Property Practitioners: Payment Processing Agents
Many property practitioners make use of payment processing agents. Payment processing agents meet the definition of a service organisation, and should be evaluated by the auditor, in terms of the requirements of ISA 402. However, in many instances, auditors omit to document how they considered these requirements for payment processing agents used by property practitioners. This article explains the key requirements of ISA 402, and how it applies to the payment processing agents.
ISA 402 requirements
The key requirements of ISA 402 may be summarised as follows: If the entity makes use of a service organisation, the auditor needs to consider the impact on the audit. The auditor needs to do the following:
• Identify outsourced services that are relevant to the audit.
• Sufficiently obtain an understanding of the nature and significance of such services to identify, and assess risk of material misstatement.
• Design and perform audit procedures responsive to those risks.
• If the user auditor is unable to obtain sufficient understanding/audit evidence from the user entity, they shall obtain an understanding/audit evidence from alternate procedures, one of which is to obtain a type 1 or type 2 report.
• If the user auditor does obtain a type 1 or type 2 report, there are further requirements for the auditor to consider.
• If the user auditor doesn’t obtain sufficient appropriate audit evidence, the audit report is modified accordingly.
Services provided by a service organisation are relevant to the audit of a user entity’s financial statements when those services, and the controls over them, are part of the user entity’s information system, including related business processes relevant to financial reporting.
Where service organisations are used, the auditor needs to consider the effect of such arrangements on the entity’s internal control. This includes obtaining sufficient information to assess the risks of material misstatement, and designing an appropriate response. Care should be taken to consider all the relevant assertions, control activities and control procedures.
In smaller entities, the outsourced services may well be important to the ongoing operation of the entity, but not relevant to the audit. This would occur where there are sufficient internal controls within the entity to address the risks of material misstatement, or where substantive audit procedures can be performed to address the identified risks.
Determine first whether the client (property practice/estate agency) has controls over input and output to, or from the service organisation. Then the client may have adequate control, so that reliance on the service organisation is not necessary. It is important to document these controls in sufficient detail, and specifically document how you have assessed design and implementation of these controls. Only if these controls are in place, can you use this option when assessing your approach towards reliance on service organisations.
The payment processing agent dilemma
The auditors of payment processing agents issue an Agreed Upon Procedures (AUP) report each year, confirming trust account balances, interest paid out and related information. Auditors of property practitioners tend to place undue reliance on this AUP report, in areas not addressed by the report, without performing additional work in those areas.
A payment processing agent falls within the definition of a service organisation and should be dealt with by auditors of property practitioners, in terms of ISA 402:
- Obtain an understanding of the services provided by the service organisation, internal controls of the property practitioner over this service organisation and controls within the service organisation. Evaluate the controls and determine whether reliance needs to be placed on them, and which controls the auditor intends to rely on.
- Based on the understanding obtained, assess the risk of material misstatement and determine an appropriate response.
- Based on the control evaluation and risk assessment, determine the appropriate approach.
- Where deemed necessary, based on the process above, obtain a report (Type 1 or Type 2, depending on the level of reliance to be placed on controls) from the auditors of the service organisation.
- Ensure that assertions are addressed by the report, in order to determine additional procedures to follow during the audit.
In summary
Audit documentation should clearly reflect how the auditor considered and applied the requirements of ISA 402 when property practitioners used payment processing agents.
References
1. ISA 402, Audit considerations relating to an entity using a service organisation
How LEAF can assist
LEAF can assist firms with a full-spectrum service, producing manuals and risk registers, in line with firm circumstances and risks; continuous administration and monitoring of quality management systems; monitoring of audit engagement quality; thorough file reviews and EQR reviews; providing practical advice; reviewing methodology design; designing audit working paper templates; and providing staff training on the relevant requirements and procedures. Necessary safeguards are being applied to ensure the objectivity of our partners in each team.
We want to know: Was this article useful?
If you found this article useful, or if you would like articles on different topics, please let us know.
We welcome your feedback!
How LEAF can give practical assistance
LEAF can assist through audit quality, technical, training and other services to provide you with practical guidance.