SAS 70
Statement on Auditing Standards No. 70: Service Organizations, commonly abbreviated as SAS 70 and available full-text by permission of the AICPA, is an auditing statement issued by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) with its content codified as AU 324. SAS 70 provides guidance to service auditors when assessing the internal controls of a service organization and issuing a service auditor's report. SAS 70 also provides guidance to auditors of financial statements of an entity that uses one or more service organizations. Service organizations are typically entities that provide outsourcing services that impact the control environment of their customers. Examples of service organizations are insurance and medical claims processors, trust companies, hosted data centers, application service providers (ASPs), managed security providers, credit processing organizations and clearinghouses.
There are two types of service auditor reports. A Type I service auditor’s report includes the service auditor's opinion on the fairness of the presentation of the service organization's description of controls that had been placed in operation and the suitability of the design of the controls to achieve the specified control objectives. A Type II service auditor’s report includes the information contained in a Type I service auditor's report and also includes the service auditor's opinion on whether the specific controls were operating effectively during the period under review.
Background
SAS 70 was originally titled "Reports on the Processing of Transactions by Service Organizations" but was changed by Statement on Auditing Standards No. 88 to "Service Organizations". The guidance contained in SAS 70 is effective for all service auditors' reports dated after March 31, 1993.
SAS 55
In 1988, the AICPA issued SAS 55, titled "Consideration of the Internal Control Structure in a Financial Statement Audit". SAS 55 required that financial statement auditors assess the internal control related to any process that could impact the client's financial reporting objectives. In cases where the client outsourced a critical process that impacted the financial statements, the auditor was required to assess the internal control of that process as it was performed by the service organization. For example, an auditor might be required to examine the manner in which a payroll processing company controls the processing of payroll for its client. This situation was very detrimental to many service organizations, since all of their clients' auditors had an obligation to perform the same internal control assessment on them.
The overwhelming resources that service organizations were spending complying with requests from financial auditors led the AICPA to issue SAS 70. In layman's terms, SAS 70 allowed for one internal control review to be performed on a service organization that examined all of the areas that the financial statement auditors were required to consider to meet SAS 55 requirements. The resulting service auditor's report (i.e. the SAS 70 report) can be distributed to and relied upon by all of the financial statement auditors of the service organization's clients. The extent of that reliance is based on whether a Type I or Type II SAS 70 audit was performed.
SAS 94
In 2001, SAS 55 was amended by SAS 94, titled "The Effect of Information Technology on the Auditor's Consideration of Internal Control in a Financial Statement Audit". SAS 94 obliges the financial statement auditors to place an increased focus on the increasing role of information technology in meeting financial reporting objectives. Given this change, SAS 70 reports are now placing similar emphasis on information technology's role in the control environment of service organizations. This helps to ensure that the SAS 70 report contains all of the information required by user organization auditors.
SAS 109
In 2006, SAS 55 was superseded by SAS 109 (codified as AU 314), which provided an expanded theory regarding an auditor's responsibility to understand the entity under audit, including the information systems employed by that entity, among other items. This understanding is to be used in determining certain risks associated with the financial statements and audit.
Changing uses of the SAS 70
Over the last few years, the SAS 70 audit has come to be used in non-traditional ways. Companies in the financial services industry are being required to show adequate oversight of service providers, such as by obtaining a SAS 70 review to comply with Gramm-Leach-Bliley Act (GLBA) requirements. Service organizations which provide services to healthcare companies are often asked by their clients to have a SAS 70 audit conducted to ensure an independent third party has examined the controls over the processing of sensitive healthcare information.
While some companies utilize the SAS 70 audit to promote themselves in the "Other Information Provided by Service Organization" section, the more appropriate application is to utilize properly modified objectives from internal control framework(s) appropriate to their industry and company, such as COSO, COBIT for SOX, ISO, ITIL, BITS, or the AICPA's Trust Principles (which are specifically applicable to SysTrust or WebTrust services).
User auditor
Traditionally, service auditor reports are primarily used as auditor-to-auditor communication. The auditors of the service organization's customers (i.e. user auditors) can use the service auditor's report to gain an understanding of the internal controls in operation at the service organization. Additionally, Type II service auditor reports can be used by the user organizations' auditors to assess internal control risk for the purposes of planning and executing their financial audit.
Other third parties external to service organizations
Service auditor reports are growing in popularity and are being used by customers, prospective customers and financiers to gain an understanding of the control environment of outsourcing companies. In some cases, these third parties are not intended users of the report, but still find value in using the report as third-party independent verification that controls are in place and are operating effectively.
Unless the report is noted for restricted use only by the CPA firm, the service organization retains control of distributing the report. Every service auditor's report contains an auditor's opinion letter. The opinion letter is required to contain a paragraph that defines the authorized users of the report. On rare occasions, this paragraph is limited to a specific third party, which may or may not be a user organization. Use of the report is typically restricted to the service organization's management, its customers, and the financial statement auditors of its customers. Typically, a statement in the final paragraph states:
This report is intended solely for use by the management of XYZ Service Organization, its user organizations, and the independent auditors of its user organizations.
Financial statement auditor of service organization
The report is not designed to support the financial statement auditors of the service organization, because the service organization's own financial reporting IT controls are not the target of a SAS 70 audit. The environment supporting the user organizations' processes is the SAS 70 audit scope. However, a service organization's external auditor's Entity Level Control Considerations may be useful for a SAS 70 report.
Other auditing standards address the appropriate process for obtaining client authorizations so that auditors of different firms can obtain audit information about a shared client, which may include the sharing of workpapers and reports between the auditors.
Audit frequency
Type 1 audits are typically performed no more than once per year; however, there is no technical reason for this practice. In fact, many companies use the type 1 audit as a primer and tend to move on to a type 2 audit for the purposes of subsequent audits. Sarbanes-Oxley Act (SOX) provisions that require a type 2 audit have made this a very common practice.
Type 2 audits are also typically performed once per year; however, a small percentage of companies undergo multiple type 2 audits during any 12 month period. There is no technical guidance that states, or even recommends, a type 2 audit frequency requirement. It is generally expected that the frequency will be no less than once per year.
The SAS 70 audit guide recommends, but does not require, that type 2 examination periods be at least six months in length. Companies generally choose a review period between six and 12 months. There is no requirement or recommendation that the examination period fall completely within the calendar year.
SAS 70 audits are performed throughout the calendar year. Each service organization is responsible for making their own decisions regarding the type of audit they undergo, the timing of the audit, and the review period of the audit in the case of a type 2 audit.
User organizations want a type 2 audit report that has an examination period with as many months as possible falling within their own fiscal year and an examination period end date that is within three months of their fiscal year end. Most service organizations have many user organizations and often cannot satisfy all of their clients if they only perform one audit per year, regardless of the length of their review period. For example, a company could have a 12-month Type 2 SAS 70 audit review period ending 12/31. This report would be less than ideal for clients with 6/30 fiscal year-ends because it will be six months "old" by that point in time. However, this issue does not render the report useless, and audit guidance and SOX guidance provide specific directions for dealing with this common situation when it occurs.
Report on controls placed in operation
A report on controls placed in operation, referred to as a Type 1 report, opines on controls that are in place as of a date in time. The opinion states whether the controls are fairly presented, whether the controls are suitably designed to achieve defined control objectives, and whether the controls were in place as of a specific date. Since these reports only provide assurance over a single day, they are of limited value to third parties.
Report on controls placed in operation and tests of operating effectiveness
A report on controls placed in operation and tests of operating effectiveness, or Type 2 report, opines on controls that were in place over a period of time, which is typically a period of six months or more. The opinion states all that is covered by a Type 1 report and whether the controls were operating effectively enough to achieve the defined control objectives during a specified period. Third parties are better able to rely on these reports because a verification is provided regarding these matters for a substantial period of time.
SAS 70 and Sarbanes-Oxley Act of 2002
With the introduction of the Sarbanes-Oxley Act of 2002 (SOX), SAS 70 took on increased importance. SOX adopted the COSO model of controls, which is the same model that SAS 70 audits have used since inception. SOX heightened the focus placed on understanding the controls over financial reporting and identified a Type II SAS 70 report as the only acceptable method for a third party to assure a service organization's controls. Security "certifications" are excluded as acceptable substitutes for a Type II SAS 70 audit report. PCAOB's Audit Standard No. 5 (which replaced AS 2) details how a SAS 70 audit should be used in relation to SOX.
Proposed changes to SAS 70
The AICPA has proposed changes that would move the guidance for service auditors to the Statements on Standards for Attestation Engagements (SSAE), naming the standard Reporting on Controls at a Service Organization. The guidance for user auditors would remain in AU section 324 (the codified location of SAS 70) but would be renamed Audit Considerations Relating to an Entity Using a Service Organization.
The new standard for service auditors, Statements on Standards for Attestation Engagements No. 16 (SSAE 16), will be formally issued in June 2010, effective June 15, 2011. Because many organizations have reporting periods that cover a full 12-month period and begin in July, the new standards will affect many organizations as early as July 1, 2010.
Germany
The German standard in this area is called IDW PS 951. It is similar to a SAS 70 Type II report. IDW PS 951 is released by the Institut der Wirtschaftsprüfer.
United Kingdom
A SAS 70 is similar to the United Kingdom guidance provided by the Audit and Assurance Faculty of the Institute of Chartered Accountants in England and Wales. The technical release is titled AAF 01/06, which supersedes the earlier FRAG 21/94 guidance.
Canada
In Canada, a similar report known as a Section 5970 report may be issued by a service organization auditor. It usually gives two separate audit opinions on the controls in place. Furthermore, it may also give an opinion on the operating effectiveness over a period. These reports tend to be quite long, with descriptions of the controls in place.
India
Similar to the SAS 70 report in the United States of America, reporting requirements are defined in India's Audit and Assurance Standard 24, "Audit Consideration Relating to Entities Using Service Organizations". AAS 24 is issued by the Institute of Chartered Accountants of India, and is operative for all audits relating to periods beginning on or after 1 April 2003.