Think of a company — let's say Rajesh & Co. Pvt. Ltd. — that outsources its entire payroll processing to a third-party firm called PayPro Solutions. Rajesh & Co.'s auditor now has a problem: a significant chunk of financial data flows through a system the auditor has zero direct access to. That's exactly the situation SA 402 addresses.

SA 402 kicks in whenever your audit client (the user entity) uses a service organisation — a third party that executes transactions or maintains records that are part of the client's information system relevant to financial reporting. Common examples in India: payroll processors, cloud ERP hosts (like a SaaS-based Tally or SAP provider), share transfer agents, or loan servicing companies for NBFCs. If that service organisation's work affects how the financial statements are prepared, you as the auditor cannot ignore it.

Your job under SA 402 has two key steps. First, understand the nature of the services and whether they create a significant risk. You do this by reading the contract, talking to management, and reviewing user manuals or system descriptions. Second, gather sufficient appropriate evidence about controls at the service organisation. You have two routes here: (a) get a Type 1 or Type 2 Service Auditor's Report (think of it as an independent report on the service org's controls — Type 1 covers design only, Type 2 covers design + operating effectiveness, so Type 2 is far more useful for you), or (b) perform your own tests at the service organisation if permitted. If you can't get evidence either way, you may need to modify your audit opinion.

Don't overlook complementary user entity controls — these are controls that the service org assumes Rajesh & Co. is running on their own side (e.g., reviewing the payroll output file before uploading). If these aren't actually in place, the entire control environment breaks down, and you must test for that gap. SA 402 is frequently tested as a 4–5 mark theory question — examiners love asking you to distinguish Type 1 vs Type 2 reports and what the user auditor should do when a service auditor's report is unavailable.

📊 Worked example

Example 1: Payroll outsourced to a service organisation

Setup: Ms. Iyer is the auditor of Bharat Textiles Pvt. Ltd. The company outsources payroll for 500 employees (monthly payroll: ₹45,00,000) to QuickPay Ltd. The payroll data directly feeds into the financial statements. Ms. Iyer needs to decide how to audit this area.

Step 1 — Identify relevance: QuickPay processes transactions that affect salary expense and payables in the financial statements. SA 402 applies.

Step 2 — Understand the service: Ms. Iyer reads the service contract and QuickPay's system description. She identifies that QuickPay relies on Bharat Textiles to verify the final payroll register before payment — this is a complementary user entity control.

Step 3 — Get evidence on controls: Ms. Iyer obtains QuickPay's Type 2 Service Auditor's Report covering the April 2024–March 2025 period. The report confirms controls over payroll processing are designed and operating effectively.

Step 4 — Test complementary controls: She verifies whether Bharat Textiles actually reviewed and signed off the payroll register each month. She finds 3 months where no sign-off exists.

Conclusion: Controls at the user entity level have a gap. Ms. Iyer extends substantive procedures — she recalculates payroll for those 3 months manually. Total salary tested: ₹1,35,00,000 (3 × ₹45,00,000). No misstatement found, but she documents the control weakness.

---

Example 2: Service Auditor's Report unavailable

Setup: Mr. Sharma audits an NBFC that uses a third-party loan management system hosted by FinServ Cloud Pvt. Ltd. The loan book is ₹12 crores. FinServ refuses to provide a service auditor's report or allow direct testing.

Step 1: Mr. Sharma cannot obtain evidence about IT controls at FinServ.

Step 2: He assesses whether he can compensate through user-entity controls or substantive procedures alone. Given the loan book represents ~80% of total assets, this is a significant limitation.

Step 3: He is unable to satisfy himself about the completeness and accuracy of loan data.

Result: Mr. Sharma issues a qualified opinion due to limitation of scope. This is the correct SA 402 outcome when evidence cannot be obtained and the matter is material.

⚠️ Common exam mistakes

  • Students think SA 402 only applies to IT outsourcing — Wrong. It applies to any service organisation that processes transactions or maintains records relevant to financial reporting: payroll, share transfer agents, investment managers, loan servicers, etc.
  • Confusing Type 1 and Type 2 reports — Don't say both are equally useful. A Type 1 report only confirms that controls are suitably designed as of a point in time. A Type 2 report confirms controls were operating effectively over a period — that's what actually helps you reduce substantive testing.
  • Ignoring complementary user entity controls — Students often assume if a Type 2 report exists, the job is done. Wrong. Always check whether the service org's controls depend on the client running their own controls, and test those separately.
  • Assuming the user auditor can always rely on the service auditor's report without evaluation — You must assess whether the service auditor is competent and independent, and whether the report covers the relevant period and controls before placing reliance on it.
  • Forgetting the implication of no evidence — If you cannot get a service auditor's report and cannot perform direct testing, and the area is material, the result is a modified opinion (qualified or disclaimer). Don't write "the auditor should inform management" as the final step — that alone is not sufficient.

📖 Reference: SA 402 — Institute of Chartered Accountants of India