Session 9 - SAS 70.ppt - Statement on Auditing Standard 70 Professor Chris Wardak ACC 624 Agenda Overview of SAS 70 Page 2 Why a SAS 70 Report Many of

Statement on Auditing Standard 70 Professor Chris Wardak ACC 624

Page  2 Agenda Overview of SAS 70

Page  3 Why a SAS 70 Report?  Many of the functions performed by service organizations affect an entity’s financial statements, auditors performing audits of financial statements may need to obtain information about those services, the related service organization controls, and their affects on the financial statement.

Page  4 What is a SAS 70 Report?  Statement on Auditing Standards (SAS) 70, Service Organizations – Reports on the Processing of Transactions by Service Organizations.  SAS 70 engagements are association engagements that consist of an examination of a description of internal controls provided by a service organization that may be relevant to a user organization’s internal control as it relates to an audit of financial statements.

Page  5 What is a SAS 70 Report?  A SAS 70 is a report on a service organization.  The subject of the report has financial statement implications.  Auditor to Auditor Communication.  Limited Distribution Report.

Page  6 Types of SAS 70 Reports  Type 1 Report – Fair presentation of the controls and a review of the design of controls placed in operation as of a given date.  Type 2 Report – Type I review plus tests of the operating effectiveness of the controls over a period of time, usually 6 to 12 months. Note: When a company requires a SAS70 report for SOX purposes they can only rely on a TYPE 2 as it tests the appropriateness of design and operating effectiveness of control activities.

Page  7 Typical Parties to a SAS 70 review Company A (Service Organization) Company A’s Customers (User Organizations and Internal Auditors) CPA Firm (Service Auditor) CPA Firm (User Organization Third Party Auditor)

Page  8 What is Contained in SAS 70 Report?  SAS 70 Report Consists of Three Main Sections and One Optional Section: – Section I – The Opinion (The Service Auditors Report); – Section II – Relevant Aspects of the Control Environment; – Section III – Control Objectives, controls, testing and results of testing; and – Section IV – Other Information (Optional).

Page  9 SAS 70 Report Components SECTION RESPONSIBILITY I. Independent Service Auditors’ Report Service Auditor II. Company A Description of Controls and Procedures Company A III. Tests of Operating Effectiveness Service Auditor IV. Other Information Provided by Company A (Optional) Company A

Page  10 Section I  Independent Service Auditor’s Report (Opinion) Consists of the following:  Scope – Definition of the System/Environment under review.  The Opinion – An evaluation as to whether the Control Objectives have been achieved: – Report descriptions present controls fairly; – Control structure suitably designed to achieve objectives; and – Controls operating through the period with sufficient effectiveness to achieve objectives.