Statement on Auditing Standards No. 70, commonly known as SAS 70, is a highly recognized auditing standard put forth by the American Institute of Certified Public Accountants (AICPA). In CPA technical terms, it's used to report on controls placed in operation (Type I audits) and tests of operating effectiveness (Type II audits). In simpler terms, it's an audit used by auditors for examining the control environment of service organizations.

SAS 70 Type I Audits

Type I audits are looked upon as an audit done for a snapshot in time. Essentially, a service organization's control environment is examined by auditors for a specific date in time, such as August 27, 2008. What this means is that the audit report issued for the service organization is a report on controls placed in operation for August 27, 2008. You might be asking how relevant an entity's control environment is when it is examined and attested to by a CPA firm for only that single day. Well, not too terribly relevant, and as such, SAS 70 Type I reports have limited value from a regulatory compliance perspective. They are, however, seen as an excellent stepping stone in moving towards a SAS 70 Type II audit, which actually tests controls over a stated time period. Furthermore, it must be noted that SAS 70 Type I audits do not suffice for Sarbanes Oxley, as only a Type II report provides the necessary assurances for section 404 internal control requirements for user organizations. Sound a little confusing? Let me explain in detail the relationship between Sarbanes Oxley (SOX) and SAS 70 audits, which will hopefully clear up any vagueness or misunderstandings you might have.

SAS 70 and SOX

The unique relationship between SOX and SAS 70 begins with section 404. Because management must report annually on the effectiveness of internal controls, it then has an obligation to examine all controls considered vital to the organization (user organization in SAS 70 jargon) as a whole, but more importantly, to its financial reporting process. And because a large number of publicly traded companies outsource numerous critical services, these outsourced providers, known as service organizations, are considered an integral component for purposes of financial reporting. Therefore, an in-depth, due-diligence process must be enacted to have their internal controls observed and certified. The Securities and Exchange Commission's (SEC) Chief Accountant and the Division of Corporation Finance have stated that "In many situations, a registrant relies on a third party service provider to perform certain functions where the outsourced activity affects the initiation, authorization, recording, processing or reporting of transactions in the registrant's financial statement. In assessing internal controls over financial reporting, management may rely on a Type 2 SAS 70 report."

SAS 70 Type II Audits

Type II audits are audits conducted over a stated time period, usually anywhere from six (6) to twelve (12) months; however, circumstances can arise where the audit is done in a shorter time period. SAS 70 Type II audits suffice for SOX regulatory requirements and are seen as effective, viable audits done on service organizations for examining their control environment. Because Type II audits actually test the worthiness of internal controls over a stated time period, these audits have wide acceptance through many industries and are looked upon as the de facto audit for examining a company's internal controls. Type II audits can take a considerable amount of time and effort in planning and preparation. Most organizations begin with a SAS 70 Type I audit, then move towards Type II compliance in subsequent years. However, some organizations do go directly towards Type II compliance; it all depends on the circumstances that arise for service organizations.

What is a Service Organization?

Service organizations are essentially third-party outsourcing entities that provide critical services to another company. Common examples of these service organizations are payroll companies, third party administrators (TPA), data centers, Software as a Service (SaaS) providers, medical claims and billing companies, fulfillment houses, along with many others.

Preparing for a SAS 70 Audit

The best way to prepare for a SAS 70 Type I or Type II audit is to undertake a SAS 70 Readiness. Any reputable CPA firm should be able to provide you with a series of SAS 70 readiness questionnaire forms and templates which will help identify the scope of the audit, while giving your organization a good understanding of what the audit actually entails. Even more, SAS 70 readiness questionnaire forms and templates will help your organization identify any gaps, remediation, or deficiencies that will need to be addressed and corrected before the audit commences. It's a good example of being proactive in the audit process, ultimately allowing for a high degree of efficiency and cost effectiveness for the SAS 70 Type I or Type II audit.

If you are considering having your organization go through a SAS 70 Type I or Type II audit, then SAS 70 sample reports are available from the SAS 70 Resource guide.