1. Statement on Auditing Standards (SAS) No. 70, Service Organizations BADM 559 Final Project By: Kristina Morales

2. Background In 1988, AICPA issued SAS 55 ◦Independent auditor required to review internal controls of both the user and service organization ◦Service organization= insurance and medical claims processors, hosted data centers, etc. ◦Too costly for service organizations; therefore, SAS 70 evolved SAS 55 amended by SAS 94 in 2001 ◦SAS 70 places emphasis on internal controls concerning information technology SAS 70 AUDITOR User Auditor

3. Purpose  “To obtain an independent service auditor’s report regarding the Operational and Technical Controls in place at a service organization, which may be relevant to the internal control structure and financial statement assertions of user organizations of that service organization.” - Walter Searcey, Business Advisory Services Manager of Grant Thornton LLP  Sarbanes Oxley increased the focus of SAS 70 audit reports  Importance of reporting on the effectiveness of internal controls.  Provide Assurance

4. Benefits Service OrganizationUser Organization Provide management with insight into the effectiveness of its controls and areas for improvement Eliminates repeat audits, which saves time and money Provides independent assurance and builds trust Able to meet contractual obligations and respond to regulatory inquiries May control some audit costs Help user auditors by already having information available to them Satisfies client regulatory requirements Provides a level of comfort over the processes outsourced

5. SAS 70 Audit Report Two types of SAS 70 service reports: Type I and Type II Management, the user organization, and/or the external auditors of the user organization can read the report to understand the service organization’s controls and its effectiveness.

6. Real Life Approach Grant Thornton’s approach to SAS 70 ◦Phase I: SAS 70 Readiness Review  Understand business process and information technology within the SAS 70 scoope ◦Phase II: Fair Representation and Suitability of Controls  Evaluate description of controls, suitability of the design of control activities and control objectives. ◦Phase III: Test and Observe  Validates the controls and apply tests of inquiry ◦Phase IV: Report and Attest  Develop and present either Type I or Type II report

7. SAS 70 International Counterparts United Kingdom: Guidance titled AAF 01/06 which supersedes FRAG 21/94. ◦Provided by the Audit and Assurance Faculty of the Institute of Chartered Accountants in England and Wales. Canada: Report titled Section 5970, which may be issued by a service organization auditor. ◦Generally entails 2 separate audit opinions on the controls in place and its operating effectiveness over a period.

8. Conclusion Recently, the use of the SAS 70 audit has been applied in non-traditional ways. ◦Service organizations that provide services to financial companies are required to have a SAS 70 review in order to comply with the Gramm-Leach- Bliley Act (GLBA). ◦Service organizations that provide services to healthcare companies are requested by their clients to have a SAS 70 audit to ensure that a third party has examined the controls over sensitive information ◦Some companies actually propose a SAS 70 audit in order to have an independent party review a business proposal or marketing idea.