Statement on Auditing Standards No. 70: Service Organizations
From Wikipedia, the free encyclopedia
Statement on Auditing Standards No. 70: Service Organizations, commonly abbreviated as SAS 70, is an auditing statement issued by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA), officially titled “Reports on the Processing of Transactions by Service Organizations”. SAS 70 defines the professional standards used by a service auditor to assess the internal controls of a service organization and issue a service auditor’s report. Service organizations are typically entities that provide outsourcing services that impact the control environment of their customers. Examples of service organizations are insurance and medical claims processors, trust companies, hosted data centers, application service providers (ASPs), managed security providers, credit processing organizations and clearinghouses.
There are two types of service auditor reports. A Type I service auditor’s report includes the service auditor's opinion on the fairness of the presentation of the service organization's description of controls that had been placed in operation and the suitability of the design of the controls to achieve the specified control objectives. A Type II service auditor’s report includes the information contained in a Type I service auditor's report and also includes the service auditor's opinion on whether the specific controls were operating effectively during the period under review.
This is similar to the United Kingdom guidance provided by the Audit and Assurance Faculty of the Institute of Chartered Accountants in England and Wales. The technical release is titled AAF 01/06 which supersedes the earlier FRAG 21/94 guidance.
Background
SAS 55
There are approximately 100 Statements on Auditing Standards promulgated by the American Institute of Certified Public Accountants (AICPA). In 1988, the AICPA issued SAS 55, titled “Consideration of the Internal Control Structure in a Financial Statement Audit”. SAS 55 required that financial statement auditors assess the internal control related to any process that could impact the client’s financial reporting objectives. In cases where the client outsourced a critical process that impacted the financial statements, the auditor was required to assess the internal control of that process as it was performed by the service organization. For example, an auditor might be required to examine the manner in which a payroll processing company controls the processing of payroll for its client. This situation was very detrimental to many service organizations, since the auditors of every one of their clients had an obligation to perform the same internal control assessment.
The overwhelming resources that service organizations were spending to comply with requests from financial auditors led the AICPA to issue SAS 70. In layman’s terms, SAS 70 allowed a single internal control review to be performed on a service organization, covering all of the areas that the financial statement auditors were required to consider to meet SAS 55 requirements. The resulting service auditor’s report (i.e. the SAS 70 report) can be distributed to, and relied upon by, all of the financial statement auditors of the service organization’s clients. The extent of that reliance depends on whether a Type I or Type II SAS 70 audit was performed.
SAS 94
In 2001, SAS 55 was amended by SAS 94, titled “The Effect of Information Technology on the Auditor’s Consideration of Internal Control in a Financial Statement Audit”. SAS 94 obliges financial statement auditors to place increased focus on the growing role of information technology in meeting financial reporting objectives. Given this change, SAS 70 reports now place similar emphasis on information technology’s role in the control environment of service organizations. This helps to ensure that the SAS 70 report contains all of the information required by user organization auditors.
Changing uses of the SAS 70
Over the last few years, the SAS 70 audit has come to be used in non-traditional ways. Service organizations providing services to companies in the financial services industry are being required to have a SAS 70 review conducted to comply with Gramm-Leach-Bliley Act (GLBA) requirements. Service organizations that provide services to healthcare companies are asked by their clients to have a SAS 70 audit conducted so that a third party has examined the controls over the processing of healthcare information, given its sensitivity. Some companies use the SAS 70 audit to obtain third-party validation of their proposal or marketing material, despite the Trust Principles of a SysTrust or WebTrust audit and seal being the more appropriate vehicle for that purpose.
Users of SAS 70 audit reports
Traditionally, service auditor reports are primarily used as auditor-to-auditor communication. The auditors of the service organization’s customers can use the service auditor’s report to gain an understanding of the internal controls in operation at the service organization. Additionally, Type II service auditor reports can be used by the user organizations’ auditors to assess internal control risk for the purposes of planning and executing their financial audit.
Service auditor reports are growing in popularity and are being used by customers, prospective customers and financiers to gain an understanding of the control environment of outsourcing companies. In some cases, these third parties are not authorized users of the reports, but still use the report as third party independent verification that controls are in place and are operating effectively.
Every service auditor’s report contains an auditor’s opinion letter. The opinion letter is required to contain a paragraph that defines the authorized users of the report. Use of the report is typically restricted to the service organization’s management, its customers, and the financial statement auditors of its customers. Typically, a statement in the final paragraph reads:
“This report is intended solely for use by the management of XYZ Service Organization, its user organizations, and the independent auditors of its user organizations.”
On rare occasions, it may be necessary to change this paragraph to limit use of the report to a specific third party, which may or may not be a user organization. It is never appropriate to modify this statement so that the service organization’s own financial statement auditors are listed as authorized users of the report. The service organization’s financial statement auditors should obtain the type of information contained in the SAS 70 report about their client through other means, which may include the sharing of workpapers between the financial statement auditors and the SAS 70 auditors.
Audit frequency
Type 1 audits are typically performed no more than once per year; however, there is no technical reason for this practice. In fact, many companies use the type 1 audit as a primer and tend to move on to a type 2 audit for subsequent audits. Sarbanes-Oxley Act (SOX) provisions that require a type 2 audit have made this a very common practice.
Type 2 audits are also typically performed once per year; however, a small percentage of companies undergo multiple type 2 audits during any 12-month period. There is no technical guidance that states, or even recommends, a required type 2 audit frequency. It is generally expected that the frequency will be no less than once per year.
The SAS 70 audit guide recommends, but does not require, that type 2 examination periods be at least six months in length. Companies generally choose a review period between six and 12 months. There is no requirement or recommendation that the examination period fall completely within the calendar year.
SAS 70 audits are performed throughout the calendar year. Each service organization is responsible for making their own decisions regarding the type of audit they undergo, the timing of the audit, and the review period of the audit in the case of a type 2 audit.
User organizations will want a type 2 audit report whose examination period has as many months as possible falling within their own fiscal year and whose examination period end date is within three months of their fiscal year end. Most service organizations have many user organizations and often cannot satisfy all of their clients if they perform only one audit per year, regardless of the length of the review period. For example, a company could have a 12-month type 2 SAS 70 audit review period ending 12/31. This report would be less than ideal for clients with 6/30 fiscal year-ends, because it will be six months "old" by that point in time. However, this issue does not render the report useless; audit guidance and SOX guidance provide specific directions for dealing with this common situation when it occurs.
Type I and Type II SAS 70 audit differences
Type 1 SAS 70 audits opine on controls that are in place as of a date in time. The opinion deals with the fairness of presentation of the controls and the design of the controls in terms of their ability to meet defined control objectives. Since these reports only provide assurance over a single day, they are of limited value to third parties.
Type 2 SAS 70 audits opine on controls that were in place over a period of time, which is typically a period of six months or more. The opinion deals with the fairness of presentation of the controls, the design of the controls with regard to their ability to meet defined control objectives, and the operational effectiveness of those controls over the defined period. Third parties are better able to rely on these reports because a verification is provided regarding these matters for a substantial period of time.
SAS 70 and Sarbanes-Oxley Act
With the introduction of the Sarbanes-Oxley Act (SOX), SAS 70 took on increased importance. SOX adopted the COSO model of controls, which is the same model that SAS 70 audits have used since inception. SOX heightened the focus placed on understanding the controls over financial reporting and identified a Type II SAS 70 report as the only acceptable method for a third party to provide assurance over a service organization's controls. Security "certifications" are not accepted as substitutes for a Type II SAS 70 audit report. Auditing Standard 2, available on the PCAOB's website (www.pcaobus.org), details how a SAS 70 audit should be used in relation to SOX.
Section 5970 report
In Canada, a similar report known as a Section 5970 report may be issued by a service organization auditor. It usually gives two separate audit opinions on the controls in place. Furthermore, it may also give an opinion on the operating effectiveness over a period. These reports tend to be quite long, with descriptions of the controls in place.