Trevor Foo

Trevor Foo, CISA, CISM 

Senior Manager, SAS 70 Audit, Attestation Group

(aka SAS No. 70, SAS Number 70, SAS70, Service Organization Audit, Service Organization Controls, Report of Controls Place in Operation)

Companies that provide third-party processing for other companies in regulated industries have long been required to provide proof that their internal controls are working effectively so that their clients' auditors and regulators can obtain assurance annually. Today, the preferred assurance mechanism to efficiently handle these audit requests is a SAS 70 Audit. SAS 70 defines the professional standards used by a service auditor to assess the internal controls of a service organization and issue a service auditor’s report. Examples of service organizations are insurance and medical claims processors, trust companies, hosted data centers, application service providers (ASPs), managed security providers, credit processing organizations and clearinghouses.

In a Type I SAS 70 Audit Report, a CPA firm reviews a service organization's controls placed in operation. This outside auditor reviews documents on control processes and observes the existence and performance of controls. It issues a report on whether such controls were suitably designed to achieve specified control objectives, and on whether they had been placed in operation as of a specific date.

In a Type II SAS 70 Audit Report, the auditor performs all of the steps in a Type I Report, and also reports on whether the controls that were tested were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the related control objectives were achieved during a specified period.

A service organization may want to engage a CPA firm to conduct a SAS 70 audit for the following benefits:

  • Gain a competitive edge among peers: a user organization with the choice between a service provider that has a SAS 70 report and one that does not may choose to go with the first vendor simply because the SAS 70 audits can be used to fulfill its vendor management program requirements without additional cost to the user organization for conducting expensive and time-consuming due diligence.

  • Establish trust with clients (the user organizations): a service provider can use the SAS 70 report, especially a Type II, to demonstrate to current and future clients that its internal controls are adequately designed and operating effectively. This establishes the foundation for a relationship built on transparency and trust between the service provider and the user organization.
     
  • Avoid the cost (time and money) of having to respond to multiple audit requests from clients: a service organization may receive multiple requests for audits from its clients or their auditors. Each of these requests can add to the operating cost of the service organization and its clients. The latter may even put a strain on the relationship. A SAS 70 audit report eliminates these requests, for the most part, while at the same time it standardizes the process.
     
  • Identify redundant or ineffective internal controls: during the process of a SAS 70, the service organization will be able to identify and address redundant or ineffective internal controls which could be costing the organization unknown amounts of money. This audit is also an opportunity to improve financial and operating processes, as these are what surround controls.

To speak directly with Trevor Foo, call 305 373-5500 or email tfoo@mbafcpa.com today.

Industry Resources

Frequently asked questions...
Specific answers to technical and functional questions regarding SAS 70 Audits

SAS 70 - Case Studies...
The experience and partnership that Encircle shared with MBAF allowed us to achieve greater efficiencies while strengthening our overall internal controls and being counted as a viable partner for the big boys in the industry.

SAS 70 Glossary...
All of the terminology used by SAS 70 auditors, reviewers, and clients.

Sample Documents
These include management representative letters..., copies of the type 1 and type 2 auditors' report..., and sample of control objectives....
