Why is SAS 70 Important to My Company?

By David G. Guenther, Alpern Rosenthal

Within many large private and public companies, one or more services are outsourced which involve data that has a material financial impact. Since it is unlikely that the contract with the outsourced service provider contains a right-to-audit clause, alternative methods are used to validate whether an adequate set of controls has been implemented and is effective during the entire fiscal year.

SAS 70 reviews traditionally cover the application controls which support the operational processes an organization has outsourced and the IT general controls over the environment in which those applications operate. Although the service auditor is required to ensure that all controls are adequately represented by the service organization within the limits of the defined scope, the competence levels of these service auditors vary throughout the industry. Although the AICPA provides guidance on the various areas which should be included in the application and IT general controls reviews, a checklist of the specific controls is not provided and, therefore, reliance is placed on the experience of the service auditor.

One of the most common questions when discussing SAS 70 reviews is whether you can rely on the information provided. The most important thing to understand is that the service organization (i.e., the organization being reviewed) defines the scope of the audit and the control objectives. The service auditor (i.e., the auditor that conducts the SAS 70 review) is required to render an opinion as to whether the control objectives are adequately represented based on the scope defined. However, the service organization can exclude traditional areas of IT general controls or application controls from the review, and the service auditor is not required to raise this as an issue in their opinion. Therefore, the most critical review that can be performed by the user organizations (i.e., organizations that rely on the services provided by the service organization) and the user auditors is to identify traditional areas which are not included in the scope of the SAS 70 review.

The adequacy of the testing of the controls provided by the service organization varies greatly within the industry. The type of test which satisfies a SAS 70 requirement is quite different from what is required for Sarbanes-Oxley (SOX). Collaborative inquiry is an acceptable form of testing for SAS 70 reviews. Collaborative inquiry involves interviewing two independent persons to validate that a control process is functioning as intended. This type of testing does not involve any independent compliance testing to validate that the control is functioning as intended. This is known as a Type I report, as it includes the service auditor's opinion on the fairness of the presentation of the service organization's description of controls that have been placed in operation and the suitability of the design of the controls to achieve the specified control objectives.

A Type II report includes the information contained in a Type I service auditor's report and also includes tests of the operating performance of the controls, as well as the service auditor's opinion on whether the controls were operating effectively during the review period. This report is in compliance with the SOX requirements.

In addition, SAS 70 Type II reports are now placing more emphasis on information technology's role in the control environment of service organizations. This helps to ensure that the SAS 70 report contains all of the information required by user organization auditors. Type II reports can be used by the user organization's auditors to assess internal control risk for the purposes of planning and executing their financial audit.

With the introduction of SOX, SAS 70 has taken on an increased importance. SOX adopted the COSO model of controls, which is the same model that SAS 70 audits have utilized since inception. SOX heightened the focus placed on understanding the controls over financial reporting. It identified a Type II SAS 70 report as the only acceptable method of obtaining third-party assurance regarding the controls at a service organization.

For more information, contact David G. Guenther, CPA, Director of Comprehensive Risk Services for Alpern Rosenthal, at 412.281.2501, ext. 471.



Copyright 2002 Alpern Rosenthal.
Heinz 57 Center · 339 Sixth Avenue · Pittsburgh, PA 15222 · Phone: (412)281-2501 · Fax: (412)471-1996