Skip to main content

All about SAS 70 Report


A SAS 70 report is the service auditor’s report on a service organization’s controls for use by user organizations and their auditors. Statement on Auditing Standards (SAS) No. 70, Service Organizations, is a widely recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA). The requirements of Section 404 of the Sarbanes-Oxley Act of 2002 make SAS 70 audit reports even more important to the process of reporting on the effectiveness of internal control over financial reporting
It applies to any service organization that:
• Executes transactions and maintains accountability or
• Records transactions and processes related data
The primary purpose of the SAS 70 report is to provide information about the service organization to auditors who audit the user organization’s financial statements.

Benefits of a SAS 70 ReportReduces disruption to service organization operations (single auditor concept) - Otherwise, auditors of all user organizations would have to perform testing. This would result in significant duplication of effort in reviewing common service organization systems, and the service organization would have to provide support (and accept the disruption) for every review.

Provides an independent assessment of controls - Important function for many user organizations to have an independent, trained set of eyes evaluating internal control.

Value-added recommendations from the service auditor to the service organization - An independent, trained set of eyes is able to provide recommendations to improve operational aspects of the organization. They can compare the organization to other service organizations to provide suggestions and strengthen controls as well as improve operational effectiveness.

Potential efficiency gains for user auditors if reliance can be placed on the SAS 70 report - Utilization of a SAS 70 may allow the user auditor to reduce scope of direct testing of systems and procedures at the service organization, resulting in lower fees for the client.

Few basic definitions
User Organization - The entity that has engaged a service organization and whose financial statements are being audited (e.g., the customer of the service organization).

User Auditor - The auditor who reports on the financial statements of the user organization.

Service Organization - The entity (or segment of an entity) that provides services to a user organization that are part of the user organization’s information system (e.g., processes transactions on behalf of its customers).

Service Auditor - The auditor who reports on controls of a service organization that may be relevant to a user organization’s internal control as it relates to an audit of financial statements (e.g., performs the SAS No. 70 review of the service organization).

Why would a company use a service organization?Many companies are focusing on their core competencies and outsource certain other functions that specialized companies can do more efficiently.

These specialized companies or service organizations frequently provide outsourcing services to multiple organizations, thereby generating economies of scale.

When a company uses a service organization to accomplish tasks that affect the company’s financial statements, the processing performed by the service organization may impact the company’s system of internal control.

Therefore, the processing at the service organization may affect the user auditor’s planning and performance of the audit of the user organization’s financial statements and the audit of internal controls.

When to consider SAS 70?The fact that an entity uses a service organization is not, in and of itself, a compelling reason for a user auditor to conclude that it is necessary to obtain a service auditor’s report to plan the audit.

The user auditor should consider SAS No. 70 when auditing the financial statements of an entity that obtains services from another organization that are part of its information system.

A service organization’s services are part of an entity’s information system if they affect any of the following:
ª How the entity’s transactions are initiated
ª The accounting records, supporting information, and specific accounts in the financial statements involved in the processing and reporting of the entity’s transactions
ª The accounting processing involved from the initiation of the transactions to their inclusion in the financial statements, including electronic means (such as computers and electronic data interchange) used to transmit, process, maintain, and access information
ª The financial reporting process used to prepare the entity’s financial statements, including significant accounting estimates and disclosures

SAS No. 70 is not applicable to the audit of the financial statements of an entity when:
Services provided are limited to executing client organization transactions that are specifically authorized by the client. Examples: processing of checking account transactions by a bank and execution of securities transactions by a broker.

Services provided involve financial interests in partnerships, corporations, and joint ventures when proprietary interests are accounted for and reported to interest holders. Examples: include working interests in oil and gas ventures.

Types of SAS 70 Reports
Type I Report – Report on controls placed in operation
In a Type I report, the service auditor issues an opinion on whether the description of controls is fairly presented, whether controls were placed in operation and whether they are suitably designed as of a specific date. However, a Type I report does not address the operating effectiveness of controls over time. A Type I report may provide a user auditor with an understanding of the service organization's controls necessary to plan the audit and to design effective tests of controls and substantive tests at the user organization. A user auditor cannot rely on a Type I report to reduce the assessed level of control risk which may result in the reduction of substantive procedures.

Type II Report - Report on controls placed in operation and Test of Operating EffectivenessIn a Type II report, the service auditor performs the procedures required for a Type I engagement and performs tests of specific controls to evaluate their operating effectiveness in achieving specified control objectives. A Type II report:
• Describes controls and effectiveness over a period of time
• May provide user auditor’s information to place a greater level of reliance on controls
A Type 2 report is typically more useful to a user auditor because, in addition to providing an understanding of controls necessary to plan the audit, it may also provide the user auditor with reasonable assurance that control objectives that may be important to the auditor have been met.

Report Contents1. Independent service auditor's report (i.e. opinion).
Type I - Included
Type II - Included
2. Service organization's description of controls.
Type I - Included
Type II - Included
3. Information provided by the independent service auditor; includes a description of the service auditor's tests of operating effectiveness and the results of those tests.
Type I - Optional
Type II - Included
4. Other information provided by the service organization (e.g. glossary of terms).
Type I - Optional
Type II - Optional

The user auditor will need to consider whether the controls at the subservice organization are relevant to the user organization’s information system.

Carve Out MethodIf the controls of the subservice organization are not included in the SAS 70 report, the carve-out method is used. In the carve-out method, the subservice organization’s controls objectives and controls are excluded from the description and from the scope of the service auditor’s engagement.

Inclusive MethodIf the controls of the subservice organization are included in the SAS 70 report, the inclusive method is used. In the inclusive method, the subservice organization’s relevant controls are included in the description and scope and the description in the SAS 70 report differentiates between controls of the service organization and controls of the subservice organization.

Report timingWhen a Type 2 SAS 70 report period end date is within 6 months of our client’s year end, both our client’s management and the Service Auditor should consider procedures to bridge the gap between the period end of the SAS 70 report and the client’s year end.
When a Type 2 SAS 70 is dated more than 6 months before the client’s year end, the report provides little evidence of the operating effectiveness of controls at the service organization.

The User Auditor may need to perform alternative procedures to gain comfort on a control objective appearing in the SAS 70 report:
• In instances where there are non-negligible exceptions documented in the report,
• When a relevant control objective is qualified,
• When a period of time greater than 6 months has elapsed since the SAS 70 period end, or
• In situations where the service organization did not provide (or our client’s management did not obtain) a SAS 70 report over the service organization.

The procedures a User Auditor can rely on vary and may include some or all of the following procedures:
• Use work performed by management and their results
• Obtain specific information from the service organization to influence the nature, timing, and extent of testing to be performed.
• Request a service auditor be engaged to perform the necessary procedures (i.e. Agreed Upon Procedure engagement)
• Visit the service organization and performing the necessary audit procedures
• Evaluate the user controls at the user organization (our audit client) to determine if the control objectives are met with procedures already performed at the user organization.
References: www.sas70.com
Labels:

Comments

Post a Comment

Popular posts from this blog

CA Info - industrial training

Hi Friends, Here is the list of approved insitutions eligible for imparting Industrial training Approved Organisations - Eastern Region SIEMENS LIMITED 43 SHANTI PALLY E.M.BY PASS CALCUTTA 700042 CITI BANK N.A. TATA CENTRE 41,CHOWRINGHEE ROAD CALCUTTA 700071 RECKITT & COLMAN OF INDIA LTD 41,CHOWRINGHEE ROAD CALCUTTA 700071 BRITANIA INDUSTRIES LTD . 14, TARATALA ROAD CALCUTTA 700088 ICI INDIA LTD 34, CHOWRINGHEE ROAD CALCUTTA 700071 GRASIM INDUSTRIES LTD. INDUSTRY HOUSE 14TH FLOOR, 10, CAMAC STREET KOLKATA 700017 AMERICAN EXPRESS BANK 21, OLD COURT HOUSE STREET CALCUTTA 700001 BALMER LAWRIE CO. LTD 21, NETAJI SUBHAS ROAD CALCUTTA 700001 INDIAN OIL CORPORATION LIMITED 2,GARIAHAT ROAD(S) DHAKURIA CALCUTTA 700068 SRF LIMITED EXPRESS BUILDING 1ST FLOOR BAHADUR SHAH ZAFAR MARG NEW DELHI 110002 INDIAN RAYON AND INDUSTRIES LTD RISHRA HOOGHLY 712249 PEPSI-COLA INDIA MARKETING COMPANY SREE MANJURI BLDG. SUITE NO.6 , 1ST FLOOR 8/1, MIDDLETON ROW CALCUTT
116 comments
Read more

ECB vs FCCB

This is in response to the queries I received on whether ECB or FCCB is more convenient/liberal/less regulated. For guidelines on each of them, please refer to the links attached in the respective articles. FCCB http://www.icai.org/icairoot/publications/complimentary/cajournal_nov05/703-708.pdf . ECB http://www.icai.org/icairoot/publications/complimentary/cajournal_may04/p1216-19.pdf As regards which is more convenient, it always depends on the company raising funds. Historically, companies prefer ECBs over FCCBs . The RBI data for the month of December 2007 showed only 7 of 44 companies raising funds through FCCBs automatic route and all 7 companies preferring the ECB over FCCB through approval route. http://rbidocs.rbi.org.in/rdocs/ECB/pdfs/83662.pdf Government has said that it is contemplating relaxing norms governing external commercial borrowings (ECBs) to enable Indian corporates access higher foreign capital at low cost. Besides, a review is underway to remove restrictions on fo
Post a Comment
Read more

Reverse Mortgage in India

Imagine a situation where you grow old and have managed to buy a house. However, you could not save enough for your retirement. You certainly need money to manage your day to day finances since you are retired and have no fixed source of income or your income is not enough to meet your finances. Reverse Mortgage is the answer for you. Reverse Mortgage is a type of mortgage available to senior citizens in which a home-owner can borrow money against the value of his/her home. No repayment of the mortgage (principal or interest) is required until the borrower dies or the home is sold. After accounting for the initial mortgage amount, the rate at which interest accrues, the length of the loan and rate of home price appreciation, the transaction is structured so that the loan amount will not exceed the value of the home over the life of the loan. [1] How does it work? Reverse Mortgage in India Realising the potential benefits of Reverse Mortgage, the Union Budget 2007-
9 comments
Read more