Presentation on theme: "1 SAS #70 (as Amended by SAS #88) Service Organizations NSAA IT Conference September 28, 2006 Nashville, TN Presented by: Michael A. Billo, CISA, CGAP."— Presentation transcript:
1 SAS #70 (as Amended by SAS #88) Service Organizations NSAA IT Conference September 28, 2006 Nashville, TN Presented by: Michael A. Billo, CISA, CGAP PA Department of Auditor General
2 Objectives To recognize the use of a service organization
3 Objectives To provide guidance in determining when controls at the service organization should be considered during the audit
4 Objectives To understand the difference between a Type 1 and Type 2 review (report)
5 Overview and Purpose SAS No. 70, as amended, is not applicable to every service provided by a service organization. It is applicable only if the service is part of the user organizations information system.
6 Information System … that which identifies, captures, and exchanges information (data) in a form and time frame that enables people to carry out their responsibilities. … not always directly related to an audit of financial statements; however, the guidance talks heavily about f/s audits.
7 For this presentation … Think of relevance of service organizations effects NOT ONLY on the financial statements BUT…………..ALSO Audit Objective(s) On the Audit Objective(s) !
8 Information System Indicators from SAS #88: A service organizations services are part of an entitys information system if they affect any of the following:
9 Information System (SAS #88) How the entitys transactions are initiated The accounting records, supporting information, and specific accounts in the financial statements involved in the processing and reporting of the entitys transactions
10 Information System (SAS #88) The accounting processing involved from the initiation of the transactions to their inclusion in the financial statements, including electronic means (such as computers and electronic data interchange) used to transmit, process, maintain, and access information The financial reporting process used to prepare the entitys financial statements, including significant accounting estimates and disclosures
11 So What is SAS 70 ?
12 SAS #70 … a separate review engagement designed to provide information about control objectives that may be relevant to other audit engagements depending on the other audit engagements objectives.
13 Purpose of SAS 70 Reports Primary purpose is to provide information to auditors of user organizations Not for public disclosure – too much detailed information could be a security risk
14 Definitions User organization User auditor Service organization Service auditor
15 User Organization The entity that has engaged a service organization and who is being audited.
16 User Auditor The auditor of the user organization.
17 Service Organization The entity (or segment of an entity) that provides services to a user organization that are part of the user organizations information system.
18 Service Auditor The auditor who reports on controls of a service organization that may be relevant to a user organizations internal control.
19 Examples of Service Organizations Trust departments of banks and insurance companies Transfer agents, custodians, and recordkeepers for investment companies Mortgage servicers or depository institutions that service loans for others
20 Examples of Service Organizations Application Service Providers Internet Service Providers Other Information Technology Entities
21 Advantages of Service Organizations Controls at the service organization can be good – they do this kind of work all the time. Good controls are part of good customer service. Be on guard though – some service organizations are not mindful of controls – or at least controls are not as important as service!
22 Internal Control The concept of an entitys internal control is fundamental to SAS No. 70, and is defined in SAS No. 55, Consideration of Internal Control in a Financial Statement Audit, as amended (94). Internal control is a process – effected by an entitys board of directors, management, and other personnel – designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
23 Internal Control (continued) a)Reliability of financial reporting b)Effectiveness and efficiency of operations, c)Compliance with applicable laws and regulations.
24 Back to SAS #94 These service organization controls may represent or affect a user organizations: 1. control environment, 2. risk assessment, 3. control activities, 4. information and communication, or 5. monitoring components of internal control.
25 Internal Control (SAS #94) Components 1.Control Environment sets the tone of an organization, influencing the control consciousness of its people. 2.Risk Assessment is the entitys identification and analysis of relevant risks to achievement of it objectives, forming a basis for determining how the risks should be managed.
26 Internal Control (SAS #94) Components 3.Control Activities are the policies and procedures that help ensure management directives are carried out. 4.Information and Communication systems support the identification, capture, and exchange of information in a form and time frame that enable people to carry out their responsibilities.
27 Internal Control (SAS #94) Components 5.Monitoring is a process that assesses the quality of internal control performance over time.
28 Aspects of Control Environment Integrity and ethical values Commitment to competence Board of Directors or audit committee participation Managements philosophy and operating style Organizational structure Assignment of authority and responsibility Human resource policies and practices
29 Aspects of Risk Assessment Changes in the operating environment New personnel New or revamped systems Rapid growth New technology New business models, products, or activities Corporate restructurings Expanded foreign operations New accounting pronouncements
30 Aspects of Information and Communication … procedures, whether automated or manual, and records established by the service organization to: –Initiate, record, process, and report a user organizations transactions (as well as events and conditions) and maintain accountability for the related assets, liabilities, and equity. –Provide an understanding of the individual roles and responsibilities pertaining to internal control over reporting.
31 Aspects of Information and Communication (contd.) Auditor must understand: –Classes of transactions –Procedures (automated & manual) –The related accounting records –How the information system captures other events and conditions –The financial reporting process
32 Aspects of Monitoring Internal auditors Quality control External communications –Customer complaints –Regulators
33 Objectives and Components direct relationship objectives components There is a direct relationship between the objectives (which are what the entity strives to achieve) and the components (which represent what is needed to achieve the objectives). SAS No. 70 addresses the effect that a service organization may have on an entitys (user organizations) objectives.
34 user organization We will focus on the overall internal controls of the user organization, rather than specifically on the service organizations internal controls – the overall assessment is the key!
35 More Definitions Controls or Controls – the policies and procedures an entity establishes to implement one or more aspects of the five components of internal control. Controls may exist at the user organization or at the service organization.
36 More Definitions (continued) Service organizations controls – Controls at a service organization that are part of a user organizations information system.
37 More Definitions (continued) Control Objectives – Generally, financial statement reporting control objectives, but also may encompass compliance or operational control objectives.
38 Assertions are … Either explicit or implicit and can be classified according to the following broad categories: –Existence or occurrence –Completeness –Rights and obligations –Valuation or allocation –Presentation and disclosure
39 Examples of Assertions in User Organizations Financial Statements and Related Service Organization Control Objectives
40 Example (1) Existence or occurrence Savings deposits and withdrawal transactions are received from authorized sources.
41 Example (2) Completeness Savings deposit and withdrawal transactions received from the user organizations initially are recorded completely and accurately. Output data and documents are complete and accurate and distributed to authorized recipients timely.
42 Example (3) Valuation or allocation Programmed interest and penalties are calculated in conformity with the description. Output data and documents are complete and accurate and distributed to authorized recipients timely.;
43 Example (4) CompletenessInvestment purchases and sales are recorded completely, accurately and timely.
44 Example (5) Valuation or allocationInvestment income is recorded accurately and timely.
45 Example (6) Rights and obligationsInvestment purchases and sales are recorded completely, accurately, and timely.
46 When Is a Service Organization Important? controls physically and operationally separateIn planning the audit when transactions, accounts, processes, or operations are subjected to controls that are, at least in part, physically and operationally separate from the user organization.
47 How Do I Set Risk? Auditor may initially set control risk at maximum. or Auditor may obtain evidence about the effectiveness of the design and operation of controls (TEST) to determine if a basis exists to set control risk below maximum.
48 What is Control Risk? The risk that a material misstatement could occur in a management assertion and will not be prevented or detected on a timely basis by the entitys internal control. It is also the process of evaluating the effectiveness of an entitys internal control in preventing or detecting significant failure to meet compliance or operational objectives (assertions).
49 What Must I do About Controls? Always gain an understanding of the design of controls and whether they have been placed in operation. Test those controls (if I want to reduce my control risk)
50 What are Key Controls? Where are Key Controls? critical Controls that are considered critical by the user auditor to achieving specific control objectives
51 Whatever You Do…. Youll have to use Auditor Judgment ! Look at your Audit Universe Consider your Audit Objectives Balance and Gauge Your Audit Risk and then…
52 Make Decisions and Document Your Rationale
53 So How Do I Do This? Use a step down / step through approach (some yes/nos & if/thens) You Must Know your audit objective and audit universe to do it!
54 Step 1 What does the service organization do?
55 Step 2 Does the service organizations function/process relate to my audit objective and/or my audit universe? If NO I dont need to consider controls at the service organization If YES, I proceed to Step 3
56 Step 3 How much activity (transactions, accounts, processes, operations and/or procedures) of the user organization are at the service organization? How much internal control did the user org. (auditee) give up to the service org.? Gauge activity by dollars, volume, and other relevant thresholds.
57 Step 4 Is the activity at the service organization minimal for the user organization? and Is the audit approach at the user organization sufficient to give adequate audit coverage?
58 Now What? If the answers to both questions in Step 4 are YES, I dont need a SAS 70 of the service organization – I have enough to plan my audit and assess control risk. If the answers to both questions in Step 4 are NO, I need to do more to understand controls at the service organization.
59 HOWEVER !! As government auditors – you may act conservatively and go the extra mile. Obtain the SAS 70, if available, just in case it contains BIG issues in the report. If a SAS 70 is not available, you may want to recommend obtaining one.
60 Step 5 If the answers to the questions in Step 4 are NO, I have to do more. Is there a SAS 70? If YES, obtain it and evaluate it. How do I evaluate it – lets start with the degree of interaction between the user orgs I/C and the service orgs I/C.
61 Degree of Interaction Refers to the extent to which a user organization is able to and elects to implement effective controls over the processing performed by the service organization.
62 How Do I Understand Interaction? Start with a review of the contract – what contractually should the service organization be doing for the user organization? Does the contract mention responsibility for controls? Interview and observe.
63 What Is High Interaction? Services provided by the service organization are limited to –Recording user organization transactions –Processing the related data User organization retains responsibility for authorizing transactions and maintaining related accountability
64 Example of High Interaction Employee benefit plan (EBP) uses a bank for a directed trust –EBP makes investing decisions (bank not allowed to execute transactions without specific approval) –EBP reconciles its own records of investments to the banks records
65 Example of Moderate Interaction Same employee benefit plan (EBP) using a directed trust –EBP authorizes transactions –EBP chooses not to generate independent investment records and relies on the banks statements
66 Example of Low Interaction Same employee benefit plan (EBP) uses a discretionary trust –Bank is given broad authority to invest the plans assets –EBP has no way to generate independent records
67 What If Theres No SAS 70? User auditor can ask the auditee (user organization) to request that a service auditor be engaged to perform procedures that will provide the necessary information. User auditor may visit the service organization and perform procedures there.
68 Another Alternative Agreed-upon procedures AICPA APR lists an agreed-upon procedure engagement as an alternative to have tests of controls performed. –However, you would need to understand the control design in order to specify what tests needed to be performed. –This alternative seems to be available when there is a type 1 report (no testing) describing the controls. –The service organization hires the service auditor to perform testing.
69 What If Youve Exhausted All Options? The AICPA says… If the user auditor is unable to obtain sufficient evidence to achieve his or her audit objectives, the user auditor should qualify his or her opinion or disclaim an opinion on the financial statements because of a scope limitation.
70 If you need to settle a bar bet … AICPA APR says– SAS 60 does not apply to a service auditors engagement because it provides guidance on identifying and communicating reportable conditions … during the audit of …financial statements.
71 Two Types of Service Auditors Reports Form and Content
72 Two Types of Reports Type 1 report – a report on controls placed in operation testsType 2 report – a report on controls placed in operation and tests of operating effectiveness
73 Whats the Difference? Type 1 – concludes on the design of the controls only – no testing –This type of report is useful only in gaining an understanding Type 2 – includes tests of operating effectiveness –This type of report may allow user auditors to rely on controls to reduce risk
74 Report Format Section 1 – Service Auditors Report -- the auditors opinion (section 1) Section 2 – Service Organizations Description of Controls Section 3 – Information Provided by the Service Auditor Section 4 – Other Information Provided by the Service Organization
75 Format of Type 1 and Type 2 Reports Are Flexible However, the organization and presentation of the reports always should differentiate between: 1)The service auditors report (the opinion letter) 2)The service organizations description of controls 3)Information provided by the service auditor 4)Other information provided by the service organization
76 Types and Sections Recap Type 1 and type 2 – refer to the entire document Sections 1, 2, 3, 4 – refer to only parts of the document Service auditors report – refers to section 1
77 Section 1 – The Service Auditors Report Letter issued by the service auditor expressing an opinion on the –Fairness of the presentation of the service organizations description of controls –The suitability of the design of the controls to achieve specified control objectives –In a type 2 engagement – whether the specific controls were operating with sufficient effectiveness to achieve the related control objectives
78 Section 1 Can Not Be Distributed Alone The service auditors report (section 1 – the letter issued by the service auditor) should not be distributed without the: –Accompanying description of the service organizations controls, and –The description of the service auditors tests of operating effectiveness and the results of those tests (when applicable)
79 Section 2 – Service Organizations Description of Controls The service organizations description of controls generally is prepared by the service organization. The service organization is responsible for the completeness, accuracy, and method of presentation of the description.
80 Section 2 – Description of Controls Service organization controls are considered relevant to a user organizations internal control if they represent or affect a user organizations internal control as it relates to audit objectives.
81 Section 2 – Description of Controls The service organizations description of controls should provide sufficient information to user auditors to understand how the service organizations processing affects the components, BUT not so detailed as to potentially allow a reader to compromise security or other controls.
82 Section 2 – Description of Controls The controls should be tailored to the service provided by the service organization, and if appropriate, help the user organization(s) achieve financial reporting, operational and compliance objectives.
83 Section 2 - Computer Processing Most service organizations depend primarily on computer processing to perform contractual services. The description of controls should include a synopsis of the computer environment and the related general computer controls and objectives.
84 Section 2 - General Computer Controls Program change controls Controls that restrict access to programs and data (physical and logical access controls) Controls that affect the processing of data (including application controls, such as program edits)
85 What about business continuity and disaster/contingency planning? PlansControlsPlans are not Controls; therefore, control objectives should not include this topic. However, a service organization can include this topic in Section 4 (other information provided by the service organization).
86 Section 3 – Information Provided by the Service Auditor – a description of the tests of the operating effectiveness of controls and the results of those tests (only in a type 2 report) –Other information provided by the service auditor (optional in both type 1 and type 2 reports)
87 Section 3 – Information Provided by the Service Auditor Tests of Operating Effectiveness The following elements should be included in the description: –The controls that were tested. –The control objectives the controls were intended to achieve. –An indication of the nature, timing, extent, and results of the tests applied in sufficient detail to enable user auditors to determine the effect of such tests on their assessment of control risk.
88 Section 3 – Information Provided by the Service Auditor Other Information to Include Information that more fully describes the objectives of a service auditors engagement or information relating to regulatory requirements. Recommendations for improving the service organizations controls.
89 Section 4 – Other Information Provided by the Service Organization NOT a part of the description of controls –A service organization may wish to present other information, e.g., contingency plans, in this section that is NOT a part of the description of controls – and consequently, not covered by the service auditors opinion (section 1).
90 Who Determines What Type of Review (1 or 2)? Type of engagement should be determined by the service organization However, discussions between the management of the service organization and the management of the user organization(s) are advisable
91 So … What Would We Talk About? Discussions between the service organization and user organization(s) could identify: –Whether report will be type 1 or type 2 –The services or applications that will be covered by the report –Control objectives reviewed/tested
92 Procedures in a Type 1 Engagement Review the description of controls prepared by the service organization Inquire of appropriate management and staff Inspect documents to confirm management representations Observe control activities
93 Control objectives are usually specified by the service organization; however, they may be designated by an outside party, e.g., a regulatory agency or a user group
94 If specified by the service organization – they should be reasonable in the circumstances and consistent with the service organizations contractual obligations. If specified by an outside party, the outside party is responsible for their completeness and reasonableness.
95 Using Type 1 and Type 2 Reports First – inquire about the professional reputation of the service auditor (guidance in SAS 70 AU section ). Determine whether a given type 1 or type 2 report will meet audit objectives –READ –READ the report WHOLE REPORT !!! the WHOLE REPORT !!!
96 The report alone does NOT provide the user auditor with the understanding necessary to plan the audit!
97 The auditor should consider the information in the type 1 or 2 report, and determine whether he or she has enough information to:
98 Understand the aspects of the service organizations controls that may affect the processing of the user organizations transactions. Understand the flow of significant transactions through the service organization. Determine whether the control objectives are relevant to the user organizations f/s assertions. Determine whether the service organizations controls are suitably designed to prevent or detect processing errors that could result in material misstatements in the user organizations f/s.
99 as of a date that is appropriate The user auditor should also determine whether the service organizations description is as of a date that is appropriate for the user auditors purpose. Careful on this -- controls may have changed!
100 Goal of Type 1 Procedures Express an opinion on whether the – –Description presents fairly, in all material respects, The service organizations controls Placed in operation as of a specified date –Design of controls would provide reasonable assurance that the control objectives would be achieved if those controls were complied with satisfactorily –Note: NO TESTING!!
101 Purpose of a Type 1 Report Provide user auditors with information about the controls at the service organization Information should assist the user auditor in obtaining a sufficient understanding of the user organizations internal control to plan the audit (in accordance with SAS 94)
102 Type 1 - What Do We Do With This Understanding of Internal Controls? Identify the types of misstatements that may occur in the user organizations financial statements Consider the factors that affect the risk of material misstatement Design substantive tests
103 Type 2 – Something Extra In a type 2 engagement, the service auditor performs the procedures required for a type 1 engagement and Also performs tests Also performs tests of specific controls to evaluate their operating effectiveness
104 Goal of Type 2 Procedures Express an opinion on whether the: –Controls were suitably designed to provide reasonable assurance that the specified control objectives would be achieved if those controls were complied with satisfactorily.
105 Type 2 – Use by the User Auditor Need to Consider: 1.Report on the operating effectiveness of the controls 2.Description of the tests of the operating effectiveness of controls that may be relevant to your audit objective
106 Type 2 – Use by User Auditor Need to Determine Whether: –The report provides adequate evidence of the nature, timing, extent and results of operating effectiveness for the user auditor to set control risk below maximum. –The timing of the tests is appropriate for his/her purposes. –The report identifies results of tests (exceptions and other information that could affect his/her considerations.
107 Must Also Consider Controls at the User Organization Controls at the user organization should complement the controls at the service organization User control considerations
108 Complimentary Controls In some cases, a service provided by the service organization may be designed with the assumption that certain controls will be implemented by the user organization. For example, user organizations authorize transactions before they are processed by the service organization.
109 Type 2 – Use by User Auditor The results of the testing may be part of the evidence the user auditor relies on to: –Assess control risk below the maximum for certain management assertions affected by the service organization –Reduce the extent of substantive procedures performed for those assertions.
110 Strong Warning! AICPA says: Under no circumstances should the service auditors report (the letter issued by the service auditor) be the only basis for reducing the assessed level of control risk below the maximum.
111 Never Eliminate Substantive Tests! Although a type 2 report (with testing) and other evidence may allow you to reduce your testing, …Neither a type 1 nor a type 2 report is designed to provide a basis for assessing control risk sufficiently low to eliminate …substantive tests….
112 Miscellaneous Issues/Considerations Exceptions AICPA says: exceptions noted by the service auditor or a report modification in the service auditors report do not automatically mean that the service auditors report will not be useful in planning the auditor of a user organizations financial statements or in assessing control risk.
113 Miscellaneous Issues/Considerations Reportable Conditions If a user auditor sees reportable conditions in the SAS 70 report May be reportable conditions to the user organization – may need to include in report or management letter
114 Miscellaneous Issues/Considerations Timing A SAS 70 report is as of a specific date How useful the SAS 70 report will be depends on how that date fits with your audit period.
115 Keep in Mind… shorter the period covered longer the time elapsed –The shorter the period covered by the specific test and the longer the time elapsed since the performance of the test --- the less support for control risk reduction
116 Does the description of controls need to be updated? If the service organizations description of controls is as of a date that precedes the beginning of the audit period, the user auditor should consider updating the information in the description to determine if there are changes in the service organizations controls relevant to the processing of the user organizations transactions.
117 Procedures to update may include: Discussions with user organization personnel who are in a position to know about changes at the service organization. A review of current documentation and correspondence issued by the service organization. Discussions with service organization personnel or with the service auditor.
118 Miscellaneous Issues/Considerations Management Representation Letter In all engagements, a service auditor should obtain written representations from the service organizations management. AU section provides guidance as to the types of representations the service auditor should obtain.
119 Miscellaneous Issues/Considerations Internal Auditors A service organization may have an internal audit department that performs test of controls as part of its audit plan. The service auditor may determine it effective and efficient to use the work. Service auditor should then consider the guidance in SAS No. 65
120 Miscellaneous Issues/Considerations Engagements to Report ONLY on General Computer Controls Service organizations may engage an auditor to report only on its controls related to computer processing. Generally appropriate if the service organization provides only computer hardware and system software.
121 Service Organizations That Use Other Service Organizations Subservice Organizations
122 Apply what was learned previously to another level!
123 One Big Difference The service organization determines whether its description will include controls of the subservice organization by using: –The carve-out method (dont include) –The inclusive method (include)
124 Questions and Comments Thank you for your attention!