Untitled Document

SAS 70 Frequently Asked Questions [ PDF ]
By Eugene T. Tyrrell, CISSP

What is a SAS 70 examination?

SAS 70 is the American Institute of Certified Public Accountants (AICPA) Statement on Accounting Standard (SAS) number 70. Also referred to as a service auditor’s examination, a SAS 70 reports on a service organization’s internal controls and safeguards when they host or process data belonging to their customers.

Is this a new standard?

No. The SAS 70 was adopted by AICPA as a standard in 1992. However, increased outsourcing and the visibility of control requirements introduced in Section 404 of the Sarbanes-Oxley Act of 2002 have fueled a renewed interest in SAS 70 examinations.

How has Sarbanes-Oxley impacted the demand for SAS 70 examinations?

SOX was enacted to rebuild investor’s trust in the financial reporting of public companies. Inherent in improved financial reporting is the assurance of reliable and robust internal controls throughout the organization’s financial systems. SOX clearly states that the outsourcing of a business process does not relieve the user organization of the responsibility to ensure adequate controls over the business process. As a result many companies are relying on the SAS 70 standard to evaluate the robustness of controls at service organizations

Today, companies need to be assured that their service providers have implemented controls over business processes and information technology. A SAS 70 audit is the de facto standard for demonstrating the existence and effectiveness of internal controls at a service organization.

Can you explain the process at the 50,000 foot level?

A SAS 70 is an audit engagement that reviews and tests the effectiveness of a provider’s internal controls based on the AICPA Statement of Accounting Standards No. 70. The deliverable of the engagement is the Service Auditor’s Report. In general the service auditor’s report may contain:

Independent Service Auditors opinion
Description of Controls in place at the service organization
Description and results of tests for the effectiveness of controls

What is the difference between a SAS 70 Report and a Service Auditor’s Report?

There is no difference. The terms are interchangeable.

What type of entities are candidates for SAS 70 reviews?

Any company that provides the following services to another organization:

Executes and maintains accountability of transactions
Records transactions and processes information
Impacts the client’s financial reporting

Typical service companies include application service providers, managed security providers, trust departments, claims processors, clearinghouses, credit processing companies, application service providers, and data hosting facilities,

What are the benefits of a SAS 70 certification?

There are benefits for both the service organization and the user organization. For the service organization an unqualified SAS 70 opinion:

Demonstrates that the organizations controls over processes, infrastructure and applications have been reviewed and deemed effective by an independent third party.
Provides a competitive advantage in the market place. User organizations are more likely to retain services of organizations that have formally established the effectiveness of their internal controls.
Provides a single seal of approval that can be provided to multiple user organizations. Thereby freeing up resources that would otherwise be allocated to responding to individual audit requests and questionnaires from each user organization.

For the user organization an unqualified SAS 70 opinion:

Provides the user organization reasonable assurance that service organization has established internal controls that are operating effectively.
Provides insight into the nature of the service organization’s controls and an independent party’s assessment of their effectiveness.
Alleviates the burden and cost of performing their own audit on the service organization.

Will I be at a disadvantage if my competitors achieve certification before I do?

A SAS 70 examination establishes that the controls of a service provider have been examined by an independent audit firm. An unqualified SAS 70 opinion can distinguish a provider from its competitors. In head to head comparison a user organization is likely to be more comfortable selecting a service organization that has substantiated the existence of robust controls through a SAS 70 examination.

In most cases, a SAS 70 is likely to be a significant differentiator. In fact, many companies are successfully using SAS 70 as a marketing tool.

What is the difference between a Type I and Type II service auditor’s report?

A Type I report includes the service organization’s description of its controls and objectives, and an auditor’s opinion on the suitable design of the controls in meeting the specified objectives. The Type I report reflects an opinion at a specified point in time.

A Type II report, in addition to the Type I components includes a test and evaluation of the effectiveness of the internal controls. The Type II attests, with reasonable assurance, to the effectiveness of the controls in meeting the specified objectives over a period of time, typically six months.

What is the resource commitment to undertake a SAS 70 audit?

Resource commitments vary depending of the type of examination (Type I or Type II), the size of the organization and the current state of the control environment. A SAS 70 is a comprehensive examination of controls. Time will be spent reviewing documentation, interviewing personnel and observing and testing controls. The resource commitment can be optimized by establishing a team and providing the necessary documentation and resources on a timely basis.

What can a service organization do to prepare for a SAS 70 examination?

Effective preparation reduces the time spent on audit activities and increases the likelihood of a high quality and successful review. Service organization can take several steps in preparation for a SAS 70 examination:

Identify and document control objectives and related control activities.
Perform a Gap analysis of the control environment prior to the SAS 70 engagement.
Collect all relevant documentation and documents.
Engage the internal audit function to assist in pre-audit activities.
Designate a project leader and SAS 70 audit team.

Where can I find information relative to what is expected of a service organization’s controls?

Controls are specific to the service being provided and the objectives of the organization. Therefore, there is no formal, published standard for SAS 70 controls. However there are several generally accepted guidelines that can be useful in preparing for a SAS 70 examination.

Information Systems Audit and Control Association (ISACA) has developed a comprehensive framework of control objectives entitled ‘Control Objectives for Information and Related Technology’ (CobiT).
The IT Governance Institute has published a guide entitled ‘IT Control Objectives for Sarbanes-Oxley’.
The International Standards Organization (ISO) has published a comprehensive set of controls consisting of best practices in information security entitled ISO-17799.
The American Institute of Certified Public Accountants has published a guide for service organizations and auditors of service organizations entitled ‘Service Organizations: Applying SAS No. 70, as Amended: AICPA Audit Guide’.

How often do I have to perform a SAS 70 audit to keep it current?

Common practice is for the service organization to keep their SAS 70 current by conducting a formal review of its controls on an annual basis.

How can I learn more?

Polar Cove would be glad to answer your more specific questions. We may be contacted at +1.401.454.3939 or info@polarcove.com.