Service organizations seek third-party assurance to provide their clients with comfort about their internal control environment.
Since 1992, the preferred assurance mechanism for reporting on controls at a Service Organization – data processors, third-party administrators and fulfillment houses – has been a SAS 70 Audit. Until recently, SAS 70 provided the guidelines used by a service auditor to assess the internal controls of a service organization and issue a service auditor's report. In April 2010, the Auditing Standards Board (ASB) issued new guidelines under the "Statement on Standards for Attestation Engagements No. 16 (SSAE 16)". It is expected that these engagements will be referred to as SOC 1, but for now we will continue to refer to them as SAS 70 until we receive further guidance from the ASB.
In a Type I SAS 70 Audit Report, a CPA firm reviews a service organization's controls placed in operation. This outside auditor reviews documents on control processes and observes the existence and performance of controls. It issues a report on whether such controls were suitably designed to achieve specified control objectives, and on whether they had been placed in operation as of a specific date.
In a Type II SAS 70 Audit Report, the auditor performs all of the steps in a Type I Report, and also reports on whether the controls that were tested were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the related control objectives were achieved during a specified period.
A service organization may want to engage a CPA firm to conduct a SAS 70 audit for the following benefits:
Gain a competitive edge among peers
A user organization choosing between a service provider that has a SAS 70 report and one that does not may select the first vendor simply because the SAS 70 report can be used to fulfill its vendor management program requirements, sparing the user organization the cost of conducting its own expensive and time-consuming due diligence.
Establish trust with clients (the user organizations)
A service provider can use the SAS 70 report, especially a Type II, to demonstrate to current and future clients that its internal controls are adequately designed and operating effectively. This establishes the foundation for a relationship built on transparency and trust between the service provider and the user organization.
Avoid the cost (time and money) of having to respond to multiple audit requests from clients
A service organization may receive multiple requests for audits from its clients or their auditors. Each of these requests adds to the operating cost of both the service organization and its clients, and the repeated requests may even put a strain on the relationship. A SAS 70 audit report eliminates most of these requests while at the same time standardizing the process.
Identify redundant or ineffective internal controls
During the course of a SAS 70 audit, the service organization will be able to identify and address redundant or ineffective internal controls, which could be costing the organization unknown amounts of money. The audit is also an opportunity to improve the financial and operating processes within which those controls operate.
