Obtaining Assurance for Financial Statement Audits and Control Audits When Aspects of the Financial Reporting Process Are Outsourced

Abstract

SUMMARY Businesses increasingly outsource organizational functions that have financial reporting implications, which requires auditors to adjust their risk assessment and audit procedures for this practice. However, PCAOB inspection reports cite deficiencies indicating that external auditors frequently do not perform proper procedures before relying on controls maintained by service organizations. In this paper, we examine the audit implications of clients' use of service organizations. Using the audit risk and control risk models and drawing on the extant research on using the work of others and internal audit outsourcing, we develop a framework that describes how clients' use of service organizations affects financial statement and internal control audits. We propose that three characteristics of outsourcing: the client, the service organization, and the auditor of the service organization affect inherent risk, control risk, and control detection risk for clients who outsource these functions. Based on this model, we develop specific research questions to guide future auditing research. We also use this model to provide insights for future research on external auditors' reliance on outsourced internal audit functions. JEL Classifications: M41; M42; L24.