Auditing Section Research Summaries Space

A Database of Auditing Research - Building Bridges with Practice

This is a public Custom Hive  public

research summary

    Obtaining Assurance for Financial Statement Audits and...
    research summary posted December 3, 2014 by Jennifer M Mueller-Phillips, tagged 14.0 Corporate Matters 
    Obtaining Assurance for Financial Statement Audits and Control Audits When Aspects of the Financial Reporting Process Are Outsourced
    Practical Implications:

    Regulators could consider extending guidance on OIS-specific risks (e.g., general risks, process-specific risks) in AU 324 Service Organizations and AU-C 402 Audit Considerations Relating to an Entity Using a Service Organization. For example, to assist user auditors in assessing OIS-risks and determining the appropriate procedures to perform, this guidance could include examples of judgmental processes (such as valuations), how these processes affect inherent and control risk when outsourced, controls that should reside at the service organization (and potentially be included within a SOC 1 report), and controls that should reside at the user organization.

    User auditors would also benefit from a discussion of how user organization and service organization competence and objectivity could affect the SOC 1 report. Evidence from PCAOB inspection reports and from private interviews with practitioners suggests that OIS-risks are often inappropriately addressed within audits. We would caution regulators to refrain from updating standards until a better understanding of the causes of this inappropriate reliance are identified to avoid potential negative and unintended side effects. We encourage regulators, audit firms, and academics to partner together to research the underlying causes of this inappropriate reliance.

    For more information on this study, please contact Margaret Christ, Assistant Professor, University of Georgia.


    J. Bierstaker, L. Chen, M. Christ, M. Ege, N. Minchik. 2013. “A Synthesis of Research on the Use of Service Organizations: Implications for Auditors and Standard Setters and Directions for Future Research.” Auditing: A Journal of Practice & Theory, (Supplement): 209-251.

    outsourcing; SAS 70/SSAE 16/SOC report; service organizations; audit quality
    Purpose of the Study:

    Businesses increasingly outsource organizational functions that have financial reporting implications.  As a result, auditors must learn how to adjust their risk assessment and audit procedures for this practice. However, PCAOB inspection reports cite deficiencies indicating that external auditors frequently do not perform proper procedures before relying on controls maintained by service organizations. In this paper, we examine the audit implications of client use of service organizations. Applying the audit risk and control risk models and drawing on the extant research on using the work of others and internal audit outsourcing, we develop a framework that describes how clients’ use of service organizations affects financial statement and internal control audits.  We propose that characteristics of the outsourcing process, the client, the service organization, and the auditor of the service organization affect the inherent, control, and control detection risk for clients who outsource these functions. Based on this model, we develop specific research questions to guide future auditing research.

    Design/Method/ Approach:

    We build on the literatures addressing the audit risk model, the control risk models and auditors’ reliance on the work of third parties, including internal auditors and specialists. We develop a model that links factors related to outsourcing the information system (OIS) to specific components of the audit risk and control risk models. This new model should provide a framework for user auditors, audit researchers and regulators to properly consider how OIS affects both the financial statement and control audits. We use this model to: (1) describe factors user auditors should consider when assessing the inherent and control risk of clients who employ OIS (e.g., service organization and service auditor competence and objectivity, the content of assurance reports provided by service auditors), and (2) develop specific testable research questions that can contribute to both the academic literature and auditing practice. 


    The primary objective of this paper is to stimulate future research on the audit implications of OIS, and we identify 26 research questions to guide future inquiry. Many of our proposed research questions relate to user auditors’ assessments of the competence, objectivity, and work performed by the user organization, the service organization and the service auditor. These factors should directly influence the user auditor’s assessment of control risk and the extent of control and substantive testing required.

    Additionally, we pose a variety of questions related to the user auditor’s reliance on the SOC 1 (Type II) report prepared by the service auditor. Given that this is often the primary source of evidence regarding the controls maintained by the service organization, future academic research related to user auditors’ use of the SOC 1 report will help to highlight the specific challenges posed by these reports, improve user auditors’ use of the reports, and inform standard setters of improvements that could be made to related standards.

    Next, we suggest research questions related to specific considerations user auditors should give to service organizations and service auditors from foreign jurisdictions. Cultural factors, such as societal trust and investor protection regimes, vary widely across nations and therefore can greatly affect the internal control system of the service organization and/or control evaluations of the service auditor. Thus, future academic research could improve the way user auditors attend to the challenges arising from the use of foreign service organizations.

    Finally, we provide research questions related to outsourced internal audit functions. While internal audit functions are not within the scope of OIS, our model has direct implications for user auditors’ considerations of the use of outsourced internal audit functions and should facilitate future academic studies along this path as well.

    Corporate Matters