SAS 70 AUDIT SOLUTIONS:
Ethridge & Miller, PC has performed well over one hundred
"SAS 70" audits of the processing of transactions by service
organizations. Each engagement expresses an opinion on the
policies and procedures placed in operation, on whether those
policies and procedures were suitably designed to achieve
specified control objectives, and (in a Type II engagement)
on tests of their operating effectiveness during a test
period. A SAS 70 audit reviews internal controls, security,
systems design and development, data control and operations.
Types of service organizations audited include State Medicaid
claims processing, Federal and State medical bills claims
processing, drug card claims processing, State lottery
systems, Application Service Providers, and commercial
electronic bank confirmation systems.
SAS 70 Overview
Statement on Auditing Standards (SAS) No. 70, Service
Organizations, is an internationally recognized auditing
standard developed by the American Institute of Certified
Public Accountants (AICPA). A SAS 70 audit, or service
auditor's examination, is widely recognized because it
represents that a service organization has been through an
in-depth audit of its control activities, which generally
include controls over information technology and related
processes. In today's global economy, service organizations
or service providers must demonstrate that they have
adequate controls and safeguards when they host or process
data belonging to their customers. In addition, the
requirements of Section 404 of the Sarbanes-Oxley Act of
2002 make SAS 70 audit reports even more important to the
process of reporting on effective internal controls at
service organizations.
SAS No. 70 is the authoritative guidance that allows service
organizations to disclose their control activities and
processes to their customers and their customers' auditors
in a uniform reporting format. A SAS 70 examination
signifies that a service organization has had its control
objectives and control activities examined by an independent
accounting and auditing firm. A formal report including the
auditor's opinion ("Service Auditor's Report") is issued to
the service organization at the conclusion of a SAS 70
examination.
SAS 70 provides guidance that enables an independent auditor
("service auditor") to issue an opinion on a service
organization's description of controls through a Service
Auditor's Report (see below). SAS 70 is not a
pre-determined set of control objectives or control
activities that service organizations must achieve; the
control objectives are defined by the service organization
itself, so a reader of the report should confirm that the
objectives covered actually address the services and risks
the reader relies on. Service auditors are required to
follow the AICPA's standards for fieldwork, quality control,
and reporting. A SAS 70 examination is not a "checklist"
audit.
SAS No. 70 is generally applicable when an auditor ("user
auditor") is auditing the financial statements of an entity
("user organization") that obtains services from another
organization ("service organization"). Service
organizations that provide such services could be
application service providers, bank trust departments,
claims processing centers, Internet data centers, or other
data processing service bureaus.
In an audit of a user organization's financial
statements, the user auditor obtains an understanding of the
entity's internal control sufficient to plan the audit as
required in SAS No. 55, Consideration of Internal Control in
a Financial Statement Audit. Identifying and evaluating
relevant controls is generally an important step in the user
auditor's overall approach. If a service organization
provides transaction processing or other data processing
services to the user organization, the user auditor may be
required to gain an understanding of the controls at the
service organization.
Service Auditor's Reports
One of the most effective ways a service organization can
communicate information about its controls is through a
Service Auditor's Report. There are two types of Service
Auditor's Reports: Type I and Type II.
A Type I report describes the service organization's
description of controls at a specific point in time (e.g.
June 30, 2003). A Type II report not only includes the
service organization's description of controls, but also
includes detailed testing of the service organization's
controls over a minimum six month period (e.g. January 1,
2003 to June 30, 2003). The contents of each type of report
are described in the following table:
Report Contents | Type I Report | Type II Report
1. Independent service auditor's report (i.e. opinion). | Included | Included
2. Service organization's description of controls. | Included | Included
3. Information provided by the independent service auditor, including a description of the service auditor's tests of operating effectiveness and the results of those tests. | Optional | Included
4. Other information provided by the service organization (e.g. glossary of terms). | Optional | Optional
In a Type I report, the service auditor will express an
opinion on (1) whether the service organization's
description of its controls presents fairly, in all material
respects, the relevant aspects of the service organization's
controls that had been placed in operation as of a specific
date, and (2) whether the controls were suitably designed to
achieve specified control objectives.
In a Type II report, the service auditor will express an
opinion on the same items noted above in a Type I report,
and (3) whether the controls that were tested were operating
with sufficient effectiveness to provide reasonable, but not
absolute, assurance that the control objectives were
achieved during the period specified.
Benefits to the Service Organization
Service organizations receive significant value from having
a SAS 70 engagement performed. A Service Auditor's Report
with an unqualified opinion issued by an independent
accounting firm differentiates the service organization from
its peers by demonstrating that it has established
effectively designed control objectives and control
activities. A Service Auditor's Report also helps a service
organization build trust with its user organizations (i.e.
customers).
Without a current Service Auditor's Report, a service
organization may have to entertain multiple audit requests
from its customers and their respective auditors. Multiple
visits from user auditors can place a strain on the service
organization's resources. A Service Auditor's Report
ensures that all user organizations and their auditors have
access to the same information, and in many cases this will
satisfy the user auditor's requirements.
SAS 70 engagements are generally performed by control
oriented professionals who have experience in accounting,
auditing, and information security. A SAS 70 engagement
allows a service organization to have its control policies
and procedures evaluated and tested (in the case of a Type
II engagement) by an independent party. Very often this
process results in the identification of opportunities for
improvements in many operational areas.
Benefits to the User Organization
User organizations that obtain a Service Auditor's Report
from their service organization(s) receive valuable
information regarding the service organization's controls
and the effectiveness of those controls. The user
organization receives a detailed description of the service
organization's controls and an independent assessment of
whether the controls were placed in operation, suitably
designed, and operating effectively (in the case of a Type
II report).
User organizations should provide a Service Auditor's Report to
their auditors. This will greatly assist the user auditor
in planning the audit of the user organization's financial
statements. Without a Service Auditor's Report, the user
organization would likely have to incur additional costs in
sending their auditors to the service organization to
perform their procedures.