

Visit Accounting & Audit Works, LLC, a leader in SAS 70 audits and SOX 404.

SAS 70 defines the professional standards a service auditor uses to assess the internal controls of a service organization and to issue a service auditor's report. A service organization can be any entity that provides services to clients; for SAS 70 purposes, it is typically one whose processing affects the control environment of its customers. Examples of service organizations are computer or information processing providers, insurance and medical claims processors, payroll and pension processors, trust companies, bookkeepers, credit processing organizations, clearinghouses, and so on.
The AICPA defines two types of service auditor's report. A Type I report contains the service auditor's opinion on the fairness of the presentation of the service organization's description of the controls that had been placed in operation, and on the suitability of the design of those controls to achieve the specified control objectives. A Type II report contains everything in a Type I report plus the auditor's opinion on whether the specified controls were operating effectively during the period under review.
Other important and pertinent information can be found in:
- SAS No. 88, Service Organizations and Reporting on Consistency, which clarifies the applicability of SAS No. 70.
- The paragraph renumbering in SAS No. 94, The Effect of Information Technology on the Auditor's Consideration of Internal Control in a Financial Statement Audit.
- SAS No. 94 also amends SAS No. 55 to provide guidance to auditors on the effect of information technology on internal control, and on the auditor's understanding of internal control and assessment of control risk.

Section 404 of the Sarbanes-Oxley Act (SOA) directs the SEC to adopt rules requiring each issuer to include an internal control report that contains management's assertion regarding the effectiveness of the company's internal control structure and procedures over financial reporting. Section 404 further requires the company's auditor to attest to, and report on, management's assessment of the company's internal control over financial reporting in accordance with standards established by the PCAOB.
Pending further standard-setting by the PCAOB, Statement on Standards for Attestation Engagements (SSAE) No. 10 remains the applicable standard for the required attestation.
So how does a SAS 70 audit bear on outsourced transaction processing?
Under the SOA provisions just described, management must evaluate the controls over the process activities and applications that are critical to the company's internal control over financial reporting.
The evaluation of the internal controls resident in business processes should consider the controls needed to achieve the financial statement assertion objectives, and those are likely to include controls residing at a service provider. If, during SOX 404 scoping, the outsourced processing is found to be material, those controls must be evaluated and tested during the 404 project like any other controls over a process or application that the company manages and controls directly. Two ways to accomplish this are a SAS 70-type audit (with some provisions) or independent testing performed by a designee (e.g., internal audit, an outside consultant, etc.).
When choosing an approach, the organization must keep in mind that the service provider is merely executing the directions issued by the user organization; outsourcing therefore does not transfer the process risk. The contents of a SAS 70 report are reviewed in relation to the controls at the user organization. The user organization should therefore develop a process map that documents the input controls, the processing performed at the outsourcer, the output, and the output controls. It should also map the key processes and administration procedures for the applications involved, because the key controls over authorization and segregation of duties are typically internal to, and under the control of, the user organization.
SAS 70 reports have typically been written and scoped as a communication between independent auditors for the purposes of the audit of the user organization's financial statements. Section 404 changes the requirements by assigning management the responsibility for making an assertion about internal control over financial reporting. The PCAOB continues to develop standards on this matter, so this condition may change.
With this in mind, there are three very important points to consider:
First, a SAS 70 report is clearly an auditor-to-auditor communication, so it is possible that the Auditing Standards Board never intended it to be used for regulatory purposes.
Second, the scope of the SAS 70 review needs to be evaluated. The scope used in prior periods, which was set to satisfy the auditors for purposes of expressing an opinion on the financial statements, may need to be expanded, perhaps significantly, to satisfy management's additional requirements. Management must also decide whether the scope is sufficient, whether the testing coverage is adequate, and how to evaluate the test results. The new testing requirements are much more pervasive.
Last, there is the question of the point-in-time internal control report that management must issue, as of its annual report year-end, to comply with Section 404. How is management's ability to sign off on its assertion about the controls as of year-end affected if the date of the SAS 70 report differs significantly from that date? One way to close the gap is to have multiple SAS 70 audits performed over the year.