
Statement on Auditing
Standards (SAS) No. 70,
Service Organizations
BADM 559 Final Project
By: Kristina Morales

Background

In 1988, the AICPA issued SAS 55.
◦ The independent auditor was required to review the internal controls
  of both the user organization and the service organization.
◦ Service organizations include insurance and medical claims
  processors, hosted data centers, etc.
◦ This was too costly for service organizations; therefore, SAS 70
  evolved.

SAS 55 was amended by SAS 94 in 2001.
◦ SAS 70 places emphasis on internal controls concerning
  information technology.

[Diagram: user auditor and SAS 70 auditor]

Purpose

“To obtain an independent service auditor’s report regarding the
Operational and Technical Controls in place at a service organization,
which may be relevant to the internal control structure and financial
statement assertions of user organizations of that service organization.”
- Walter Searcey, Business Advisory Services Manager, Grant Thornton LLP

Sarbanes-Oxley increased the focus on SAS 70 audit reports.
◦ Importance of reporting on the effectiveness of internal controls.
◦ Provides assurance to user organizations and their auditors.
Benefits

Service Organization
◦ Provides management with insight into the effectiveness of its
  controls and areas for improvement.
◦ Eliminates repeat audits by each user organization’s auditors,
  which saves time and money.
◦ Provides independent assurance and builds trust.
◦ Able to meet contractual obligations and respond to regulatory
  inquiries.

User Organization
◦ May control some audit costs.
◦ Helps user auditors by already having information available to them.
◦ Satisfies client regulatory requirements.
◦ Provides a level of comfort over the processes that are outsourced.
SAS 70 Audit Report

There are two types of SAS 70 service auditor’s reports: Type I and
Type II. Management, the user organization, and/or the external auditors
of the user organization can read the report to understand the service
organization’s controls and their effectiveness.

Report Contents                                                    Type I    Type II
1. Independent service auditor’s report (i.e. opinion).           Included  Included
2. Service organization’s description of controls.                 Included  Included
3. Information provided by the independent service auditor;        Optional  Included
   includes a description of the service auditor’s tests of
   operating effectiveness and the results of those tests.
4. Other information provided by the service organization          Optional  Optional
   (e.g. glossary of terms).

Only a Type II report covers whether the controls actually operated
effectively over a period of time; a Type I report speaks to the
description and design of the controls as of a point in time.

Real Life Approach

Grant Thornton’s approach to SAS 70
◦ Phase I: SAS 70 Readiness Review
  ▪ Understand the business processes and information technology
    within the SAS 70 scope.
◦ Phase II: Fair Representation and Suitability of Controls
  ▪ Evaluate the description of controls and the suitability of the
    design of control activities and control objectives.
◦ Phase III: Test and Observe
  ▪ Validate the controls and apply tests of inquiry.
◦ Phase IV: Report and Attest
  ▪ Develop and present either a Type I or a Type II report.

SAS 70 International Counterparts

United Kingdom: guidance titled AAF 01/06, which supersedes FRAG 21/94.
◦ Issued by the Audit and Assurance Faculty of the Institute of
  Chartered Accountants in England and Wales.

Canada: a report under Section 5970, which may be issued by a service
organization’s auditor.
◦ Generally entails two separate audit opinions: one on the controls
  in place and one on their operating effectiveness over a period.

Conclusion

Recently, the SAS 70 audit has been applied in non-traditional ways.
◦ Service organizations that provide services to financial companies
  are commonly required by those clients to have a SAS 70 review in
  order to support compliance with the Gramm-Leach-Bliley Act (GLBA).
◦ Service organizations that provide services to healthcare companies
  are requested by their clients to have a SAS 70 audit so that a
  third party has examined the controls over sensitive information.
◦ Some companies even propose a SAS 70 audit in order to have an
  independent party review a business proposal or marketing idea.