sas 70 (statement on auditing standards no. 70) kelley piner charles roberts ashley walker
TRANSCRIPT
SAS 70(Statement on Auditing Standards No. 70)
Kelley PinerCharles RobertsAshley Walker
What is SAS 70?
SAS 70 is produced as a result of an audit performed by a CPA to report on the processing of transactions by a service organization
– Over time this has changed, the reports are now used as a means to provide service independent validation assurances to potential clients
It allows the third-party service provider to have one audit and share the results with all of its clients
Candidates for SAS 70 Audits
Claims processing centers Trust/benefit plan administrators Data centers Application service providers Payroll processors Internet service providers
SAS 70 Certified Advantages:Benefits to Service Organizations
Unqualified opinions demonstrate that your organization has effective controls
Decreases business interruption by removing other audits throughout the year for purposes of satisfying user organizations
Primary benefit to a company is that it eliminates the need for the company to perform its own audit of each of its third-party service provider’s internal controls
Ability to leverage SAS 70 certification into a market differentiator against existing competitors who are vying for outsourcing contracts from user organizations
SAS 70 Certified Advantages:Benefits to User Organizations
User organizations are able to gain a greater understanding and assurance of the internal controls in place at service organizations
Shows that they have taken steps in developing and implementing controls throughout the identified platform being used to process transactions for user organizations
Type I and II reports assist external auditor for user organizations by cutting down on the time and costs of having to inquire on controls at service organizations
Why SAS 70 audits are unique
The scope of the engagement and the voluminous amount of information included in the final service auditor’s report
SAS 70 auditors focus on general and application controls, as well as operational and Human Resources issues, security guidelines and business continuity plans
Only a CPA or accounting firm can sign off and issue a SAS 70 service auditor’s report
Only a seasoned accountant should be considered as a primary source for SAS 70 engagements
Difference between Type I and Type II Engagements
Type I reports are issued for a specific date and are limited to an inquiry into and observation of the controls
Type II reports are issued after a minimum six-month testing period have been completed and is focused on the operating effectiveness of controls
Type I consists of inquiry and observation controls Type II would include testing of controls
Type I vs. Type II Reports
Information Type I Type II
SAS 70 Service Auditor’s Report Required Required
Description of Controls Required Required
Information provided by the service auditor (a detailed listing of controls and testing of operating effectiveness)
Optional Required
Information provided by the service organization
Optional Optional
User organization control considerations (controls that user organizations have in place)
Optional Optional
Organizational areas to be audited
The identified platform or platforms that are being used to conduct outsourcing activities related to user organizations is what will be audited
Several operational general controls will also be observed– this is done to gain a better understanding of the corporate tone
of the organization A SAS 70 audit is looking at a service organization that
implements controls throughout various levels of its company, not just the identified platform being targeted by a SAS 70.
Audit Process
Type I– Auditor studies the general and application controls
then lists opportunities for improvement with proposed remediation and documents
– If control remediation is necessary, a time frame can be provided to correct or strengthen the various internal controls
– CPA concludes the field work by doing a final walk-through and examination of the controls, then issues the report
Audit Process (continued)
Type II– Minimum of six month design review and testing of
the general and application controls – Auditor works with employees to review controls, test
their effectiveness, and correct those that require remediation
– Report is then issued
Industry standards used during SAS 70 auditing
Control Objectives for Information and Related Technology (COBIT)
Committee of Sponsoring Organizations of the Treadway Commissions (COSO)
ISO 17799 Federal Financial Institutions Examination’s
Council (FFIEC)
Documentation of SAS 70 Certification
Independent Service Auditor’s Report unqualified or qualified opinion
Elements of Internal Control: Control environment, risk assessment, control activities, information and communication, monitoring
Systems development life cycle (SDLC) and change management: design cycle, development cycle, testing cycle, production cycle, and maintenance cycle
Documentation of SAS 70 Certification (continued)
General computer controls: logical security, physical security, environmental security, network security, and computer operations
Application controls primary function is to ensure the completeness and accuracy of the records and the validity of the entries made from processing
Other material: Information provided by the service auditor, information provided by the service organization, and client control considerations
Certification and Recertification
The report is valid for one full calendar year for both Type I and Type II
Type I- if the report is dated July 1, 2004, it is valid until July 1, 2005
Type II- if a report was issued that covered the period from June 1, 2004-November 30, 2004, the report is valid until November 30, 2005
Works Cited:
Denyer, Charles, and Christopher G. Nickell. "An Introduction to SAS 70 Audits." Benefits Law Journal 20(2007).
Boutin, Christopher. "Want Independent Validation and Assurance? Ask for SAS-70." Healthcare Financial Management August 2008.