
Andrew E. Nolan PricewaterhouseCoopers LLP New York, NY

SAS 70 Update Fiduciary and Investment Risk Management Association, Inc. Anniversary National Training Conference Washington D.C. April 12, 2006. Andrew E. Nolan PricewaterhouseCoopers LLP New York, NY. Topics to be addressed. Brief SAS 70 primer Interplay of SAS 70 and SOX 404


Presentation Transcript


  1. SAS 70 Update. Fiduciary and Investment Risk Management Association, Inc. Anniversary National Training Conference, Washington D.C., April 12, 2006. Andrew E. Nolan, PricewaterhouseCoopers LLP, New York, NY

  2. Topics to be addressed
     • Brief SAS 70 primer
     • Interplay of SAS 70 and SOX 404
     • Trends in SAS 70 examinations

  3. SAS 70 Primer
     • SAS 70 “Service Organizations” – organizations that process transactions for other (user) organizations
     • SAS 70 pertains to controls over processing of financial transactions
     • SAS 70’s are utilized by user organizations and their auditors in connection with an audit of the financial statements of a user organization
     • 2 types of reports:
     • Type I – design of controls and whether placed in operation
     • Type II – Type I plus operating effectiveness
     • Generally 6 month coverage period
     • Sub-service organizations:
     • Organizations that provide services to a service organization
     • 2 methods of treatment SAS 70: 1) all inclusive; 2) “carve out”
     • E.g.’s of service organization – mutual fund transfer agent, custodian, investment advisor, fund accounting agent
     • E.g.’s sub-service organization – data center operator, pricing service

  4. Interplay of SAS 70 and SOX 404
     • SOX 404 – directs SEC to establish rules regarding annual reports of public companies to have an internal control report which shall:
     • State responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting
     • Contain an assessment of the effectiveness of internal control structure for financial reporting

  5. Interplay of SAS 70 and SOX 404
     • SOX 302 – directs SEC to establish rules for periodic reports of public companies requiring CEO and CFO to each certify that
     • The signing officer has read the report
     • The report does not contain any untrue statement or omit any material fact
     • The financial statements are fairly presented
     • The signing officers
     • Are responsible for maintaining internal controls
     • Have designed controls to make material facts known to such officers
     • Have evaluated effectiveness of controls within 90 days prior to the report
     • Have presented in the report conclusions on effectiveness of controls
     • Have disclosed to the audit committee all significant deficiencies, fraud involving management who have a significant role in controls
     • Have disclosed whether there were any significant changes in controls, including corrective actions

  6. Interplay of SAS 70 and SOX 404
     • PCAOB – AS 2 “An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements”
     • Use of service organization does not reduce management’s responsibility to maintain effective internal control over financial reporting
     • If SAS 70 Type II report available, management of the user organization and the user auditor may evaluate whether the report provides sufficient evidence to support management’s report and opinion
     • Need to consider
     • Time period covered vs. dates of management’s assessment of controls
     • Scope of the report
     • Results of tests

  7. Interplay of SAS 70 and SOX 404: PCAOB FAQs
     • Q24 – What types of outsourcing activities are part of a company’s internal control over financial reporting?
     • A24 – Part of internal control structure if affects significant classes of transactions, initiation and authorization of transactions, maintenance of accounting records, etc. (e.g. bank trust department). SAS 70 not applicable to organizations that simply execute transactions (e.g. bank checking account)
     • Q25 – Is a SAS 70 Type II report issued more than six months prior to management’s assessment of controls current enough to provide evidence regarding operating effectiveness of controls?
     • A25 – No “bright line” test, but the older the report the less useful.
     • Q26 – Can registered accounting firms obtain evidence from a non-registered firm?
     • A26 – Yes

  8. Interplay of SAS 70 and SOX 404: SEC FAQs
     • Q24 – May management rely on a SAS 70 Type II report issued by the service auditor of the third-party service organization if the auditor is the same auditor as the registrant?
     • A14 – Yes, as long as the registrant doesn’t engage the service auditor to perform the SAS 70.

  9. Trends in SAS 70 Examination
     • Expansion of universe of service organizations
     • Type I reports – decreased usefulness
     • Increased frequency of SAS 70 reporting
     • Application of PCAOB standards by analogy in SAS 70 engagements:
     • Sampling
     • Evaluation of exceptions
     • Compensating controls
     • Change in date of SAS 70 report
     • Qualified opinions
     • Elimination of non-financial statement related controls
     • CCO reporting
     • Service auditor and financial statement auditor same firm

  10. Questions???
