SAS 70 (Statement on Auditing Standards No. 70) - PowerPoint PPT Presentation

Provided by: Walk218

1
SAS 70 (Statement on Auditing Standards No. 70)
  • Kelley Piner
  • Charles Roberts
  • Ashley Walker

2
What is SAS 70?
  • SAS 70 is produced as a result of an audit
    performed by a CPA to report on the processing of
    transactions by a service organization
  • Over time this has changed: the reports are now
    used as a means for service organizations to provide
    independent validation and assurance to potential clients
  • It allows the third-party service provider to
    have one audit and share the results with all of
    its clients

3
Candidates for SAS 70 Audits
  • Claims processing centers
  • Trust/benefit plan administrators
  • Data centers
  • Application service providers
  • Payroll processors
  • Internet service providers

4
SAS 70 Certified Advantages: Benefits to Service
Organizations
  • Unqualified opinions demonstrate that your
    organization has effective controls
  • Decreases business interruption by removing other
    audits throughout the year for purposes of
    satisfying user organizations
  • The primary benefit to a company is that it
    eliminates the need for the company to perform
    its own audit of each of its third-party service
    providers' internal controls
  • Ability to leverage SAS 70 certification into a
    market differentiator against existing
    competitors who are vying for outsourcing
    contracts from user organizations

5
SAS 70 Certified Advantages: Benefits to User
Organizations
  • User organizations are able to gain a greater
    understanding and assurance of the internal
    controls in place at service organizations
  • Shows that they have taken steps in developing
    and implementing controls throughout the
    identified platform being used to process
    transactions for user organizations
  • Type I and II reports assist the external auditors
    of user organizations by cutting down on the time
    and costs of having to inquire on controls at
    service organizations

6
Why SAS 70 audits are unique
  • The scope of the engagement and the voluminous
    amount of information included in the final
    service auditor's report
  • SAS 70 auditors focus on general and application
    controls, as well as operational and Human
    Resources issues, security guidelines and
    business continuity plans
  • Only a CPA or accounting firm can sign off and
    issue a SAS 70 service auditor's report
  • Only a seasoned accountant should be considered
    as a primary source for SAS 70 engagements

7
Difference between Type I and Type II Engagements
  • Type I reports are issued for a specific date and
    are limited to an inquiry into and observation of
    the controls
  • Type II reports are issued after a minimum
    six-month testing period has been completed and
    are focused on the operating effectiveness of
    controls
  • Type I consists of inquiry into and observation
    of controls
  • Type II would include testing of controls

8
Type I vs. Type II Reports

| Information | Type I | Type II |
|---|---|---|
| SAS 70 Service Auditor's Report | Required | Required |
| Description of Controls | Required | Required |
| Information provided by the service auditor (a detailed listing of controls and testing of operating effectiveness) | Optional | Required |
| Information provided by the service organization | Optional | Optional |
| User organization control considerations (controls that user organizations have in place) | Optional | Optional |

9
Organizational areas to be audited
  • The identified platform or platforms that are
    being used to conduct outsourcing activities
    related to user organizations is what will be
    audited
  • Several operational general controls will also be
    observed
  • This is done to gain a better understanding of
    the corporate tone of the organization
  • A SAS 70 audit is looking at a service
    organization that implements controls throughout
    various levels of its company, not just the
    identified platform being targeted by a SAS 70.

10
Audit Process
  • Type I
  • Auditor studies the general and application
    controls then lists opportunities for improvement
    with proposed remediation and documents
  • If control remediation is necessary, a time frame
    can be provided to correct or strengthen the
    various internal controls
  • CPA concludes the field work by doing a final
    walk-through and examination of the controls,
    then issues the report

11
Audit Process (continued)
  • Type II
  • Minimum of six-month design review and testing of
    the general and application controls
  • Auditor works with employees to review controls,
    test their effectiveness, and correct those that
    require remediation
  • Report is then issued

12
Industry standards used during SAS 70 auditing
  • Control Objectives for Information and Related
    Technology (COBIT)
  • Committee of Sponsoring Organizations of the
    Treadway Commission (COSO)
  • ISO 17799
  • Federal Financial Institutions Examination
    Council (FFIEC)

13
Documentation of SAS 70 Certification
  • Independent Service Auditor's Report: unqualified
    or qualified opinion
  • Elements of Internal Control: control
    environment, risk assessment, control activities,
    information and communication, monitoring
  • Systems development life cycle (SDLC) and change
    management: design cycle, development cycle,
    testing cycle, production cycle, and maintenance
    cycle

14
Documentation of SAS 70 Certification (continued)
  • General computer controls: logical security,
    physical security, environmental security,
    network security, and computer operations
  • Application controls: primary function is to
    ensure the completeness and accuracy of the
    records and the validity of the entries made from
    processing
  • Other material: information provided by the
    service auditor, information provided by the
    service organization, and client control
    considerations

15
Certification and Recertification
  • The report is valid for one full calendar year
    for both Type I and Type II
  • Type I: if the report is dated July 1, 2004, it
    is valid until July 1, 2005
  • Type II: if a report was issued that covered the
    period from June 1, 2004 to November 30, 2004, the
    report is valid until November 30, 2005
