Wednesday, 19 August 2009

All about SAS 70 Report


A SAS 70 report is the service auditor’s report on a service organization’s controls for use by user organizations and their auditors. Statement on Auditing Standards (SAS) No. 70, Service Organizations, is a widely recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA). The requirements of Section 404 of the Sarbanes-Oxley Act of 2002 make SAS 70 audit reports even more important to the process of reporting on the effectiveness of internal control over financial reporting.
It applies to any service organization that:
• Executes transactions and maintains accountability or
• Records transactions and processes related data
The primary purpose of the SAS 70 report is to provide information about the service organization to auditors who audit the user organization’s financial statements.

Benefits of a SAS 70 Report
Reduces disruption to service organization operations (single auditor concept) - Otherwise, auditors of all user organizations would have to perform testing. This would result in significant duplication of effort in reviewing common service organization systems, and the service organization would have to provide support (and accept the disruption) for every review.

Provides an independent assessment of controls - Important function for many user organizations to have an independent, trained set of eyes evaluating internal control.

Value-added recommendations from the service auditor to the service organization - An independent, trained set of eyes is able to provide recommendations to improve operational aspects of the organization. They can compare the organization to other service organizations to provide suggestions and strengthen controls as well as improve operational effectiveness.

Potential efficiency gains for user auditors if reliance can be placed on the SAS 70 report - Utilization of a SAS 70 may allow the user auditor to reduce scope of direct testing of systems and procedures at the service organization, resulting in lower fees for the client.

Few basic definitions
User Organization - The entity that has engaged a service organization and whose financial statements are being audited (e.g., the customer of the service organization).

User Auditor - The auditor who reports on the financial statements of the user organization.

Service Organization - The entity (or segment of an entity) that provides services to a user organization that are part of the user organization’s information system (e.g., processes transactions on behalf of its customers).

Service Auditor - The auditor who reports on controls of a service organization that may be relevant to a user organization’s internal control as it relates to an audit of financial statements (e.g., performs the SAS No. 70 review of the service organization).

Why would a company use a service organization?
Many companies are focusing on their core competencies and outsource certain other functions that specialized companies can do more efficiently.

These specialized companies or service organizations frequently provide outsourcing services to multiple organizations, thereby generating economies of scale.

When a company uses a service organization to accomplish tasks that affect the company’s financial statements, the processing performed by the service organization may impact the company’s system of internal control.

Therefore, the processing at the service organization may affect the user auditor’s planning and performance of the audit of the user organization’s financial statements and the audit of internal controls.

When to consider SAS 70?
The fact that an entity uses a service organization is not, in and of itself, a compelling reason for a user auditor to conclude that it is necessary to obtain a service auditor’s report to plan the audit.

The user auditor should consider SAS No. 70 when auditing the financial statements of an entity that obtains services from another organization that are part of its information system.

A service organization’s services are part of an entity’s information system if they affect any of the following:
• How the entity’s transactions are initiated
• The accounting records, supporting information, and specific accounts in the financial statements involved in the processing and reporting of the entity’s transactions
• The accounting processing involved from the initiation of the transactions to their inclusion in the financial statements, including electronic means (such as computers and electronic data interchange) used to transmit, process, maintain, and access information
• The financial reporting process used to prepare the entity’s financial statements, including significant accounting estimates and disclosures

SAS No. 70 is not applicable to the audit of the financial statements of an entity when:
Services provided are limited to executing client organization transactions that are specifically authorized by the client. Examples: processing of checking account transactions by a bank and execution of securities transactions by a broker.

Services provided involve financial interests in partnerships, corporations, and joint ventures when proprietary interests are accounted for and reported to interest holders. Examples include working interests in oil and gas ventures.

Types of SAS 70 Reports
Type I Report – Report on controls placed in operation

In a Type I report, the service auditor issues an opinion on whether the description of controls is fairly presented, whether controls were placed in operation and whether they are suitably designed as of a specific date. However, a Type I report does not address the operating effectiveness of controls over time. A Type I report may provide a user auditor with an understanding of the service organization's controls necessary to plan the audit and to design effective tests of controls and substantive tests at the user organization. A user auditor cannot rely on a Type I report to reduce the assessed level of control risk which may result in the reduction of substantive procedures.

Type II Report - Report on controls placed in operation and Test of Operating Effectiveness
In a Type II report, the service auditor performs the procedures required for a Type I engagement and performs tests of specific controls to evaluate their operating effectiveness in achieving specified control objectives. A Type II report:
• Describes controls and effectiveness over a period of time
• May provide the user auditor with information to place a greater level of reliance on controls
A Type 2 report is typically more useful to a user auditor because, in addition to providing an understanding of controls necessary to plan the audit, it may also provide the user auditor with reasonable assurance that control objectives that may be important to the auditor have been met.

Report Contents
1. Independent service auditor's report (i.e. opinion).
Type I - Included
Type II - Included
2. Service organization's description of controls.
Type I - Included
Type II - Included
3. Information provided by the independent service auditor; includes a description of the service auditor's tests of operating effectiveness and the results of those tests.
Type I - Optional
Type II - Included
4. Other information provided by the service organization (e.g. glossary of terms).
Type I - Optional
Type II - Optional

The user auditor will need to consider whether the controls at the subservice organization are relevant to the user organization’s information system.

Carve Out Method
If the controls of the subservice organization are not included in the SAS 70 report, the carve-out method is used. In the carve-out method, the subservice organization’s control objectives and controls are excluded from the description and from the scope of the service auditor’s engagement.

Inclusive Method
If the controls of the subservice organization are included in the SAS 70 report, the inclusive method is used. In the inclusive method, the subservice organization’s relevant controls are included in the description and scope and the description in the SAS 70 report differentiates between controls of the service organization and controls of the subservice organization.

Report timing
When a Type 2 SAS 70 report period end date is within 6 months of our client’s year end, both our client’s management and the Service Auditor should consider procedures to bridge the gap between the period end of the SAS 70 report and the client’s year end.
When a Type 2 SAS 70 is dated more than 6 months before the client’s year end, the report provides little evidence of the operating effectiveness of controls at the service organization.

The User Auditor may need to perform alternative procedures to gain comfort on a control objective appearing in the SAS 70 report:
• In instances where there are non-negligible exceptions documented in the report,
• When a relevant control objective is qualified,
• When a period of time greater than 6 months has elapsed since the SAS 70 period end, or
• In situations where the service organization did not provide (or our client’s management did not obtain) a SAS 70 report over the service organization.

The procedures a User Auditor can rely on vary and may include some or all of the following procedures:
• Use work performed by management and their results
• Obtain specific information from the service organization to influence the nature, timing, and extent of testing to be performed.
• Request a service auditor be engaged to perform the necessary procedures (i.e. Agreed Upon Procedure engagement)
• Visit the service organization and perform the necessary audit procedures
• Evaluate the user controls at the user organization (our audit client) to determine if the control objectives are met with procedures already performed at the user organization.

References: www.sas70.com

Wednesday, 12 August 2009

Tesco, town decay, democracy

George Monbiot wrote an interesting piece in the Guardian about Tesco trying to move into his local town, and predicting its inevitable decay.

Although I enjoyed reading it, and he is probably right that it will result in the loss of many other shops in his town, I disagree with some of his analysis, particularly his assertion that this is a problem. 20% of people in his area have objected to it in writing, and he argues that each area should be able to decide whether they want a Tesco, and the process of blocking it should not be so potentially expensive for the local council that big companies should be able to bully them into accepting planning proposals. I fully agree that the planning and appeals system should be repaired so that planning decisions shouldn't be made on the basis of economic blackmail, but I think there is a wider issue here. I don't think that whether the area should have a Tesco should be up to local planners at all. Instead, I think that people everywhere in the country should be entitled to the same level of service provision. People are much the same everywhere, and within a country, should be able to live anywhere with the same basic rights and service provision. Postcode lotteries in state provision are a symptom of bad government, whether in health care, education, or social services. basic shopping facilities. In commercial markets, the free market is an excellent way of providing services to people at the level they want. We have very little direct control over the quality and level of local health care or education, but commercial enterprises live or die directly as a result of how well they fit the needs of the local market. If the presence of a Tesco in the area is so attractive to shoppers that other stores inevitably close due to lack of custom, then that shows that the market actually wants Tesco and doesn't care enough about the existence of the shops that die. It is a simple result of competition in a free market, and isn't something that should be blocked by local democracy. 
I don't think someone who thinks they like small shops should be able to prevent me from shopping in big ones, or vice versa. If there are enough of them, then both can happily survive side by side. If there aren't, or people who say they want to keep the small stores actually swap to Tesco once it's there, as many do, then the market is functioning perfectly when the other stores close. That isn't a fault, it is the nature of a free market.

Local democracy has a place, but not in regulating markets or basic quality of life issues, something best done at national, regional or even global levels. When we determine how the market should be regulated, then it should apply equally throughout the jurisdiction. Local government should be limited to local tweaking within that - issues of precise location, minor influences on look and feel, and ensuring that the services they are responsible for are adapted as appropriate to cope with the changes resulting from people's free decisions.

In the future, it will be interesting to see whether a hybrid model could survive. Some superstores have tried having small outlets alongside within the same superstore building. This combines the convenience of the big store with the ability to shop in small ones. Out of town malls do the same. This would be an option that might be able to satisfy both markets. If Tesco were permitted to build in an area, but obliged to make some space available in the same location for competing small shops, even the same ones displaced from the town centres, then we would retain some element of local variety and local culture without sacrificing the quality of life improvements offered by the superstore model. I rather suspect that the small shops would still fail, and that the perceived demand for them doesn't really exist in anything like the magnitude that George suggests. I don't like Tesco all that much, but I much prefer it to any of the alternatives. It seems that so do most other people.