What is a user entity?

Planning meeting. The manager asks who runs payroll. "We outsource it." Then the question that follows: "So we don't need to test those controls, right?" Wrong. ISA 402.3 is direct: the user entity's auditor owns the opinion. Outsourcing changes the audit approach, not the responsibility.

ISAE 3402.8(o) and ISA 402.9 (f) define a user entity as an organisation that uses the services of a service organisation where those services form part of the user entity's information system relevant to financial reporting. When a user entity sends processes to a service organisation, the user auditor must understand what has been outsourced and how those services affect internal controls over financial reporting.

Every ISAE 3402 report lists complementary user entity controls (CUECs). These are controls the service organisation assumes are in place at the user entity's end. ISA 402.14 requires the user auditor to test those CUECs. If the user entity has not implemented them, the control chain is broken regardless of what the service organisation's report says.

ISA 402.12 (a) requires four distinct evaluations of the service auditor's report: relevance of the description, relevance of the control objectives, appropriateness of the tests performed, and sufficiency of the evidence obtained. User auditors who skip any of these four steps have an incomplete assessment.

Key Takeaways

  • A user entity outsources processes but keeps all audit risk related to its financial statements.
  • The user auditor must understand the outsourced services and their effect on internal controls.
  • Complementary user entity controls listed in the ISAE 3402 report must actually be in place.
  • If no service organization report exists, the user auditor needs another way to get evidence.

Worked example: Mayr Einzelhandel GmbH

Mayr is an Austrian retail group reporting under UGB, FY2024 revenue of EUR 145M.

Mayr outsources warehouse management and logistics billing to Translog Solutions GmbH. Translog processes warehouse receipts, generates dispatch records, calculates freight charges, and provides billing summaries that feed directly into Mayr's revenue and cost of goods sold.

Translog's ISAE 3402 Type II report covers the period April 2023 to March 2024 and addresses control objectives over logistics billing and warehouse data. After obtaining the report, the user auditor tests the four CUECs listed: monthly billing reconciliation against Mayr's purchase orders, approval of new supplier set-ups, review of exception reports, and quarterly inventory count reconciliation.

The Type II report period ends in March 2024, but Mayr's financial year runs to December 2024. The user auditor performs roll-forward procedures for April to December 2024: inquiry of Translog management about system changes and re-performance of the monthly billing reconciliation for two months in the gap period. The team also reviews Mayr's exception reports for the same period.

What reviewers get wrong

We've seen teams treat the ISAE 3402 report as a tick-box exercise: skim the opinion page, file it, move on. That is not what ISA 402 asks for.

  • The AFM's 2022 thematic review found user auditors consistently failed to test CUECs. ISA 402.14 requires this testing. Without it, the control environment assessment is incomplete. Nobody enjoys ticking and bashing through a list of CUECs, but skipping it is how files get flagged at review.
  • Teams accept the Type II report without performing gap period procedures. ISA 402.12 (b) requires evidence about controls operating during the period not covered by the service auditor's report.

User entity vs service organization

| Dimension | User entity | Service organization |
| --- | --- | --- |
| Financial statements | Prepares and presents | Does not present to user entity's stakeholders |
| Audit opinion | User auditor issues opinion | Service auditor issues ISAE 3402 report |
| Control responsibility | Operates CUECs and overall environment | Controls over outsourced processes only |
| Risk ownership | Retains all risk of material misstatement | Bears operational risk |

Key standard references

  • ISAE 3402.8(o) defines user entity as an entity that uses the services of a service organisation.
  • ISA 402.9 (f) defines user entity in the context of the user auditor's responsibilities.
  • ISA 402.3 states the user entity's auditor retains full responsibility for the audit opinion.
  • ISA 402.14 requires the user auditor to test CUECs.
  • ISA 402.12 (a) sets out the four evaluations required when using a service auditor's report.

Frequently asked questions

Does outsourcing reduce the user auditor's responsibility?

No. ISA 402.3 is clear: the user entity's auditor retains full responsibility for the audit opinion regardless of what has been outsourced.

What are CUECs and why do they matter?

Complementary user entity controls are controls the service organization assumes the user entity has in place. Without testing them under ISA 402.14, the control chain has an untested link.
