Four Fifteen Group 415


SAS 70 Audits

November 16, 2009


Background on SAS 70

Statement on Auditing Standards (SAS) No. 70 is the authoritative guidance that allows companies that provide data-related services to one or more customers to disclose their internal control activities and processes in a universally accepted format. SAS 70 engagements are conducted by independent CPAs who have experience in accounting, auditing, and information security. A service auditor can issue either a Type 1 or a Type 2 report.

In a Type I report, the service auditor expresses an opinion on (1) whether the service organization's description of its controls presents fairly, in all material respects, the relevant aspects of the service organization's controls that had been placed in operation as of a specific date, and (2) whether the controls were suitably designed to achieve the specified control objectives.

In a Type II report, the service auditor expresses an opinion on the same items noted above for a Type I report, and additionally on (3) whether the controls that were tested were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives were achieved during the period specified.

Benefits to the Service Organization

1. Service organizations receive significant value from having a SAS 70 engagement performed. A Service Auditor's Report with an unqualified opinion, issued by an independent accounting firm, differentiates the service organization from its peers by demonstrating that it has established effectively designed control objectives and control activities. A Service Auditor's Report also helps a service organization build trust with its user organizations (i.e., its customers).

2. Without a current Service Auditor's Report, a service organization may have to entertain multiple audit requests from its customers and their respective auditors. Multiple visits from user auditors can place a strain on the service organization's resources. A Service Auditor's Report ensures that all user organizations and their auditors have access to the same information, and in many cases this will satisfy the user auditors' requirements.

3. SAS 70 engagements are generally performed by internal-control-oriented professionals who have experience in accounting, auditing, and information security. A SAS 70 engagement allows a service organization to have its control policies and procedures evaluated and tested by an independent CPA. Very often this process identifies opportunities for improvement in many operational areas.

Approach & Methodology

1. Project scope and work plan development

Management, consultants, and independent CPAs should discuss which specific processes offered to third parties will be covered by the SAS 70 Report. Not every product or service offering, nor every technology platform that enables those products or services, needs to be included in the report; however, the description of systems that accompanies the auditor's opinion will be very specific about what is and what is not included in the scope of the engagement. During this phase, all parties should also discuss the desired end date for a Type 1 or Type 2 report and work backwards from it to establish a reasonable timeline up front, so that the SAS 70 Audit can be completed successfully.

2. Prepare management's Description of Controls

The Description of Controls is a critical part of the final SAS 70 report, in which management describes the relevant a) data services/systems to be audited, b) control environment, c) information systems environment, d) application processing procedures, e) control objectives and related controls, and f) client control considerations. How this section is written is very important, because all testing the auditor performs will be based on this Description of Controls.

3. Readiness Assessment

A SAS 70 Audit, like an examination of the financial statements by a CPA, once started must be completed. Therefore it is highly recommended that organizations undergo a readiness assessment prior to engaging an auditor to perform the initial SAS 70. This reduces the likelihood that an initial SAS 70 audit will result in an unfavorable opinion.

During this phase, experienced advisors will assist management in developing appropriate control objectives and related controls. A gap assessment will help identify control weaknesses, or gaps between the "to be" environment described in the control objectives and the existing control environment. A list of action items to remediate the gaps will be prepared.

4. Remediation Period

Following the gap assessment, allow time for newly implemented or recently remediated controls to be placed into service prior to beginning the SAS 70 Audit.

5. Evaluate Control Design


The Service Auditor begins the evaluation of control design and verifies controls have been put in place as of a specific date. At this time, a Type 1 report can be issued.


6. Test Control Effectiveness

Once the Service Auditor has concluded that controls are properly designed and have been in service for the appropriate length of time (typically 6 months), they may begin testing the effectiveness of the controls in place for the period being audited. At this point, a Type 2 report can be issued.

By: David H. Besse, MCSE, CISSP, CISA
