2. What is a SAS 70?
Statement on Auditing Standards Number 70 (“SAS 70”), Reports on the Processing of Transactions by Service Organizations:
Professional guidance issued by the AICPA to provide standards for use by the independent service auditor who issues reports on the processing of transactions by a service organization for use by other auditors
Also known as a “Service Auditor’s Report” on the internal control structure of the service organization - particularly those affecting the user organization’s (i.e. Client) internal control structure and the assertions in their financial statements
3. Benefits of a SAS 70
Provides an independent assessment of the organization’s control procedures
Establishes whether those controls met the objectives stated by management
Demonstrates those controls to customers and their auditors
Minimizes the number of requested audits over the service organization’s “Internal Controls” by different customers and their auditors
Provides management with a level of “reasonable assurance” over the control integrity of the processing environment
4. Typical SAS 70 Progression
The Service Organization begins by determining the scope of “Internal Controls” that may affect their user organizations (i.e. clients) as well as the impact of controls provided by their subservicers
The Service Organization drafts a “Description of Internal Controls and Control Objectives”
A “readiness review” is conducted over the “Internal Controls”
Areas of weakness noted in the “readiness review” are mitigated, the Service Organization validates the control changes, and the “Description of Internal Controls and Control Objectives” is updated accordingly
5. Typical SAS 70 Progression
The Service Organization engages a Service Auditor to perform a SAS 70 examination and provides the Service Auditor its “Description of Internal Controls and Control Objectives”
During the examination, the Service Auditor will examine, on a test basis, evidence of the operating effectiveness of the “Internal Controls” that management has reported to be in place
After the examination, the Service Auditor will assess “Internal Control” exceptions, disclose compliance test exceptions and render an opinion
6. Type I SAS 70 Reports
Report on Controls Placed in Operation
A report on a service organization’s description of its internal control structure and whether such controls were suitably designed to achieve specified control objectives, and whether they had been placed in operation as of a specified date.
7. Type II SAS 70 Reports
Report on Controls Placed in Operation and Tests of Operating Effectiveness of such Controls
Includes a Type I report plus: whether the controls tested were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the related control objectives were achieved during the period specified (minimum 6-month period).
8. Report Structure
Type I and Type II reports consist of 4 sections:
Section One - Independent Service Auditor’s Report (the “Opinion”)
Section Two - Description of Internal Controls and Control Objectives (this is provided by the Service Organization)
Section Three - Information Provided by the Independent Service Auditor (this includes Tests of Operating Effectiveness - results and exceptions for a Type II Report)
Section Four - Other Information Provided by the Service Organization (this is not required and is a supplemental section)
9. The “Opinion”
The description presents fairly the Internal Controls
Internal Controls were placed in operation as of a specific date
Internal Controls were suitably designed to provide reasonable assurance that control objectives would be achieved if complied with
Internal Controls tested were operating with effectiveness to provide reasonable assurance that control objectives were achieved during the period (Type II Report only)
10. Sample Control Objectives
Logical security tools and techniques are implemented and configured to enable restriction of access to programs, data, and other information resources.
Physical access restrictions are implemented and administered to ensure that only authorized individuals have the ability to access or use information resources.
The data structure, as defined in the database management system, is appropriately implemented and functions consistently with management’s intentions.
New network and communication software is appropriately implemented and functions consistently with management’s intentions.
All necessary modifications to existing systems software are implemented timely.
11. Sample Testing
12. Treatment of Exceptions
Compliance Testing Exception -
Noted in the SAS 70 Report under Results of Testing
Control Deficiency -
The “opinion” includes an “except for” qualification relating to an assessment on the “design” and “operating effectiveness” of the control related to the control objective
Finding -
Identification of a weakness that is not related to the control objective; no requirement to disclose
13. Examples of Service Organizations
Typical examples:
Transaction Processors
Application Service Providers
Internet Data Centers/Hosting Services
Brokerage Services (back-office processing)
14. Questions
Am I required to have a SAS 70?
If I receive a request for a SAS 70 from one of my customers (and do not currently have a SAS 70), am I required to obtain one?
What is a SAS 70 Readiness Review? Am I required to conduct a Readiness Review before issuing an actual SAS 70?
Who can SAS 70 reports be distributed to? Do I have to receive the consent of my external audit firm to provide them?
Is a SAS 70 a marketing tool?
Am I required to obtain a SAS 70 from my vendors?
I received a SAS 70 from my vendor – now what?
What is the impact of a qualified opinion?
Do I need to have 2 SAS 70s a year?
How are SAS 70s utilized for SOX purposes?
15. Questions?