New Standards for Audits of Organizations Using Outsourcing

Many nonprofit organizations utilize a third-party service provider to assist them with various administrative functions, including accounting and bookkeeping, assistance with conference registration, dues collections, and publication fulfillment. This arrangement is commonly referred to as outsourcing. Currently, Statement on Auditing Standards (SAS) no. 70, Service Organizations, is the source of the requirements and guidance for CPAs:
  • reporting on controls at service organizations
  • auditing the financial statements of entities using service organizations to accomplish tasks that may affect their financial statements
SAS no. 70 has been divided and replaced by two new standards:
  1. Statement on Standards for Attestation Engagements (SSAE) also known as an attestation standard
  2. SAS (an auditing standard)

The requirements for reporting on controls at service organizations have been placed in SSAE no. 16, Reporting on Controls at a Service Organization. The requirements for auditing the financial statements of entities that use service organizations remains in the auditing standards in a new SAS, Audit Considerations Relating to an Entity Using a Service Organization. The new SAS has not yet been issued and is effective for audits of periods ending on or after December 15, 2010.

For the auditors of the user entity's financial statements, the responsibility for auditing the information generated by a service provider is the same as it would be for auditing the other financial statement information generated by the organization themselves. The auditors must find a way to obtain evidence supporting the assertions in the financial statements that include or are affected by the information generated by the service provider. SSAE no. 16 identifies an entity that performs a specialized task or function for other entities as a service organization and the entities that outsource a task or function to a service organization as user entities. The auditors auditing the financial statements of user entities are known as user auditors.

A key factor for the user auditor to understand is the level of monitoring and review the user entity performs over the information received from the service provider. In some cases, management of a user entity is able to monitor the quality of the data it receives from a service organization. This would be the case if the user entity initiates and records the transactions it submits to the service organization for processing. In other cases, the user entity relies on the service organization to initiate, execute, and record the transactions. Even though such controls are located and operating at the service organization, they are relevant to the user entity's internal control over financial reporting because they are designed to prevent, or detect and correct, errors in the information provided to user entities.

As part of the risk assessment process the user auditor must consider the controls at the service provider as well as the controls at the user entity. These controls and their impact on the amounts reported in the financial statements may have a significant impact on the auditor's risk assessment and ultimate determination of audit procedures that need to be performed. Additionally, recent guidance from certain government agencies has stressed that the auditor cannot rely on the service auditor's report to eliminate testing only to reduce the assessed risk level.

Given that the usage of service organizations by nonprofit entities is likely to increase, it is important that user entities and user auditors have an in-depth understanding of the new guidance when it is released. In addition, it is important that all organizations remember the ultimate responsibility for the financial statements rests on the organization's management, regardless of the level of work that is outsourced.