
Companies that provide third-party processing for other companies in regulated industries have long been required to provide proof that their internal controls are working effectively so that their clients' auditors and regulators can obtain assurance annually. Today, the preferred assurance mechanism to efficiently handle these audit requests is a SAS 70 Audit. SAS 70 defines the professional standards used by a service auditor to assess the internal controls of a service organization and issue a service auditor’s report. Examples of service organizations are insurance and medical claims processors, trust companies, hosted data centers, application service providers (ASPs), managed security providers, credit processing organizations and clearinghouses.
In a Type I SAS 70 Audit Report, a CPA firm reviews a service organization's controls placed in operation. This outside auditor reviews documents on control processes and observes the existence and performance of controls. It issues a report on whether such controls were suitably designed to achieve specified control objectives, and on whether they had been placed in operation as of a specific date.
In a Type II SAS 70 Audit Report, the auditor performs all of the steps in a Type I Report, and also reports on whether the controls that were tested were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the related control objectives were achieved during a specified period.
A service organization may want to engage a CPA firm to conduct a SAS 70 audit for the following benefits:
Gain a competitive edge among peers: a user organization with the choice between a service provider that has a SAS 70 report and one that does not may choose to go with the first vendor simply because the SAS 70 audits can be used to fulfill its vendor management program requirements without additional cost to the user organization for conducting expensive and time-consuming due diligence.
To speak directly with Trevor Foo, call 305 373-5500 or email tfoo@mbafcpa.com today.
Frequently asked questions...
Specific answers to technical and functional questions regarding SAS 70 Audits
SAS 70 - Case Studies...
The experience and partnership that Encircle shared with MBAF allowed us to achieve greater efficiencies while strengthening our overall internal controls and being counted as a viable partner for the big boys in the industry.
SAS 70 Glossary...
All of the terminology used by SAS 70 auditors, reviewers, and clients.
Sample Documents
These include management representative letters, copies of the type 1 and type 2 auditors' report, and samples of control objectives.