
Statement on Auditing Standards No. 70 Reports on the Processing of Transactions by Service Organizations



Presentation Transcript


2. What is a SAS 70?

Statement on Auditing Standards Number 70 (“SAS 70”), Reports on the Processing of Transactions by Service Organizations:

- Professional guidance issued by the AICPA to provide standards for use by the independent service auditor who issues reports on the processing of transactions by a service organization, for use by other auditors
- Also known as a “Service Auditor’s Report” on the internal control structure of the service organization, particularly those controls affecting the user organization’s (i.e. client’s) internal control structure and the assertions in its financial statements

3. Benefits of a SAS 70

- Provides an independent assessment of the organization’s control procedures
- Establishes whether those controls met the objectives stated by management
- Demonstrates those controls to customers and their auditors
- Minimizes the number of audits over the service organization’s “Internal Controls” requested by different customers and their auditors
- Provides management with a level of “reasonable assurance” over the control integrity of the processing environment

4. Typical SAS 70 Progression

- The Service Organization begins by determining the scope of “Internal Controls” that may affect its user organizations (i.e. clients), as well as the impact of controls provided by its subservicers
- The Service Organization drafts a “Description of Internal Controls and Control Objectives”
- A “readiness review” is conducted over the “Internal Controls”
- Areas of weakness noted in the “readiness review” are mitigated, the Service Organization validates the control changes, and the “Description of Internal Controls and Control Objectives” is updated accordingly

5. Typical SAS 70 Progression (continued)

- The Service Organization engages a Service Auditor to perform a SAS 70 examination and provides the Service Auditor with its “Description of Internal Controls and Control Objectives”
- During the examination, the Service Auditor examines, on a test basis, evidence of the operating effectiveness of the “Internal Controls” that management has reported to be in place
- After the examination, the Service Auditor assesses “Internal Control” exceptions, discloses compliance test exceptions, and renders an opinion

6. Type I SAS 70 Reports

Report on Controls Placed in Operation: a report on a service organization’s description of its internal control structure, whether such controls were suitably designed to achieve specified control objectives, and whether they had been placed in operation as of a specified date.

7. Type II SAS 70 Reports

Report on Controls Placed in Operation and Tests of Operating Effectiveness of such Controls. Includes a Type I report plus: whether the controls tested were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the related control objectives were achieved during the period specified (minimum 6 month period).

8. Report Structure

Type I and Type II reports consist of 4 sections:

- Section One - Independent Service Auditor’s Report (the “Opinion”)
- Section Two - Description of Internal Controls and Control Objectives (provided by the Service Organization)
- Section Three - Information Provided by the Independent Service Auditor (includes Tests of Operating Effectiveness, with results and exceptions, for a Type II Report)
- Section Four - Other Information Provided by the Service Organization (not required; a supplemental section)

9. The “Opinion”

- The description presents fairly the Internal Controls
- Internal Controls were placed in operation as of a specific date
- Internal Controls were suitably designed to provide reasonable assurance that control objectives would be achieved if complied with
- Internal Controls tested were operating with effectiveness to provide reasonable assurance that control objectives were achieved during the period (Type II Report only)

10. Sample Control Objectives

- Logical security tools and techniques are implemented and configured to enable restriction of access to programs, data, and other information resources.
- Physical access restrictions are implemented and administered to ensure that only authorized individuals have the ability to access or use information resources.
- The data structure, as defined in the database management system, is appropriately implemented and functions consistent with management’s intentions.
- New network and communication software is appropriately implemented and functions consistent with management’s intentions.
- All necessary modifications to existing systems software are implemented timely.

    11. Sample Testing

12. Treatment of Exceptions

- Compliance Testing Exception - noted in the SAS 70 Report under Results of Testing
- Control Deficiency - the “opinion” includes an “except for” qualification relating to an assessment of the “design” and “operating effectiveness” of the control related to the control objective
- Finding - identification of a weakness that is not related to the control objective; no requirement to disclose

13. Examples of Service Organizations

Typical examples:

- Transaction Processors
- Application Service Providers
- Internet Data Centers/Hosting Services
- Brokerage Services (back-office processing)

14. Questions

- Am I required to have a SAS 70?
- If I receive a request for a SAS 70 from one of my customers (and do not currently have a SAS 70), am I required to obtain one?
- What is a SAS 70 Readiness Review?
- Am I required to conduct a Readiness Review before issuing an actual SAS 70?
- Who can SAS 70 reports be distributed to?
- Do I have to receive the consent of my external audit firm to provide it?
- Is a SAS 70 a marketing tool?
- Am I required to obtain a SAS 70 from my vendors?
- I received a SAS 70 from my vendor – now what?
- What is the impact of a qualified opinion?
- Do I need to have 2 SAS 70s a year?
- How are SAS 70s utilized for SOX purposes?

    15. Questions?
