Presentation is loading. Please wait.

Presentation is loading. Please wait.

SAS #70 (as Amended by SAS #88)

Similar presentations

Presentation on theme: "SAS #70 (as Amended by SAS #88)"— Presentation transcript:

1 SAS #70 (as Amended by SAS #88)
Service Organizations NSAA IT Conference September 28, 2006 Nashville, TN Presented by: Michael A. Billo, CISA, CGAP PA Department of Auditor General Introduce yourself, experience, years with department, etc. Ask participants to introduce themselves; participants’ expectations of course Handout copy of SAS #88 from AICPA Journal of Accountancy

2 Objectives To recognize the use of a service organization
Will give guidance how to know if it’s a service organization.

3 Objectives To provide guidance in determining when controls at the service organization should be considered during the audit This is the tricky part, but have developed a methodology to help you gauge. Will depend on the information system of your auditee.

4 Objectives To understand the difference between a Type 1 and Type 2 review (report) Clear cut differences between the 2 types of reports. Also will give guidance on the different sections of the report.

5 Overview and Purpose SAS No. 70, as amended, is not applicable to every service provided by a service organization. It is applicable only if the service is part of the user organization’s information system. “Information System” definition follows – the generic one and the one from SAS 70 (with financial statement references removed).

6 Information System … that which identifies, captures, and exchanges information (data) in a form and time frame that enables people to carry out their responsibilities. … not always directly related to an audit of financial statements; however, the guidance talks heavily about f/s audits. Definition is from SAS #94 para #7, Already getting the tie-in between SAS 70 and 94. SAS #70 is very I/C-based, dependent, reliant.

7 For this presentation …
Think of relevance of service organizations’ effects NOT ONLY on the financial statements BUT…………..ALSO On the Audit Objective(s) ! Introduce importance of knowing the audit objective and audit universe.

8 Information System Indicators from SAS #88:
A service organization’s services are part of an entity’s information system if they affect any of the following: Here’s the wording about an information system from SAS 70 with references to … affecting financial statement reporting objectives removed.

9 Information System (SAS #88)
How the entity’s transactions are initiated The accounting records, supporting information, and specific accounts in the financial statements involved in the processing and reporting of the entity’s transactions Basically, it’s following a transaction or process from start to finish

10 Information System (SAS #88)
The accounting processing involved from the initiation of the transactions to their inclusion in the financial statements, including electronic means (such as computers and electronic data interchange) used to transmit, process, maintain, and access information The financial reporting process used to prepare the entity’s financial statements, including significant accounting estimates and disclosures Notice the importance of what’s happening from start to end (input, processing, output)

11 So What is SAS 70 ? Ready for a plain and simple explanation/definition?

12 “SAS #70” … a separate review engagement designed to provide information about control objectives that may be relevant to other audit engagements depending on the other audit engagements’ objectives. A plain and simple explanation

13 Purpose of SAS 70 Reports Primary purpose is to provide information to auditors of user organizations Not for public disclosure – too much detailed information could be a security risk

14 Definitions User organization User auditor Service organization
Service auditor Need to keep this terminology clear

15 User Organization The entity that has engaged a service organization and who is being audited. The auditee!

16 User Auditor The auditor of the user organization.
The Department of the Auditor General’s auditors

17 Service Organization The entity (or segment of an entity) that provides services to a user organization that are part of the user organization’s information system.

18 Service Auditor The auditor who reports on controls of a service organization that may be relevant to a user organization’s internal control.

19 Examples of Service Organizations
Trust departments of banks and insurance companies Transfer agents, custodians, and recordkeepers for investment companies Mortgage servicers or depository institutions that service loans for others According to AICPA – “Service organizations may provide services ranging from performing a specific task under the direction of an entity to replacing entire business units or functions of an entity.”

20 Examples of Service Organizations
Application Service Providers Internet Service Providers Other Information Technology Entities

21 Advantages of Service Organizations
Controls at the service organization can be good – they do this kind of work all the time. Good controls are part of good customer service. Be on guard though – some service organizations are not mindful of controls – or at least controls are not as important as service!

22 Internal Control The concept of an entity’s internal control is fundamental to SAS No. 70, and is defined in SAS No. 55, Consideration of Internal Control in a Financial Statement Audit, as amended (94). Internal control is a process – effected by an entity’s board of directors, management, and other personnel – designed to provide reasonable assurance regarding the achievement of objectives in the following categories: SAS 94, paragraph 6.

23 Internal Control (continued)
Reliability of financial reporting Effectiveness and efficiency of operations, Compliance with applicable laws and regulations. Introduce operational and compliance

24 Back to SAS #94 These service organization controls may represent or affect a user organization’s: control environment, risk assessment, control activities, information and communication, or monitoring components of internal control. There’s those 5 components again!

25 Internal Control (SAS #94) Components
Control Environment sets the tone of an organization, influencing the control consciousness of its people. Risk Assessment is the entity’s identification and analysis of relevant risks to achievement of it objectives, forming a basis for determining how the risks should be managed.

26 Internal Control (SAS #94) Components
Control Activities are the policies and procedures that help ensure management directives are carried out. Information and Communication systems support the identification, capture, and exchange of information in a form and time frame that enable people to carry out their responsibilities. Mention that #4 really is the key to the definition of an information system.

27 Internal Control (SAS #94) Components
Monitoring is a process that assesses the quality of internal control performance over time.

28 Aspects of Control Environment
Integrity and ethical values Commitment to competence Board of Directors or audit committee participation Management’s philosophy and operating style Organizational structure Assignment of authority and responsibility Human resource policies and practices

29 Aspects of Risk Assessment
Changes in the operating environment New personnel New or revamped systems Rapid growth New technology New business models, products, or activities Corporate restructurings Expanded foreign operations New accounting pronouncements

30 Aspects of Information and Communication
… procedures, whether automated or manual, and records established by the service organization to: Initiate, record, process, and report a user organization’s transactions (as well as events and conditions) and maintain accountability for the related assets, liabilities, and equity. Provide an understanding of the individual roles and responsibilities pertaining to internal control over reporting.

31 Aspects of Information and Communication (cont’d.)
Auditor must understand: Classes of transactions Procedures (automated & manual) The related accounting records How the information system captures other events and conditions The financial reporting process Transactions significant to the f/s By which transactions are initiated, recorded, processed, and reported from occurrence to f/s Electronic or manual, supporting information, specific accounts in the f/s … that are significant to the f/s … used to prepare the f/s, including significant accounting estimates and disclosures.

32 Aspects of Monitoring Internal auditors Quality control
External communications Customer complaints Regulators

33 Objectives and Components
There is a direct relationship between the objectives (which are what the entity strives to achieve) and the components (which represent what is needed to achieve the objectives). SAS No. 70 addresses the effect that a service organization may have on an entity’s (user organization’s) objectives.

34 We will focus on the overall internal controls of the user organization, rather than specifically on the service organization’s internal controls – the overall assessment is the key! Internal controls relevant to the audit objective can be at the user organization and service organization. Rarely is I/C solely at the service organization. After all, whose responsibility is it for I/C? MANAGEMENT’S

35 More Definitions Controls – the policies and procedures an entity establishes to implement one or more aspects of the five components of internal control. Controls may exist at the user organization or at the service organization. … because when a user organization uses a service organization, certain controls at the service organization may be part of the user organization’s information system.

36 More Definitions (continued)
Service organization’s controls – Controls at a service organization that are part of a user organization’s information system. They do not include service organization controls that are not relevant to a user organization’s information system.

37 More Definitions (continued)
Control Objectives – Generally, financial statement reporting control objectives, but also may encompass compliance or operational control objectives. Reinforce that the guidance refers heavily to controls as they impact the f/s reporting objectives, but also references other control objectives like compliance and operational ones.

38 Assertions are … Either explicit or implicit and can be classified according to the following broad categories: Existence or occurrence Completeness Rights and obligations Valuation or allocation Presentation and disclosure

39 Examples of Assertions in User Organization’s Financial Statements and Related Service Organization Control Objectives Describe services provided for Examples 1-3, and 4-6.

40 Example (1) Existence or occurrence
Savings deposits and withdrawal transactions are received from authorized sources. Left side is the assertion –- right side is the control objective.

41 Example (2) Completeness
Savings deposit and withdrawal transactions received from the user organizations initially are recorded completely and accurately. Output data and documents are complete and accurate and distributed to authorized recipients timely.

42 Example (3) Valuation or allocation
Programmed interest and penalties are calculated in conformity with the description. Output data and documents are complete and accurate and distributed to authorized recipients timely.;

43 Example (4) Completeness
Investment purchases and sales are recorded completely, accurately and timely.

44 Example (5) Valuation or allocation
Investment income is recorded accurately and timely.

45 Example (6) Rights and obligations
Investment purchases and sales are recorded completely, accurately, and timely.

46 When Is a Service Organization Important?
In planning the audit when transactions, accounts, processes, or operations are subjected to controls that are, at least in part, physically and operationally separate from the user organization. If the service organization’s functionality does not affect your audit objectives or audit universe or you have sufficient audit coverage without considering the service organization – then you can document that the service organization has no impact on your audit and not pursue a further understanding of the service organization’s controls. However, as you will see later, if a SAS 70 report is available, you should request it to be conservative.

47 How Do I Set Risk? Auditor may initially set control risk at maximum.
Auditor may obtain evidence about the effectiveness of the design and operation of controls (TEST) to determine if a basis exists to set control risk below maximum.

48 What is Control Risk? The risk that a material misstatement could occur in a management assertion and will not be prevented or detected on a timely basis by the entity’s internal control. It is also the process of evaluating the effectiveness of an entity’s internal control in preventing or detecting significant failure to meet compliance or operational objectives (assertions).

49 What Must I do About Controls?
Always gain an understanding of the design of controls and whether they have been placed in operation. Test those controls (if I want to reduce my control risk) Sometimes the interviews of personnel and observations of functioning of controls is sufficient evidential matter. Give concrete examples: - If your key control is that systems manuals are available on-site for use by tech staff – seeing that the manuals are current is enough. - If your key control is that all vouchers are signed by the controller prior to payments, then you need to select a sample of vouchers and test.

50 What are Key Controls? Where are Key Controls?
Controls that are considered critical by the user auditor to achieving specific control objectives

51 You’ll have to use Auditor Judgment !
Whatever You Do…. You’ll have to use Auditor Judgment ! Look at your Audit Universe Consider your Audit Objectives Balance and Gauge Your Audit Risk and then…

52 Make Decisions and Document Your Rationale

53 So How Do I Do This? Use a step down / step through approach (some yes/no’s & if/then’s) You Must Know your audit objective and audit universe to do it!

54 Step 1 What does the service organization do?
Gain that initial understanding of the functionality and responsibilities of the service organization.

55 Step 2 Does the service organization’s function/process relate to my audit objective and/or my audit universe? If NO  I don’t need to consider controls at the service organization If YES, I proceed to Step 3 Give example of audit objective of looking at auditee’s investments and the service organization is only processing their payroll.

56 Step 3 How much activity (transactions, accounts, processes, operations and/or procedures) of the user organization are at the service organization? How much internal control did the user org. (auditee) give up to the service org.? Gauge activity by dollars, volume, and other relevant thresholds.

57 Step 4 Is the activity at the service organization minimal for the user organization? and Is the audit approach at the user organization sufficient to give adequate audit coverage? What gets us to adequacy? (may need a slide – slide that they fill in) Identifying and testing compensating key controls at the user organization. Identifying and testing manual controls at the user organization that would identify weaknesses at the service organization. 100% authorization of transactions at the user organization and 100% review of all output from the service organization.

58 Now What? If the answers to both questions in Step 4 are YES, I don’t need a SAS 70 of the service organization – I have enough to plan my audit and assess control risk. If the answers to both questions in Step 4 are NO, I need to do more to understand controls at the service organization.

59 HOWEVER !! As government auditors – you may act conservatively and go the extra mile. Obtain the SAS 70, if available, just in case it contains BIG issues in the report. If a SAS 70 is not available, you may want to recommend obtaining one. You may want to make a finding, a letter of comment, verbal recommendation to management. Explain if the activity increases, this could be a problem in future years. Your audit approach is sufficient regardless of the SAS 70 results, but considering issues in the report may motivate the auditee to address them – bottom line – better internal control overall and less likely to be an issue in future years. A proactive approach is beneficial for planning in future years especially if the percentage changes between the amount of internal control at the service organization as compared to the amount of internal control at the user organization.

60 Step 5 If the answers to the questions in Step 4 are NO, I have to do more. Is there a SAS 70? If YES, obtain it and evaluate it. How do I evaluate it – let’s start with the degree of interaction between the user org’s I/C and the service org’s I/C.

61 Degree of Interaction Refers to the extent to which a user organization is able to and elects to implement effective controls over the processing performed by the service organization.

62 How Do I Understand Interaction?
Start with a review of the contract – what contractually should the service organization be doing for the user organization? Does the contract mention responsibility for controls? Interview and observe. Sufficiency of procedures – what’s enough?

63 What Is High Interaction?
Services provided by the service organization are limited to Recording user organization transactions Processing the related data User organization retains responsibility for authorizing transactions and maintaining related accountability

64 Example of High Interaction
Employee benefit plan (EBP) uses a bank for a directed trust EBP makes investing decisions (bank not allowed to execute transactions without specific approval) EBP reconciles its own records of investments to the bank’s records

65 Example of Moderate Interaction
Same employee benefit plan (EBP) using a directed trust EBP authorizes transactions EBP chooses not to generate independent investment records and relies on the bank’s statements

66 Example of Low Interaction
Same employee benefit plan (EBP) uses a discretionary trust Bank is given broad authority to invest the plan’s assets EBP has no way to generate independent records

67 What If There’s No SAS 70? User auditor can ask the auditee (user organization) to request that a service auditor be engaged to perform procedures that will provide the necessary information. User auditor may visit the service organization and perform procedures there. Bullet 2 – with permission of the user organization and the service organization

68 Agreed-upon procedures
Another Alternative Agreed-upon procedures AICPA APR lists an agreed-upon procedure engagement as an alternative to have tests of controls performed. However, you would need to understand the control design in order to specify what tests needed to be performed. This alternative seems to be available when there is a type 1 report (no testing) describing the controls. The service organization hires the service auditor to perform testing. This is a “here’s what we did; here’s what we found situation – should be a report on key controls or else it doesn’t mean anything. Note that this is a deviation from a SAS 70 report format.

69 What If You’ve Exhausted All Options?
The AICPA says… “If the user auditor is unable to obtain sufficient evidence to achieve his or her audit objectives, the user auditor should qualify his or her opinion or disclaim an opinion on the financial statements because of a scope limitation.” AICPA APR page 6

70 If you need to settle a bar bet …
AICPA APR says– “SAS 60 does not apply to a service auditor’s engagement because it provides guidance on identifying and communicating reportable conditions … during the audit of …financial statements.” By the way – did you know that the Guinness Book of World Records was first underwritten by the Guinness Brewing company to settle bar bets? - look up “Guinness” on This is important – don’t have to identify reportable conditions in the SAS 70, BUT if you’re the user auditor, you may have to report them in your audit. Evaluate and disposition as though you found it – it’s part of your audit process as the user auditor.

71 Two Types of Service Auditors’ Reports
Form and Content Objective here is to help you understand how to recognize the types of SAS 70s; how to identify the sections of the report.

72 Two Types of Reports Type 1 report – a report on controls placed in operation Type 2 report – a report on controls placed in operation and tests of operating effectiveness

73 What’s the Difference? Type 1 – concludes on the design of the controls only – no testing This type of report is useful only in “gaining an understanding” Type 2 – includes tests of operating effectiveness This type of report may allow user auditors to rely on controls to reduce risk

74 Report Format Section 1 – Service Auditor’s Report -- the auditor’s opinion (section 1) Section 2 – Service Organization’s Description of Controls Section 3 – Information Provided by the Service Auditor Section 4 – Other Information Provided by the Service Organization

75 Format of Type 1 and Type 2 Reports Are Flexible
However, the organization and presentation of the reports always should differentiate between: The service auditor’s report (the opinion letter) The service organization’s description of controls Information provided by the service auditor Other information provided by the service organization Need to always clearly differentiate between the sections prepared by the service auditor and those prepared by the service organization. When going through this slide – verbally remind everyone of section 1, 2, 3, 4

76 Types and Sections Recap
Type 1 and type 2 – refer to the entire document Sections 1, 2, 3, 4 – refer to only parts of the document Service auditors report – refers to section 1

77 Section 1 – The Service Auditor’s Report
Letter issued by the service auditor expressing an opinion on the Fairness of the presentation of the service organization’s description of controls The suitability of the design of the controls to achieve specified control objectives In a type 2 engagement – whether the specific controls were operating with sufficient effectiveness to achieve the related control objectives The term sufficient effectiveness is notable here – I have seen SAS 70 reports where there were errors noted in the testing performed. However, the auditors still expressed the opinion that the controls were operating with sufficient effectiveness to achieve objectives. - the idea in a SAS 70 report is for the service organization and the service auditors to provide sufficient detail in the report to allow the user auditor to understand the basis for the opinion. This level of detail also allows the user auditor to come to their own conclusion, if they disagree with the service auditor’s opinion. The user auditor may decide that the errors noted are of a concern to him or her (even though they were not to the service auditor) and then the user auditor would continue to assess control risk at high and keep substantive testing high.

78 Section 1 Can Not Be Distributed Alone
The service auditor’s report (section 1 – the letter issued by the service auditor) should not be distributed without the: Accompanying description of the service organization’s controls, and The description of the service auditor’s tests of operating effectiveness and the results of those tests (when applicable) Note for future research: It might be really interesting to present the thought process that occurred during SAS 70 development. i.e., what were the comments to the exposure draft, what changed during the exposure period, etc.

79 Section 2 – Service Organization’s Description of Controls
The service organization’s description of controls generally is prepared by the service organization. The service organization is responsible for the completeness, accuracy, and method of presentation of the description.

80 Section 2 – Description of Controls
Service organization controls are considered relevant to a user organization’s internal control if they represent or affect a user organization’s internal control as it relates to audit objectives.

81 Section 2 – Description of Controls
The service organization’s description of controls should provide sufficient information to user auditors to understand how the service organization’s processing affects the components, BUT not so detailed as to potentially allow a reader to compromise security or other controls. The degree of detail of the description should be equivalent to the degree of detail a user auditor would require if a service organization were not used.

82 Section 2 – Description of Controls
The controls should be tailored to the service provided by the service organization, and if appropriate, help the user organization(s) achieve financial reporting, operational and compliance objectives.

83 Section 2 - Computer Processing
Most service organizations depend primarily on computer processing to perform contractual services. The description of controls should include a synopsis of the computer environment and the related general computer controls and objectives.

84 Section 2 - General Computer Controls
Program change controls Controls that restrict access to programs and data (physical and logical access controls) Controls that affect the processing of data (including application controls, such as program edits)

85 What about business continuity and disaster/contingency planning?
Plans are not Controls; therefore, control objectives should not include this topic. However, a service organization can include this topic in Section 4 (other information provided by the service organization).

86 Section 3 – Information Provided by the Service Auditor
a description of the tests of the operating effectiveness of controls and the results of those tests (only in a type 2 report) Other information provided by the service auditor (optional in both type 1 and type 2 reports) In a type 2 engagement the service auditor must describe the tests of operating effectiveness performed on the control objectives. In a type 1 or type 2 engagement, the service auditor may include recommendations for improvement in controls in this section.

87 Section 3 – Information Provided by the Service Auditor Tests of Operating Effectiveness
The following elements should be included in the description: The controls that were tested. The control objectives the controls were intended to achieve. An indication of the nature, timing, extent, and results of the tests applied in sufficient detail to enable user auditors to determine the effect of such tests on their assessment of control risk.

88 Section 3 – Information Provided by the Service Auditor Other Information to Include
Information that more fully describes the objectives of a service auditor’s engagement or information relating to regulatory requirements. Recommendations for improving the service organization’s controls.

89 Section 4 – Other Information Provided by the Service Organization
A service organization may wish to present other information, e.g., contingency plans, in this section that is NOT a part of the description of controls – and consequently, not covered by the service auditor’s opinion (section 1).

90 Who Determines What Type of Review (1 or 2)?
Type of engagement should be determined by the service organization However, discussions between the management of the service organization and the management of the user organization(s) are advisable The SAS states that it is the service organization’s responsibility to determine what type of review – after all, they are paying for the engagement. However, in practice, discussions between all involved parties usually occur before the decision for the type of review is decided. Organizations are not as well-versed as auditors in understanding the difference in the types of reviews and what may be most relevant to the issues at hand. When the Commonwealth of PA outsourced its IT function to Unisys Corp., the auditors met with the Commonwealth to work out the control objectives tested and included in the report.

91 So … What Would We Talk About?
Discussions between the service organization and user organization(s) could identify: Whether report will be type 1 or type 2 The services or applications that will be covered by the report Control objectives reviewed/tested Talk about Commonwealth outsourcing --

92 Procedures in a Type 1 Engagement
Review the description of controls prepared by the service organization Inquire of appropriate management and staff Inspect documents to confirm management representations Observe control activities

93 Control objectives are usually specified by the service organization; however, they may be designated by an outside party, e.g., a regulatory agency or a user group

94 If specified by the service organization – they should be reasonable in the circumstances and consistent with the service organization’s contractual obligations. If specified by an outside party, the outside party is responsible for their completeness and reasonableness.

95 Using Type 1 and Type 2 Reports
First – inquire about the professional reputation of the service auditor (guidance in SAS 70 AU section ). Determine whether a given type 1 or type 2 report will meet audit objectives READ the report  the WHOLE REPORT !!!

96 The report alone does NOT provide the user auditor with the understanding necessary to plan the audit!

97 The auditor should consider the information in the type 1 or 2 report, and determine whether he or she has enough information to:

98 Understand the aspects of the service organization’s controls that may affect the processing of the user organization’s transactions. Understand the flow of significant transactions through the service organization. Determine whether the control objectives are relevant to the user organization’s f/s assertions. Determine whether the service organization’s controls are suitably designed to prevent or detect processing errors that could result in material misstatements in the user organization’s f/s.

99 The user auditor should also determine whether the service organization’s description is as of a date that is appropriate for the user auditor’s purpose. Careful on this -- controls may have changed!

100 Goal of Type 1 Procedures
Express an opinion on whether the – Description presents fairly, in all material respects, The service organization’s controls Placed in operation as of a specified date Design of controls would provide reasonable assurance that the control objectives would be achieved if those controls were complied with satisfactorily Note: NO TESTING!! Stress that a type 1 report only opines on the design of the controls – not whether they are operating effectively. The user auditor would need to arrange for additional testing if they wanted to rely on controls Also point out – AICPA always protects its members – the service organization writes the description of controls. Then the service auditor opines only on what is in the description. Makes it easier to budget and bill for services – keeps scope focused. Prevents misunderstandings. The Description is only going to cover the control objectives specifically listed in the report. A SAS 70 type 1 report is always as of a certain date – the date that the service auditors visited the facility User auditors need to consider how old the info is

101 Purpose of a Type 1 Report
Provide user auditors with information about the controls at the service organization Information should assist the user auditor in obtaining a sufficient understanding of the user organizations internal control to plan the audit (in accordance with SAS 94)

102 Type 1 - What Do We Do With This Understanding of Internal Controls?
Identify the types of misstatements that may occur in the user organization’s financial statements Consider the factors that affect the risk of material misstatement Design substantive tests Cannot reduce level of substantive testing – cannot reduce risk assessment – because there is no testing

103 Type 2 – Something Extra In a type 2 engagement, the service auditor performs the procedures required for a type 1 engagement and Also performs tests of specific controls to evaluate their operating effectiveness

104 Goal of Type 2 Procedures
Express an opinion on whether the: Controls were suitably designed to provide reasonable assurance that the specified control objectives would be achieved if those controls were complied with satisfactorily.

105 Type 2 – Use by the User Auditor Need to Consider:
Report on the operating effectiveness of the controls Description of the tests of the operating effectiveness of controls that may be relevant to your audit objective Per AICPA APR page 12: “When considering the operating effectiveness of the relevant controls at the service organization, the user auditor should read and consider both the service auditor’s –”

106 Type 2 – Use by User Auditor Need to Determine Whether:
The report provides adequate evidence of the nature, timing, extent and results of operating effectiveness for the user auditor to set control risk below maximum. The timing of the tests is appropriate for his/her purposes. The report identifies results of tests (exceptions and other information that could affect his/her considerations.

107 Must Also Consider Controls at the User Organization
Controls at the user organization should complement the controls at the service organization User control considerations Often the SAS 70 report will detail the controls in place at the service organization and then list controls that must be in place at the user organizations in order to provide an adequate control structure overall. These are called: User Control Considerations. - In the Commonwealth’s GAAP and Single Audit we reviewed the SAS 70 report of Citibank. This detailed out the controls at Citibank but also was quite clear that the proper functioning of these controls was dependent upon controls at the user organizations (in this case in PA’s Department of Public Welfare). - I believe there were 12 user control considerations - In order to rely on the Citibank SAS 70 report, we had to ask that Office of the Budget, Bureau of Audits, test the functioning of the user controls in DPW.

108 Complimentary Controls
In some cases, a service provided by the service organization may be designed with the assumption that certain controls will be implemented by the user organization. For example, user organizations authorize transactions before they are processed by the service organization.

109 Type 2 – Use by User Auditor
The results of the testing may be part of the evidence the user auditor relies on to: Assess control risk below the maximum for certain management assertions affected by the service organization Reduce the extent of substantive procedures performed for those assertions.

110 Strong Warning! AICPA says: “Under no circumstances should the service auditor’s report (the letter issued by the service auditor) be the only basis for reducing the assessed level of control risk below the maximum.” AIPCA APR page 12 You have to read and understand the ENTIRE report. You need to document which service organization controls are - relevant to your audit objectives, - what tests were done, -what results were achieved as part of your support of your reduced risk assessment.

111 Never Eliminate Substantive Tests!
Although a type 2 report (with testing) and other evidence may allow you to reduce your testing, “…Neither a type 1 nor a type 2 report is designed to provide a basis for assessing control risk sufficiently low to eliminate …substantive tests….” Quote from AICPA APR page 12.

112 Miscellaneous Issues/Considerations Exceptions
AICPA says: “exceptions noted by the service auditor or a report modification in the service auditor’s report do not automatically mean that the service auditor’s report will not be useful in planning the auditor of a user organization’s financial statements or in assessing control risk.” Give examples: the exceptions are in control objectives not relevant to the user audit. compensating controls exist.

113 Miscellaneous Issues/Considerations Reportable Conditions
If a user auditor sees reportable conditions in the SAS 70 report May be reportable conditions to the user organization – may need to include in report or management letter See AICPA APR page 30 May need to give examples here (also ask class for examples that they can think of): Instances where controls at the service organization may adversely affect the organization’s ability to record, process, summarize and report financial data consistent with management assertions.

114 Miscellaneous Issues/Considerations Timing
A SAS 70 report is “as of” a specific date How useful the SAS 70 report will be depends on how that date fits with your audit period. The date of the report is always as of a specific date – for both type 1 and type 2 reports. That means the service organization’s description of controls and the service auditor’s report on the effectiveness of those controls is as of a certain date. A SAS 70 report date that is outsied of the user organization’s audit period may still be useful: Providing a user auditor with a preliminary understanding of the controls at the service organization if the report is supplemented with information from other sources. If the service organization's description is as of a date that precedes the beginning of the period under audit, the user auditor should consider updating the info in the description of controls to determine whether there have been any changes in the controls.

115 Keep in Mind… The shorter the period covered by the specific test and the longer the time elapsed since the performance of the test --- the less support for control risk reduction Example from Page 28 of APR: “…a report on a six-month testing period that covers only one or two months of the user organization’s financial reporting period offers less support for control risk reduction than a report in which the testing covers six months of the user organization’s financial reporting period.” Also from page 28: “If the service auditor’s testing period is completely outside the user organization’s financila reporting period, the user auditor should not relay on such tests as support for control risk reducaiton because they do not provide current audit period evidence of the the effectiveness of the controls, unless…” …unless you want to apply the SAS 55 criteria for taking credit for testing done in prior years. (AU sec and .72) From AU sec : “When considering evidential matter obtained from prior audits, the auditor should obtain evidential matter in the current period about whether changes have occurred in internal control.” When SAS 55 was first adopted, we used to do a current year sample of 5 transactions to take credit for the results of the 25 tested in the prior year. Do your bureau’s take advantage of this provision of SAS 55? How do you implement? How do you document?

116 Does the description of controls need to be updated?
If the service organization’s description of controls is as of a date that precedes the beginning of the audit period, the user auditor should consider updating the information in the description to determine if there are changes in the service organization’s controls relevant to the processing of the user organization’s transactions.

117 Procedures to update may include:
Discussions with user organization personnel who are in a position to know about changes at the service organization. A review of current documentation and correspondence issued by the service organization. Discussions with service organization personnel or with the service auditor.

118 Miscellaneous Issues/Considerations Management Representation Letter
In all engagements, a service auditor should obtain written representations from the service organization’s management. AU section provides guidance as to the types of representations the service auditor should obtain.

119 Miscellaneous Issues/Considerations Internal Auditors
A service organization may have an internal audit department that performs test of controls as part of its audit plan. The service auditor may determine it effective and efficient to use the work. Service auditor should then consider the guidance in SAS No. 65

120 Miscellaneous Issues/Considerations Engagements to Report ONLY on General Computer Controls
Service organizations may engage an auditor to report only on its controls related to computer processing. Generally appropriate if the service organization provides only computer hardware and system software.

121 Service Organizations That Use Other Service Organizations
Subservice Organizations Chapter 5

122 Apply what was learned previously to another level!

123 One Big Difference The carve-out method (don’t include)
The service organization determines whether its description will include controls of the subservice organization by using: The carve-out method (don’t include) The inclusive method (include)

124 Questions and Comments
Thank you for your attention!

Download ppt "SAS #70 (as Amended by SAS #88)"

Similar presentations

Ads by Google