Accelerate Your Financial Success

SAS 70 Audit

SAS 70 defines the professional standards used by a service auditor to assess the internal controls of a service organization and issue a service auditor's report. Service organizations are typically entities that provide outsourcing services that impact the control environment of their customers.

There are two types of service auditor reports which Meredith & Associates can provide.

Type 1 SAS 70 audits provide an opinion on controls that are in place as of a single point in time. The opinion deals with the fairness of presentation of the controls and the design of the controls in terms of their ability to meet defined control objectives. Since these reports only provide assurance as of a single day, they are of limited value to third parties.

Type 2 SAS 70 audits provide an opinion on controls that were in place over a period of time, typically six months or more. The opinion deals with the fairness of presentation of the controls, the design of the controls with regard to their ability to meet defined control objectives, and the operating effectiveness of those controls over the defined period. Third parties are better able to rely on these reports because verification is provided regarding these matters for a substantial period of time.

Putting SAS 70 to Work

Examples of service organizations are insurance and medical claims processors, trust companies, hosted data centers, application service providers (ASPs), managed security providers, credit processing organizations and clearinghouses.

Over the last few years, the use of the SAS 70 audit has expanded into non-traditional applications. Companies in the financial services industry are being required to show adequate oversight of service providers. Service organizations that provide services to healthcare companies are often asked by their clients to have a SAS 70 audit conducted to ensure that an independent third party has examined the controls over the processing of sensitive healthcare information.

While some companies utilize the SAS 70 audit to promote themselves in the "Other Information Provided by Service Organization" section, the more appropriate application is to utilize properly modified objectives from internal control framework(s) appropriate to their industry and company, such as COSO, COBIT for SOX, ISO, ITIL, BITS, or the AICPA's Trust Services Principles (SysTrust or WebTrust).

Audit Frequency

Type 1 audits are typically performed no more than once per year; however, there is no technical reason for this practice. In fact, many companies use the type 1 audit as a primer and tend to move on to a type 2 audit for the purposes of subsequent audits. Sarbanes-Oxley Act (SOX) provisions that require a type 2 audit have made this a very common practice.

Type 2 audits are also typically performed once per year; however, a small percentage of companies undergo multiple type 2 audits during any 12-month period. There is no technical guidance that states, or even recommends, a type 2 audit frequency requirement. It is generally expected that the frequency will be no less than once per year.

The SAS 70 audit guide recommends, but does not require, that type 2 examination periods be at least six months in length. Companies generally choose a review period between six and 12 months. There is no requirement or recommendation that the examination period fall completely within the calendar year.

SAS 70 audits are performed throughout the calendar year. Each service organization is responsible for making their own decisions regarding the type of audit they undergo, the timing of the audit, and the review period of the audit in the case of a type 2 audit.

User organizations will want a type 2 audit report whose examination period has as many months as possible falling within their own fiscal year and whose examination period end date is within three months of their fiscal year end. Most service organizations have many user organizations and often cannot satisfy all of their clients if they perform only one audit per year, regardless of the length of their review period. For example, a company could have a 12-month type 2 SAS 70 audit review period ending 12/31. This report would be less than ideal for clients with 6/30 fiscal year-ends because it will be six months "old" by that point in time. However, this issue does not render the report useless, and both audit guidance and SOX guidance provide specific directions for dealing with this common situation when it occurs.

Contact us for more information about a SAS 70 audit. We have audit specialists trained in this field.

View a chart showing the differences between a SAS 70 audit and a SysTrust (or WebTrust) audit.