SAS 70: Understanding the Role, Advantages, and Types of Service Auditor Reports, Study notes of Human Resource Management

Sas 70 is a report produced after an audit of a service organization's controls by a certified public accountant (cpa). What sas 70 is, who can benefit from it, and the differences between type i and type ii reports. It also covers the advantages for both service organizations and user organizations, the unique aspects of sas 70 audits, and the industry standards used during the auditing process.

Typology: Study notes

2011/2012

Uploaded on 12/20/2012

devashish
devashish 🇮🇳

4.3

(24)

111 documents

1 / 3

Toggle sidebar

This page cannot be seen from the preview

Don't miss anything!

bg1
SAS 70 (Statement on Auditing Standards No. 70)
What is SAS 70?
SAS 70 is produced as a result of an audit performed by a CPA to report on the
processing of transactions by a service organization
-Over time this has changed, the reports are now used as a means to provide service
independent validation assurances to potential clients
It allows the third-party service provider to have one audit and share the results with
all of its clients
Candidates for SAS 70 Audits
Claims processing centers
Trust/benefit plan administrators
Data centers
Application service providers
Payroll processors
Internet service providers
SAS 70 Certified Advantages:
Benefits to Service Organizations
Unqualified opinions demonstrate that your organization has effective controls
Decreases business interruption by removing other audits throughout the year for
purposes of satisfying user organizations
Primary benefit to a company is that it eliminates the need for the company to
perform its own audit of each of its third-party service provider’s internal controls
Ability to leverage SAS 70 certification into a market differentiator against existing
competitors who are vying for outsourcing contracts from user organizations
Benefits to User Organizations
User organizations are able to gain a greater understanding and assurance of the
internal controls in place at service organizations
Shows that they have taken steps in developing and implementing controls
throughout the identified platform being used to process transactions for user
organizations
Type I and II reports assist external auditor for user organizations by cutting down on
the time and costs of having to inquire on controls at service organizations
Why SAS 70 audits are unique
The scope of the engagement and the voluminous amount of information included in
the final service auditor’s report
SAS 70 auditors focus on general and application controls, as well as operational and
Human Resources issues, security guidelines and business continuity plans
Only a CPA or accounting firm can sign off and issue a SAS 70 service auditor’s
report
Only a seasoned accountant with both financial statement auditing and IT skills
should be considered as a primary source for SAS 70 engagements
Docsity.com
pf3

Partial preview of the text

Download SAS 70: Understanding the Role, Advantages, and Types of Service Auditor Reports and more Study notes Human Resource Management in PDF only on Docsity!

SAS 70 (Statement on Auditing Standards No. 70) What is SAS 70?

  • SAS 70 is produced as a result of an audit performed by a CPA to report on the processing of transactions by a service organization -Over time this has changed, the reports are now used as a means to provide service independent validation assurances to potential clients
  • It allows the third-party service provider to have one audit and share the results with all of its clients

Candidates for SAS 70 Audits

  • Claims processing centers
  • Trust/benefit plan administrators
  • Data centers
  • Application service providers
  • Payroll processors
  • Internet service providers

SAS 70 Certified Advantages: Benefits to Service Organizations

  • Unqualified opinions demonstrate that your organization has effective controls
  • Decreases business interruption by removing other audits throughout the year for purposes of satisfying user organizations
  • Primary benefit to a company is that it eliminates the need for the company to perform its own audit of each of its third-party service provider’s internal controls
  • Ability to leverage SAS 70 certification into a market differentiator against existing competitors who are vying for outsourcing contracts from user organizations

Benefits to User Organizations

  • User organizations are able to gain a greater understanding and assurance of the internal controls in place at service organizations
  • Shows that they have taken steps in developing and implementing controls throughout the identified platform being used to process transactions for user organizations
  • Type I and II reports assist external auditor for user organizations by cutting down on the time and costs of having to inquire on controls at service organizations

Why SAS 70 audits are unique

  • The scope of the engagement and the voluminous amount of information included in the final service auditor’s report
  • SAS 70 auditors focus on general and application controls, as well as operational and Human Resources issues, security guidelines and business continuity plans
  • Only a CPA or accounting firm can sign off and issue a SAS 70 service auditor’s report
  • Only a seasoned accountant with both financial statement auditing and IT skills should be considered as a primary source for SAS 70 engagements

Difference between Type I and Type II Engagements

  • Type I reports are issued for a specific date and are limited to an inquiry into and observation of the controls
  • Type II reports are issued after a minimum six-month testing period have been completed and is focused on the operating effectiveness of controls
  • Type I consists of inquiry and observation controls
  • Type II would include testing of controls

Type I vs. Type II Reports Information Type I Type II

SAS 70 Service Auditor’s Report Required Required

Description of Controls Required Required

Information provided by the service auditor (a detailed listing of controls and testing of operating effectiveness)

Optional Required

Information provided by the service organization

Optional Optional

User organization control considerations (controls that user organizations have in place)

Optional Optional

Organizational areas to be audited

  • The identified platform or platforms that are being used to conduct outsourcing activities related to user organizations is what will be audited
  • Several operational general controls will also be observed -this is done to gain a better understanding of the corporate tone of the organization
  • A SAS 70 audit is looking at a service organization that implements controls throughout various levels of its company, not just the identified platform being targeted by a SAS 70.

Audit Process Type I

  • Auditor studies the general and application controls then lists opportunities for improvement with proposed remediation and documents
  • If control remediation is necessary, a time frame can be provided to correct or strengthen the various internal controls
  • CPA concludes the field work by doing a final walk-through and examination of the controls, then issues the report