SAS 70 AUDIT SERVICES

Overview of SAS 70

Statement on Auditing Standards No. 70, Service Organizations (SAS 70), is a widely recognized auditing standard developed by the American Institute of Certified Public Accountants. The SAS 70 examination is an in-depth audit of a service organization’s controls, which allows the company receiving the audit to demonstrate to outside parties that their internal controls are designed and operating effectively. SAS 70 audits are crucial to many service organizations for retaining customers and obtaining new business.

In today’s global economy, service providers must demonstrate that they have adequate controls and safeguards when they host or process data belonging to their customers. In addition, the requirements of Section 404 of the Sarbanes-Oxley Act of 2002 make SAS 70 audit reports even more important to the process of reporting on the effectiveness of internal control over financial reporting.

SAS 70 is the authoritative guidance that allows service organizations to disclose their control activities and processes to their customers and their customers’ auditors in a uniform reporting format. The issuance of a Service Auditor’s Report prepared in accordance with SAS 70 signifies that a service organization has had its control objectives and control activities examined by an independent accounting and auditing firm. The Service Auditor’s Report, which includes the service auditor’s opinion, is issued to the service organization at the conclusion of a SAS 70 examination.

Service Auditor’s Reports

One of the most effective ways a service organization can communicate information about its controls is through a Service Auditor’s Report. There are two types of Service Auditor’s Reports: Type I and Type II.

A Type I report describes the service organization’s description of controls at a specific point in time (e.g. June 30, 2008). A Type II report not only includes the service organization’s description of controls, but also includes detailed testing of the service organization’s controls over a minimum six month period (e.g. January 1, 2008 to June 30, 2008).

In a Type I report, the service auditor will express an opinion on (1) whether the service organization’s description of its controls presents fairly, in all material respects, the relevant aspects of the service organization’s controls that had been placed in operation as of a specific date, and (2) whether the controls were suitably designed to achieve specified control objectives.

In a Type II report, the service auditor will express an opinion on the same items noted above in a Type I report, and (3) whether the controls that were tested were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives were achieved during the period specified.

Benefits to the Service Organization

Service organizations receive significant value from having a SAS 70 engagement performed. A Service Auditor’s Report with an unqualified opinion that is issued by an independent accounting firm differentiates the service organization from its peers by demonstrating the establishment of effectively designed control objectives and control activities. A Service Auditor’s Report also helps a service organization build trust with its user organizations (i.e. customers).

Without a current Service Auditor’s Report, a service organization may have to entertain multiple audit requests from its customers and their respective auditors.  Multiple visits from user auditors can place a strain on the service organization’s resources.  A Service Auditor’s Report ensures that all user organizations and their auditors have access to the same information and in many cases this will satisfy the user auditor’s requirements.

Internal Control Overview

Service organizations are permitted to disclose their control objectives and activities in any manner they see fit.  However, for a SAS 70 audit engagement to be of maximum benefit to the user organizations (i.e. customers) and their auditors, the service organization should disclose their controls in a manner that satisfies the user auditor’s requirements.  To do this, the service organization’s description of controls should address five key components of internal control as defined in SAS No. 55, Consideration of Internal Control in a Financial Statement Audit:

1.Control Environment sets the tone of an organization, influencing the control consciousness of its people. The control environment is the foundation for all other components of internal control, providing discipline and structure.

2.Risk Assessment is the entity’s identification and analysis of relevant risks to the achievement of its objectives, forming a basis for determining how the risks should be managed.

3.Control Activities are the policies and procedures that help ensure that management directives are carried out.

4.Information and Communication is the identification, capture, and exchange of information in a form and time frame that enable people to carry out their responsibilities.

5.Monitoring is the process that assesses the quality of internal control performance over time.

The K Financial Advantage

K Financial is a licensed Certified Public Accounting firm, registered with the American Institute of Certified Public Accountants. Our CPAs who focus on SAS 70 examinations are also trained and experienced IT auditors. We have developed and follow an efficient and effective SAS 70 audit methodology that enables us to deliver services at significantly lower rates than our competitors. In accordance with professional standards, we maintain our independence throughout the SAS 70 audit process, but we pride ourselves on taking a much more consultative approach to SAS 70 audits than our competitors. We recognize that the SAS 70 standard may be confusing to our customers and the audit process may be intimidating. Therefore, all of our engagements are staffed with seasoned professionals who are able to help our clients define their control objectives and document their control activities in order to stream-line the audit process. Our services also generally include valuable recommendations to improve the overall internal control structure.