Indian firm of chartered accountants. XYZ was responsible for filing of all statutory returns such as Service tax returns, withholding tax returns, and income-tax returns as well as providing assistance in tax assessments.

The accounting period for WWPL ended on 31st March 20X1. M/s.PQR & Associates (‘PQR’) were appointed as auditors of WWPL.

Let us now examine what procedures PQR would need to perform to ensure compliance with the requirements of SA 402:

1.    PQR may need to enquire whether WWPL has maintained independent detailed records or documentation of invoices processed and payments made by RAS on its behalf. It could be possible that no independent records could be maintained by WWPL on account of costs and operational efficiency.

2.    Auditors generally have broad rights of access established by legislation. PQR would need to obtain an understanding of the legislation applicable in the Philippines to determine whether appropriate access rights can be obtained to RAS systems. PQR could consider requesting WWPL to incorporate rights of access in the contractual arrangements between WWPL and RAS. PQR may need to consider inspecting records and documents held by RAS.

3.    PQR may need to obtain evidence as to the adequacy of controls operated by RAS over the completeness and integrity of WWPL’s accounts payable data for which RAS is responsible.

4.    If independent records of accounts payable are being maintained by WWPL, PQR could consider obtaining confirmations of balances and transactions from RAS for corroborating WWPL’s records. This may constitute reliable evidence confirming existence of transactions and balances.

5.    Given the significant volume of payments, performing substantive procedures or testing of operating effectiveness of controls at WWPL by PQR would not be sufficient. It would be imperative that the design and operative effectiveness of controls over processing of invoices as well as payments which occurred at RAS were tested by PQR.

6.    As ABC is a firm based out of Philippines and assuming that ABC is not registered with ICAI, PQR would need to evaluate the professional competence of ABC, its independence from WWPL and the adequacy of the standards under which ABC has issued the Type 2 Report. PQR may need to make enquiries about ABC to ABC’s professional organization and enquire whether ABC is subject to regulatory oversight.

7.    (a) If PQR is satisfied as to the professional competence of ABC, PQR could use ABC to perform procedures on the WWPL on its behalf such as testing of controls at RAS (other than those covered by the Type 2 Report) or substantive testing on WWPL financial statement transactions and balances maintained by RAS.

(b)    Alternatively, PQR could use another auditor to perform test of controls or substantive procedures at RAS on its behalf. The results of such procedures performed could be used by PQR to support its audit opinion. In such a case, it would be essential for ABC and PQR to agree to the form of and access to audit documentation.

(c)    PQR may visit RAS to perform tests of relevant controls if RAS agrees to it.

8.    As far as reliance on Type 2 Report is concerned, the controls tested by ABC and the results thereof would need to be evaluated by PQR to determine whether these support PQR’s risk assessment. In the present case it is pertinent to note that:

(a)    The period covered by the Type 2 report is until 31st December 20X0 whereas the period under audit ended on 31st March 20X1. PQR would need to discuss with WWPL or where permissible with RAS whether there were any significant changes to the relevant controls at WWPL outside of the period covered by ABC’s Type 2 report. PQR could consider extending tests of controls over the remaining period or testing WWPL’s monitoring of controls. PQR may also review current documentation of such controls as provided by RAS.

(b)    PQR would need to evaluate the scope of work performed by ABC, i.e., the controls tested, the appropriateness of the sample sizes and whether there were significant changes to the relevant controls beyond the period covered by the Type 2 Report.

(c)    The service was designed with the assumption that the WWPL user will have controls in place for authorizing invoices before they are sent to RAS for processing. Another control to consider would be whether an updated list of signatories authorized to approve invoices was sent by WWPL to RAS. PQR would need to consider whether such complementary controls at WWPL were relevant to the service provided to WWPL.

(d)    Merely because ABC had issued a qualified opinion does not imply that ABC’s report will not be useful for the audit of WWPL’s financial statements in assessing the risks of material misstatement. Subject to considerations explained in paragraph 7(a) above, the exceptions giving rise to the qualified opinion in ABC’s report should be considered in PQR’s assessment of the testing of controls performed by ABC.

(e)    The exceptions pertained to inconsistency in the login IDs used by RAS team to process transactions on Apex. PQR would need to evaluate how these exceptions impacted the overall control environment around accounts payable processing, whether any remedial action was taken post 31 December 20X0 and whether alternative checks were available to prevent or detect and correct errors in misstatement.

(f)    The involvement of ABC or another auditor does not alter PQR’s responsibility to obtain sufficient appropriate audit evidence as a basis for forming his opinion. PQR would not be in a position to make a reference to ABC’s report as a basis for PQR’s opinion on WWPL’s financial statements. However, if PQR were to modify its opinion based on ABC’s opinion, then PQR could refer to ABC’s report in its own audit opinion with prior consent of ABC.

9.    As regards tax processing services performed by XYZ, a report on controls at XYZ may not be available and visiting XYZ may be the most effective procedure for PQR to gain an understanding of controls at XYZ, as there is likely to be direct interaction of WWPL’s management with XYZ.

The above is an illustrative inventory of procedures that SA 402 mandates auditors to perform. The procedures may be customised to meet the requirements of an actual scenario.

CONCLUDING REMARKS

Increasingly, enterprises are outsourcing their business functions to achieve cost efficiencies. The rise of cloud computing has played a key role in the number of businesses that outsource functions to service organisations. Cloud computing providers offer user entities access to applications, data storage, and numerous other computing functions on a pay-as-you-go basis. Controls at a service organisation that are related not only to user entities’ internal control over financial reporting but also to other critical aspects such as data privacy of customers and other stakeholders have gained prominence. The user entity would continue to remain responsible for such data though the same resides with the service organisation.

SA 402 provides useful guidance to auditors to understand the nature and significance of services provided by service organisations and to design and perform procedures to respond to risk of material misstatements related thereto.
