The document discusses Statement on Auditing Standards (SAS) No. 70, which provides guidance for independent auditors assessing the internal controls of service organizations. It defines SAS 70 and explains that SAS 70 reports can be Type I or Type II. Type I reports evaluate internal controls at a point in time, while Type II reports also assess the controls' effectiveness over a period of six months or more. The benefits of a SAS 70 audit for service organizations include providing assurance to customers and differentiating the organization from its peers.
3. Introduction
Statement on Auditing Standards No. 70: Service Organizations,
commonly abbreviated as SAS 70, is an auditing statement issued by the
Auditing Standards Board of the American Institute of Certified Public
Accountants (AICPA), officially titled “Reports on the Processing of
Transactions by Service Organizations”. SAS 70 defines the professional
standards used by a service auditor to assess the internal control of a
service organization and issue a service auditor’s report.
4. Meaning of SAS
SAS 70 (the Statement on Auditing Standards
No. 70) defines the standards an auditor must
employ in order to assess the contracted
internal controls of a service organization.
Service organizations, such as hosted data
centers, insurance claims processors and
credit processing companies, provide
outstanding services that affect the operation
of the contracting enterprise.
5. Under SAS 70, auditor reports are
classified as either Type I or Type II. In a Type I report the
auditor evaluates the efforts of a service organization at the
time of audit to prevent accounting inconsistencies, errors
and misrepresentation. The auditor also evaluates the
likelihood that those efforts will produce the future results. A
Type II report includes the same information as that
contained in a Type I report; in addition, the auditor attempts
to determine the effectiveness of agreed-on controls since
their implementation. Type II reports also incorporate data
compiled during a specific time period, usually a minimum
of six months.
6. 1. Statement on Auditing Standards (SAS) No. 70, Service
Organizations, is an internationally recognized auditing
standard developed by the American Institute of Certified
Public Accountants (AICPA).
2. SAS 70 provides guidance to enable an independent auditor
(“service auditor”) to issue an opinion on a service
organization’s description of controls through a Service
Auditor’s Report.
3. Service auditors are required to follow the AICPA’s
standards for fieldwork, quality control, and reporting.
4. A formal report including the auditor’s opinion (“Service
Auditor’s Report”) is issued to the service organization at the
conclusion of a SAS 70 examination.
CHARACTERISTICS OF STATEMENT OF AUDITING STANDARDS FOR SERVICE ORGANIZATIONS
7. 5. A SAS 70 examination is not a “checklist” audit. SAS No.
70 is generally applicable when an auditor (“user auditor”) is
auditing the financial statements of an entity (“user
organization”) that obtains services from another
organization (“service organization”). Service organizations
that provide such services could be application service
providers, bank trust departments, claims processing centers,
Internet data centers, or other data processing service
bureaus.
6. A SAS 70 audit or service auditor’s examination is widely
recognized, because it represents that a service organization
has been through an in-depth audit of its control activities,
which generally include controls over information
technology and related processes.
8. A Type I SAS 70 audit gives an opinion on controls that are in place as of a
date in time. The opinion deals with the fairness of presentation
of the controls and the design of the controls in terms of their
ability to meet defined control objectives. Since these reports only
provide assurance over a single day, they are of limited value to
third parties.
A Type II SAS 70 audit gives an opinion on controls that were in place over
a period of time, which is typically a period of six months or
more. The opinion deals with fairness of presentation of the
controls, the design of the controls in terms of their ability to
meet defined control objectives, and the operational effectiveness
of those controls over the defined period. Third parties are better
able to rely on these reports since verification is provided
regarding these matters for a substantial period of time.
TYPE I AND TYPE II AUDIT STANDARDS
9. 1. A service auditor’s report ensures that all user organizations and
their auditors have access to the same information, and in many
cases this will satisfy the user auditor’s requirements.
2. SAS 70 engagements are generally performed by control-oriented
professionals who have experience in accounting, auditing, and
information security.
3. A service auditor’s report with an unqualified opinion that is issued
by an independent accounting firm differentiates the service
organization from its peers by demonstrating the establishment of
effectively designed control objectives and control activities.
4. A SAS 70 engagement allows a service organization to have its
control policies and procedures evaluated and tested (in the case of a
Type II engagement) by an independent party.
5. A service auditor’s report also helps a service organization build
trust with its user organizations (i.e., customers).
BENEFITS OF THE SERVICE ORGANIZATION