Inherent risk: employees have to get used to new processes, change uncertainty and learning curve, unreliable processing. Control risk control activities are part of business activities: even more risk if service provider in turn outsources. Detection risk: auditors have to understand new processes, audit trail is now in the service organization. Considerations: risk vs. benefit, business case, vendor selection, contingency plan if service organization fails, contract should not prevent effective audits, process to monitor contract compliance, train employees. Internal control expectations and requirements: approval from bod. Rely on independent control assurance report: cas 402. Whether service organization has reported non-compliance with laws and regulations and/or uncorrected misstatements, effect on audit risk. User auditor"s opinion not diminished by service auditor. Allows user auditor to rely on csae 3416/ssae 16 report (or similar: csae 3416/ssae 16. Assurance based on a set of control objectives and supporting procedures, system description + control description.