SAS No. 70 - University of Illinois at Urbana–Champaign

SAS No. 70
BADM 559
Jong Choi
Overview of SAS 70
• Definition
▫ SAS 70 helps service auditors to assess operational
and technical controls of a service organization and
issue a service auditor’s report
• Purpose
▫ Demonstrate effective control placed in operation
• Legislation compliance
▫ Health Insurance Portability and Accountability Act
▫ Gramm-Leach-Bliley Act
▫ Sarbanes-Oxley Act
Background
SAS 55
- Original guideline to assess internal control structure in a
financial statement audit
- However, inefficiencies in performing the procedures
SAS 94
- Greater importance of information technology in meeting
financial reporting objectives
SAS 70
Type I and Type II
Type I
Assurance on
- Fairly represented description of controls by management
- Suitably designed controls that achieve control objectives
- Controls placed in operation as of a specified date
Type II
Assurance on
- The same as Type I
- Operating effectiveness of controls
Organization and Content of a Report
• Section I: Opinion of Service Auditor
▫ Includes an opinion letter regarding the service organization’s
internal controls
• Section II: Description of Controls
▫ Includes management’s description in accordance with the COSO
framework
• Section III: Control Objectives
▫ Provides reasonable assurance that controls are tested, approved
and documented
• Section IV: Other information provided
▫ Includes any additional information beyond the descriptions of
controls
Benefits to a Service Organization
• Provide assurance on the establishment of
internal control placed in operation
• Build up firm’s reputation
• Reduce unnecessary compliance cost with user
auditors
• Be advised on existing control policies and
procedures for improvement
Benefits to a User Organization
• Receive assurance and a better understanding of the
service organization’s control system
• Reduce user auditors’ cost
Grant Thornton’s Approach
• Phase 1 – SAS 70 Readiness Review
▫ Gains understanding and identifies the key business
processing and information technology controls
• Phase 2 – Fair Representation and Suitability of Controls
▫ Helps with and evaluates the representation of the description of
controls and the effectiveness of the control design
• Phase 3 – Test and Observe
▫ Conducts inquiry, inspection, observation, and reperformance to test specific control activities
• Phase 4 – Report and Attest
▫ Issues either a Type I or Type II report
Questions?