Statement on Auditing Standards (SAS) No. 70, Service Organizations - PowerPoint PPT Presentation

About This Presentation
Title:

Statement on Auditing Standards (SAS) No. 70, Service Organizations

Description:

Statement on Auditing Standards (SAS) No. 70, Service Organizations BADM 559 Final Project By: Kristina Morales Background In 1988, AICPA issued SAS 55 Independent ... – PowerPoint PPT presentation

Slides: 9
Provided by: Kristi217

Transcript and Presenter's Notes

Title: Statement on Auditing Standards (SAS) No. 70, Service Organizations


1
Statement on Auditing Standards (SAS) No. 70,
Service Organizations
  • BADM 559 Final Project

By Kristina Morales
2
Background
  • In 1988, AICPA issued SAS 55
  • Independent auditor required to review internal
    controls of both the user and service
    organization
  • Service organization: insurance and medical
    claims processors, hosted data centers, etc.
  • Too costly for service organizations; therefore,
    SAS 70 evolved
  • SAS 55 amended by SAS 94 in 2001
  • SAS 70 places emphasis on internal controls
    concerning information technology

User Auditor
SAS 70 AUDITOR
3
Purpose
  • To obtain an independent service auditor's
    report regarding the Operational and Technical
    Controls in place at a service organization,
    which may be relevant to the internal control
    structure and financial statement assertions of
    user organizations of that service organization.
  • - Walter Searcey, Business Advisory Services
    Manager of Grant Thornton LLP
  • Sarbanes Oxley increased the focus of SAS 70
    audit reports
  • Importance of reporting on the effectiveness of
    internal controls.
  • Provide Assurance

4
Benefits
  • Service Organization
  • User Organization
  • Provide management with insight into the
    effectiveness of its controls and areas for
    improvement
  • Eliminates repeat audits, which saves time and
    money
  • Provides independent assurance and builds trust
  • Able to meet contractual obligations and respond
    to regulatory inquiries
  • May control some audit costs
  • Help user auditors by already having information
    available to them
  • Satisfies client regulatory requirements
  • Provides a level of comfort over the processes
    outsourced

5
SAS 70 Audit Report
  • Two types of SAS 70 service reports: Type I and
    Type II
  • Management, the user organization, and/or the
    external auditors of the user organization can
    read the report to understand the service
    organization's controls and their effectiveness.

6
Real Life Approach
  • Grant Thornton's approach to SAS 70:
  • Phase I: SAS 70 Readiness Review
  • Understand business process and information
    technology within the SAS 70 scope
  • Phase II: Fair Representation and Suitability of
    Controls
  • Evaluate description of controls, suitability of
    the design of control activities and control
    objectives.
  • Phase III: Test and Observe
  • Validate the controls and apply tests of inquiry
  • Phase IV: Report and Attest
  • Develop and present either Type I or Type II
    report

7
SAS 70 International Counterparts
  • United Kingdom: Guidance titled AAF 01/06, which
    supersedes FRAG 21/94.
  • Provided by the Audit and Assurance Faculty of
    the Institute of Chartered Accountants in England
    and Wales.
  • Canada: Report titled Section 5970, which may be
    issued by a service organization auditor.
  • Generally entails 2 separate audit opinions on
    the controls in place and their operating
    effectiveness over a period.

8
Conclusion
  • Recently, the use of the SAS 70 audit has been
    applied in non-traditional ways.
  • Service organizations that provide services to
    financial companies are required to have a SAS 70
    review in order to comply with the
    Gramm-Leach-Bliley Act (GLBA).
  • Service organizations that provide services to
    healthcare companies are requested by their
    clients to have a SAS 70 audit to ensure that a
    third party has examined the controls over
    sensitive information.
  • Some companies actually propose a SAS 70 audit in
    order to have an independent party review a
    business proposal or marketing idea.