SAS 70 Audit Services

Providing control assurance for Service Providers
Statement on Auditing Standards No. 70: Service Providers, commonly referred to as SAS 70, is an auditing standard controlled by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA). SAS 70 defines the professional standards used by external auditors (certified public accounting firms) to assess the design and operating effectiveness of the controls a service provider uses in delivering its services to clients, and for the external auditor to render an opinion on the effectiveness of, and the reliance that can be placed on, those controls.
Service providers are typically entities that provide outsourcing services that materially impact the control environment of their clients, usually with respect to the source, control or management of client financial reporting data. Examples of service providers are business process and IT outsourcing providers, insurance and medical claims processors, trust companies, hosted data centers, application service providers (ASPs), managed security providers, credit processing organizations and clearinghouses. There are two types of SAS 70 reports.
A Type I service auditor's report includes the external auditor's opinion on the fairness of the presentation of the service provider's description of the controls that have been placed in operation, and on the suitability of the design of those controls to achieve the specified control objectives. A Type II external auditor's report includes the information contained in a Type I external auditor's report and also includes the external auditor's opinion on whether the specified controls were operating effectively during the period under review.
WGA's team of experts is made up of individuals with Big 4 risk consulting backgrounds and cross-industry hands-on experience. Our professionals work with you to evaluate your company's compliance requirements and to design and implement a regulatory compliance program that uses technology solutions to monitor, review, report and detect weaknesses.
SAS 70 Type I and Type II Audit/Certification
A Type I "Service Auditor's Report", also known as a "Report on Controls Placed in Operation", provides third-party assurance regarding the controls that our customer has implemented in their organization. In a Type I SAS 70 audit, testing procedures to evaluate the operating effectiveness of the customer's controls are not required; this is the primary difference between Type I and Type II SAS 70 audits. Customers considering the need for periodic Type I SAS 70 audits are typically:

- Customers looking to use a SAS 70 Type I report for marketing purposes.
- Customers providing services to companies that are impacted by the Sarbanes-Oxley Act of 2002 or other regulatory compliance requirements.
- Service Providers whose services or supporting products are considered to be a material component of their customers' financial reporting or operations.

WGA's unique non-attestation SAS 70 Readiness Services are focused on assisting our customers with designing and implementing a cost-effective control framework that will support a SAS 70 Type I audit report.
Type II SAS 70 Audit Reports include all the components of a Type I SAS 70 Audit Report together with an independent evaluation of the "Report of Controls Placed into Operation and Tests of Operating Effectiveness". A Type II SAS 70 Audit Report is also commonly known as a "Service Auditor's Report". A Type II SAS 70 Audit Report is the standard type of report that a company's external auditor will require if the services being provided by the Service Provider are considered material. Customers considering the need for periodic Type II SAS 70 audits are typically:

- Customers that are contractually required to receive a periodic unqualified attestation report from an authorized Public Accounting firm.
- Service Providers whose services or supporting products are considered to be a material component of their customers' financial reporting or operations.

WGA's unique non-attestation SAS 70 Type II Readiness Services are structured to fast-track this audit process and typically include at least two iterative testing phases to ensure the design and operating effectiveness of the customer's control objectives and activities. SAS 70 Type II Readiness Services are typically structured over a six-month period to ensure that sufficient control evidence is produced and evaluated before an external auditor is engaged to render an attestation and the SAS 70 Type II audit report.
How WGA Can Help

As former executives, WGA's core practice team members were responsible for information assurance services at multinational financial institutions, telecommunications firms, and other organizations where data security and privacy were paramount. We will assess the current environment, identify potential weaknesses, and assist you in addressing any areas of concern.
Gone are the days when protecting client information was as simple as locking your doors. Computers must be properly secured, and even backup media must be safeguarded at all times, including during transit to offsite storage facilities, to ensure they do not end up in the wrong hands. Whether you'd like independent verification of the effectiveness of your current security and privacy controls or you need a framework developed specifically for your organization, you can trust WGA to provide you with the expertise you need to protect your most valuable information assets.
To find out more about WGA's work in this capability area, please contact the practice.
Perspectives

"Post JSOX and Sarbanes-Oxley, Service Providers are consistently under pressure to maintain and demonstrate the effectiveness of internal controls supporting their services. SAS 70 Type II audits are the best method for control assurance."

Mark, Partner, WGA Texas
©2000-2010, WGA Consulting, LLC. All Rights Reserved
Statement on Auditing Standards No. 70: Service Organizations, commonly abbreviated as SAS 70, is an auditing statement issued by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA), officially titled “Reports on the Processing of Transactions by Service Organizations”. SAS 70 defines the professional standards used by a service auditor to assess the internal controls of a service organization and issue a service auditor’s report. Service organizations are typically entities that provide outsourcing services that impact the control environment of their customers. Examples of service organizations are insurance and medical claims processors, trust companies, hosted data centers, application service providers (ASPs), managed security providers, credit processing organizations and clearinghouses.

There are two types of service auditor reports. A Type I service auditor’s report includes the service auditor's opinion on the fairness of the presentation of the service organization's description of controls that had been placed in operation and the suitability of the design of the controls to achieve the specified control objectives. A Type II service auditor’s report includes the information contained in a Type I service auditor's report and also includes the service auditor's opinion on whether the specific controls were operating effectively during the period under review.
This is similar to the United Kingdom guidance provided by the Audit and Assurance Faculty of the Institute of Chartered Accountants in England and Wales. The technical release is titled AAF 01/06, which supersedes the earlier FRAG 21/94 guidance.
Changing uses of the SAS 70

Over the last few years, the use of the SAS 70 audit has migrated to be used in non-traditional ways. Service organizations providing services to companies in the financial services industry are being required to have a SAS 70 review conducted to comply with Gramm-Leach-Bliley Act (GLBA) requirements. Service organizations which provide services to healthcare companies are asked by their clients to have a SAS 70 audit conducted to ensure a third party has examined the controls over the processing of healthcare information due to its sensitivity. Some companies utilize the SAS 70 audit to have third party validation of their proposal or marketing material despite the more appropriate application of the Trust Principles in a Systrust or WebTrust audit and seal.

Users of SAS 70 audit reports
Traditionally, service auditor reports are primarily used as auditor-to-auditor communication. The auditors of the service organization’s customers can use the service auditor’s report to gain an understanding of the internal controls in operation at the service organization. Additionally, Type II service auditor reports can be used by the user organizations’ auditors to assess internal control risk for the purposes of planning and executing their financial audit. Service auditor reports are growing in popularity and are being used by customers, prospective customers and financiers to gain an understanding of the control environment of outsourcing companies. In some cases, these third parties are not authorized users of the reports, but still use the report as third party independent verification that controls are in place and are operating effectively.

Every Service Auditor’s report contains an auditor’s opinion letter. The opinion letter is required to contain a paragraph that defines the authorized user of the report. Use of the report is typically restricted to the service organization’s management, its customers, and the financial statement auditors of its customers. Typically, a statement in the final paragraph states: “This report is intended solely for use by the management of XYZ Service Organization, its user organizations, and the independent auditors of its user organizations.” On rare occasions, it may be necessary to change this paragraph to limit its use to a specific third party, which may or may not be a user organization. It is never appropriate to modify this statement to include as authorized users of the report the financial statement auditors of the service organization. There are other methods that should be applied for the financial statement auditors to obtain the type of information included in the SAS 70 report about their client, which may include the sharing of workpapers between the financial statement auditors and SAS 70 auditors.

Audit frequency
Type I audits are typically performed no more than once per year; however, there is no technical reason for this practice. In fact, many companies use the Type I audit as a primer and tend to move on to a Type II audit for the purposes of subsequent audits. Sarbanes-Oxley Act (SOX) provisions that require a Type II audit have made this a very common practice. Type II audits are also typically performed once per year; however, a small percentage of companies undergo multiple Type II audits during any 12-month period. There is no technical guidance that states, or even recommends, a Type II audit frequency requirement. It is generally expected that the frequency will be no less than once per year. The SAS 70 audit guide recommends, but does not require, that Type II examination periods be at least six months in length. Companies generally choose a review period between six and 12 months. There is no requirement or recommendation that the examination period fall completely within the calendar year. SAS 70 audits are performed throughout the calendar year.

Each service organization is responsible for making its own decisions regarding the type of audit it undergoes, the timing of the audit, and, in the case of a Type II audit, the review period of the audit. User organizations will desire a Type II audit report that has an examination period with as many months as possible falling within their own fiscal year and an examination period end date that is within three months of their fiscal year end. Most service organizations have many user organizations and often cannot satisfy all of their clients if they only perform one audit per year, regardless of the length of their review period. For example, a company could have a 12-month Type II SAS 70 audit review period ending 12/31. This report would be less than ideal for clients with 6/30 fiscal year-ends because it will be six months "old" by that point in time. However, this issue does not render the report useless, and audit guidance and SOX guidance provide specific directions for dealing with this common situation when it occurs.

Type I and Type II SAS 70 audit differences
Type I SAS 70 audits opine on controls that are in place as of a date in time. The opinion deals with the fairness of presentation of the controls and the design of the controls in terms of their ability to meet defined control objectives. Since these reports only provide assurance over a single day, they are of limited value to third parties. Type II SAS 70 audits opine on controls that were in place over a period of time, which is typically a period of six months or more. The opinion deals with the fairness of presentation of the controls, the design of the controls with regard to their ability to meet defined control objectives, and the operational effectiveness of those controls over the defined period. Third parties are better able to rely on these reports because a verification is provided regarding these matters for a substantial period of time.
SAS 70 and Sarbanes-Oxley Act

With the introduction of the Sarbanes-Oxley Act (SOX), SAS 70 took on increased importance. SOX adopted the COSO model of controls, which is the same model that SAS 70 audits have used since inception. SOX heightened the focus placed on understanding the controls over financial reporting and identified a Type II SAS 70 report as the only acceptable method for a third party to assure a service organization's controls. Security "certifications" are excluded as acceptable substitutes for a Type II SAS 70 audit report. Audit Standard 2, available on the PCAOB's (www.pcaobus.org) website, details how a SAS 70 audit should be used in relation to SOX.

Section 5970 report

In Canada, a similar report known as a Section 5970 report may be issued by a service organization auditor. It usually gives two separate audit opinions on the controls in place. Furthermore, it may also give an opinion on the operating effectiveness over a period. These reports tend to be quite long, with descriptions of the controls in place.