Frequently Asked Questions About SAS 70

In response to the common SAS 70 inquiries we’re receiving from leaders of organizations in all of the industries we serve, we’ve summarized our answers to the top questions. Get your basic and advanced questions answered below.

What is SAS 70?
Developed by the American Institute of Certified Public Accountants (AICPA), the acronym SAS stands for Statement on Auditing Standards. Certified Public Accounting (CPA) firms must follow these rules set forth by the AICPA when conducting an audit of a company’s financial statements.

SAS No. 70, Service Organizations (often referred to as SAS 70) contains the rules for conducting an audit of a service organization’s internal controls and issuing a Service Auditor’s Report. Service auditors are required to follow this auditing statement when conducting a SAS 70 audit.

The primary objective of the Service Auditor’s Report (auditor’s opinion) is to provide the reader with information about the internal controls and security practices at a service organization. The role of the CPA firm (service auditor) is to perform tests in order to provide independent assurance about the accuracy and adequacy of the service organization’s description of its controls.

There are two types of Service Auditor’s Reports available:

  • Type I (reports on controls in operation)
  • Type II (reports on controls in operation and tests of operating effectiveness)

What are the differences between the Type I and Type II Service Auditor’s Reports?
The important distinction between the two types of SAS 70 reports is the level of testing, and therefore, the level of assurance the SAS 70 report provides.

The auditor’s report is directed at the description of controls provided by the service organization. In a Type I report, the auditor’s opinion states that the description is reasonably accurate, the controls described are suitably designed to achieve specified control objectives, and the controls have been implemented as of a specified date. This opinion is therefore a “point in time” opinion.

The Type II report offers more assurance because, in addition to stating that the description is reasonably accurate, the controls described are suitably designed to achieve specified control objectives, and the controls have been implemented, the auditor’s opinion also states that the controls described operated effectively over a specified period of time. The time period specified is typically six months to a year. Obviously, the marketplace greatly prefers the increased level of assurance offered in a Type II report.

What is a service organization?
Service organizations are otherwise known as outsourced data centers. They are organizations hired by another entity to process transactions and data, which are usually confidential. Service organizations are part of the users’ internal control. Examples include companies that perform services in the following areas:

  • Accounting
  • Benefits
  • Billing
  • Clearing house
  • Collection
  • Finance
  • Insurance
  • Investment
  • Information technology (IT)
  • Market research
  • Payroll

What is the history of SAS 70?
The AICPA established SAS 70 in response to a huge market shift toward outsourcing data processing. This shift in business operations put a significant portion of a company’s internal controls into the hands of the service organization they hired to process their transactions. Service organizations found themselves responding to multiple audit requests from their clients and their respective auditors, which strained their resources.

SAS 70 eliminated the need for these repeated audits: one audit firm now audits the service organization’s internal controls, and the auditors of the service organization’s customers (user organizations) can rely on that single audit.

How is SAS 70 related to the Sarbanes-Oxley Act?
After several public companies were charged with fraud and negligence, the Sarbanes-Oxley Act of 2002 (SOX) was implemented. Section 404 of SOX requires independent auditors to assess and express an opinion on the effectiveness of their clients’ internal controls over financial reporting, including service organization controls.

Internal controls are the safeguards companies apply to ensure that financial reporting is reasonably accurate and free of significant misstatements, errors, and fraud. They include business process controls and IT security practices.

Many public companies outsource functions of their business to third parties (service organizations). Frequently those functions constitute a key element of the financial reporting process. Therefore, the service organization must be included in the SOX 404 assessment.

What industries are requesting SAS 70 services?
Since the downfall of Enron, there has been an outcry for more sound governance practices. The impact of SOX has resulted in pressures on service organizations to obtain a SAS 70 audit. Any organization (large or small, for-profit or nonprofit) that has a financial statement audit and uses a service organization could benefit from obtaining a SAS 70 report from that service organization for its own auditor. If applied correctly, the report shows evidence of financial reporting controls and the safeguarding of confidential information.

Many industries are now requiring vendors to obtain SAS 70 audits, including banking, construction and real estate, dealership, health care, insurance, nonprofit and government, manufacturing and distribution, trucking and transportation, etc.

Not only has SOX affected the banking and health care industries, but lately these industries have received a lot of negative attention for being targets of cyber thieves who use their confidential data for fraud and identity theft. Naturally, the regulatory environment is becoming stricter. Those with fiduciary responsibilities must take their roles very seriously and establish the policies necessary to mitigate risks.

Alarmed by the growing number of data and identity thefts, banking and health care regulators are focusing on vendor management. Financial institutions and health care providers are required to know more about the security and privacy practices of the companies they are outsourcing business functions to (service organizations).

Many regulations have been implemented to address the threats to banking and health care data and information system vulnerabilities. And the government is following up to make sure organizations are in compliance. For example, the Centers for Medicare & Medicaid Services (CMS) plans to conduct security audits in 2008 to check for compliance with the Health Insurance Portability and Accountability Act (HIPAA) of 1996.

What are the benefits of SAS 70 to a service organization?
Service organizations receive significant value from the performance of a SAS 70 engagement:

  • A SAS 70 audit provides assurance for SOX, bank regulators, HIPAA, user organizations, and more.
  • Very often, the SAS 70 engagement results in the identification of opportunities for improvements in operational areas. SAS 70 can dramatically improve your internal control—resulting in minimized risk of error, irregularities, and fraud.
  • A SAS 70 audit with an unqualified opinion can be used as a marketing tool to show potential customers you are committed to the development of sound internal safeguards and business practices. SAS 70 can differentiate you from your peers.
  • Without a Service Auditor’s Report, service organizations may have to respond to multiple audit requests from their clients and their respective auditors, which will strain resources. A SAS 70 report will ensure that all user organizations and their auditors have access to the same information and in many cases will satisfy the user auditor’s requirements.

What are the benefits of SAS 70 to a user organization?
User organizations that obtain a Service Auditor’s Report from their service organizations receive a detailed description of the service organization's controls and an independent assessment of whether the controls were placed in operation, suitably designed, and operating effectively (in the case of a Type II report). User auditors will use this information when obtaining a sufficient understanding of controls to assess the risk of material misstatement of the financial statements.

User organizations should provide a Service Auditor's Report to their auditors. This will greatly assist the user auditor in planning the audit of the user organization's financial statements. Without a Service Auditor's Report, the user organization would likely incur additional costs sending their auditors to the service organization to perform their required procedures.

What types of organizations can provide SAS 70 services?
Only an independent, licensed CPA firm can conduct SAS 70 audit services, and when doing so they are required to follow the professional standards developed by the AICPA.

Final reports must be reviewed and issued by a licensed CPA; however, public accounting firms are permitted to utilize the skills of non-CPA professionals as part of the SAS 70 engagement team. Typically, non-CPA professionals are relied upon for their specialized information security certifications.

What should a service organization look for in a service auditor?
Any CPA firm can offer SAS 70 audit services; however, service organizations should seek out firms with SAS 70 experience and the staff to provide the services.

Service organizations should be thoughtful in choosing a CPA firm for SAS 70 services. Look for personnel with a combination of accounting, auditing, and information security credentials including Microsoft Certified Professional (MCP), Citrix Certified Administrator (CCA), Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), and CPA.

Where do service organizations begin if they’ve never had a SAS 70 audit?
Service organizations that have never had a SAS 70 audit usually start off with a pre-assessment consulting engagement. The pre-assessment is designed to determine whether the existing control environment is robust enough to pass the “suitably designed” component of the auditor’s opinion. Two key components of the pre-assessment are documenting descriptions of the internal controls and identifying control deficiencies. Since many organizations lack extensive written policies and procedures, this is not a trivial task and is typically the most time-consuming and expensive part of the SAS 70 audit.

Service organizations with a control framework have an advantage because in many cases, it provides the process and control documentation necessary to minimize the effort often required in the pre-assessment phase. (Also read the answer to the question, “What are the benefits of a control framework?”)

What is included in a typical first-time SAS 70 project?
If a service organization has never had a SAS 70 audit, the first-time project would include:

  • Pre-assessment (Also read the answer to the question, “Where do service organizations begin if they’ve never had a SAS 70 audit?”)
    • Identify control objectives
    • Obtain a description of controls relevant to achieving objectives
    • Assess the accuracy of the description of the controls
    • Identify gaps
    • Develop a gap remediation strategy
    • Develop a written description of controls
  • Remediation
    • Institute improved controls to address gaps identified in the pre-assessment
  • SAS 70 audit
    • Type I or II

What are the benefits of a control framework?
A control framework assists with the development of the control objectives. In many cases, it provides the process and control documentation necessary to minimize the effort required in the pre-assessment phase.

A framework also provides the users of the SAS 70 report a reliable, repeatable method to objectively measure the controls put in place by the service organization. By comparing the control objectives and activities reported by the service organization to those contained in the framework, the users can get an improved sense for the completeness of controls reported.

Do you recommend the COSO, COBIT, or ISO 17799 framework?
There are three widely recognized and distributed control frameworks: COSO, COBIT, and ISO 17799.

LarsonAllen believes the COBIT framework is the most useful control framework for SAS 70 reporting. COBIT’s framework maps well to COSO, and public accounting firms that audit the financial statements of public companies understand it. For these reasons, using COBIT for SAS 70 assessments is especially useful for the internal control reporting requirements contained in SOX 404.

What is SAS 70 certification?
Technically, there is no such thing as a SAS 70 certification because a SAS 70 audit states an auditor’s opinion on a service organization’s internal controls and security practices for a specific period of time. However, it’s common in the marketplace to refer to a SAS 70 audit as SAS 70 certification.

How often should SAS 70 audits be performed?
A Service Auditor’s Report is typically valid for six months to one year from the date it’s issued. The majority of service organizations that engage service auditors to conduct SAS 70 audits have them done on an annual basis.

How are SAS 70 audit reports distributed?
The distribution of a SAS 70 report is usually restricted. The plan for distributing the SAS 70 audit report should be formally agreed upon in the engagement letter between the service organization and the service auditor.

Service Auditor’s Reports are generally distributed in three ways:

  • A service auditor will distribute a Service Auditor’s Report to the audited service organization at the close of a SAS 70 audit.
  • The service organization will provide copies of the Service Auditor’s Report to its customers (the user organizations that outsourced business functions to it), who are required to show the SAS 70 report to their own auditors.
  • The service organization will likely use the Service Auditor’s Report as a marketing tool to differentiate its organization from the competition.

How can service organizations use SAS 70 as a marketing tool?
A SAS 70 audit with an unqualified opinion can be used as a marketing tool. Some service organizations are marketing their audits in proposals, email signatures, press releases, Web site materials, direct mail, giveaways, brochures, etc.

For more information, contact us or learn about our SAS 70 audit services.

© 2000-2008 LarsonAllen LLP