3. Background
Auditors of US Securities and Exchange
Commission (“SEC”) registrants are required to
issue an opinion over their internal control
environments
Specifically, they need to gain comfort over their
client’s internal controls over financial reporting
If their client outsources certain key functions (i.e.
Payroll) to a 3rd
Party Service Organisation
(“Provider”), auditors still need to obtain
assurance that the control environment where the
key functions are operating is effective
4. Gaining Assurance
SEC registrants look to their Provider to present
evidence that their internal control environment is
operating effectively
The registrant can obtain this basically in one of two
ways:
Option A: Auditing their Provider
Option B: Reliance on a SAS 70 Type II Report
5. Option A: Audit the Provider
On an annual basis, each registrant will send a team into the
Provider to conduct walkthroughs of controls and perform
testing of the control environment by selecting samples and
reviewing evidence
This is an additional burden to the registrant and the
Provider:
Registrant needs to absorb cost and utilise resources to perform this
work every year
Provider’s operation is disrupted through gathering evidence and
employee efforts are diverted from their normal responsibilities
This burden is compounded for the Provider due to the fact that each
registrant needs to send their own team in to perform the work
The registrant’s outside auditor may also need to perform their own
testing at the Provider which adds to cost and employee efforts
6. Option B: Reliance on a SAS 70
Type II Report
The Provider hires an outside audit firm to perform an annual
SAS 70 audit
The audit firm reviews the Provider’s control objectives and
tests control activities that support those objectives
A report is issued by the audit firm which can be used by the
Provider’s clients and their auditors
7. Disadvantages of Not
Obtaining a SAS 70 Report
Multiple auditors visiting the Provider’s site and requiring
evidence of a secured control environment
Extensive disruption of daily operations in order to comply
with individual client requests (i.e. preparation of reports to
satisfy clients and their auditors)
Potential loss of clients due to lack of evidence of an
effective control environment
Limited potential to attract new clients who require a SAS 70
Audit to be performed
8. Benefits of SAS 70 Type II
Report
One set of auditors coming in to perform testing rather than
multiple teams from different clients
Cost savings through minimal disruption of daily operations
so employees can focus on the business
Retention of clients through giving them the assurance that
they need: evidence of a valid internal control environment
Very effective as a marketing tool to attract new business
and expand operations
Given the fact that a global convergence of standards /
compliance requirements is occurring (i.e. IFRS), a SAS 70
Report will enhance the readiness of the Provider to meet
these requirements and give them a distinct edge over
competition
9. Where do we start?
The most cost effective way to determine if your
entity is ready for a SAS 70 Audit is through the
performance of a SAS 70 Readiness
Assessment
An external independent party will conduct interviews,
review established Control Objectives and supporting
Activities and examine sample evidence to support the
Activities
A report will then be finalised and findings will be
communicated to Management
Based on findings, action plans may need to be
developed in order to enhance the control environment
10. MP Consulting
Michael Potorti, a US Certified Public Accountant and former Big 4 Audit
Manager, is the Managing Director of MP Consulting, a London and New
York based company focused on helping companies with the
development and enhancement of Internal Control Structures, Sarbanes
Oxley (SOX) compliance and Internal Audit outsourcing. We have been
extensively involved in US and European Sarbanes-Oxley Projects for
multiple FTSE 100 and Fortune 500 entities. Our Industry experience
includes Oil/Gas, Manufacturing, Banking, Insurance, Service and
Technology (among others). We have consulted for both management of
companies and assisted Big 4 firms with external audits. We have given
seminars on effective internal controls and have helped companies with
US SOX compliance since the law was passed in 2002.
11. For further information please contact:For further information please contact:
Michael Potorti CPAMichael Potorti CPA
DirectorDirector
MP ConsultingMP Consulting
michaelp@mpconsultingltd.commichaelp@mpconsultingltd.com
Tel. : +44 (0)7914 191455Tel. : +44 (0)7914 191455
www.mpconsultingltd.comwww.mpconsultingltd.com