SAS 70 Audits: An Auditors Perspective

1
SAS 70 AuditsAn Auditors Perspective

• Presented by
• Marc Davis, CPA
• AGA PDC Conference June 27, 2007

2
Discussion Items

• Definitions
• Internal Control
• Need for a SAS 70 Audit
• Control Objectives
• SAS 70 Audit Reports/Testing
• Report Qualifications
• Issues Encountered

3
Definitions

• User Organization The entity that has engaged a
  service organization and whose financial
  statements are being audited
• User Auditor The auditor who reports on the
  financial statements of the user organization

4
Definitions

• Service Organization The entity that provides
  services to a user organization that are part of
  the user organizations information system
• Service Auditor The auditor who reports on
  controls of a service organization that may be
  relevant to a user organizations internal
  controls as it relates to an audit of financial
  statements

5
Internal Control

• A process designed to provide reasonable
  assurance regarding achievement of objectives
• Reliability of financial reporting
• Effectiveness and efficiency of operations
• Compliance with laws and regulations

6
Internal Control
7
Need for a SAS 70 Audit

• Are controls of the service organization
  significant
• Need to gain an understanding of controls
• Contact service organization
• Require a SAS 70 audit
• Visit service organization and perform procedures

8
Control Objectives

• Can be determined by the user organization, the
  service organization or an outside party
• Must be specified as who determines the control
  objectives in the auditors opinion

9
Control Objectives

• If determined by user organization or outside
  party
• Must be complete and reasonable
• If determined by service organization
• Must be reasonable in the circumstances and
  consistent with contractual obligations

10
Control Objective Example

• Controls provide reasonable assurance that
  changes to existing applications are authorized,
  tested, approved, properly implemented and
  documented.
• Service organization documents control activities
  to meet the control objective

11
SAS 70 Audit Reports

• Types of SAS 70 Audits
• Type I design of controls
• Point in time
• Type II design of controls and tests of
  operating effectiveness
• Period of time

12
SAS 70 Audit Reports

• Authorized users of the report
• Only present users of the service organization
• Should not include potential users of the service
  organization

13
SAS 70 Audit Reports

• 4 Sections
• Auditors opinion
• Description of controls
• Information provided by service auditor
• Information provided by service organization

14
SAS 70 Audit Testing

• Type I
• Read description of controls
• Inquire as to existence of controls
• Type II
• Read description of controls
• Inquire as to existence of controls
• Test controls to ensure operating effectively

15
SAS 70 Audit Testing

• Types of tests for operating effectiveness
• Inquiry
• Inspection of documents
• Observation of control
• Reperformance of control

16
To Qualify or Not to Qualify

• Are controls designed to meet control objectives
• Are controls operating with sufficient
  effectiveness to meet control objectives
• Exception vs. systemic issue

17
Issues Encountered

• Timing of the SAS 70 audit
• Step down engagement
• Requirements of SAS 70 in RFP process
• Marketing aspects

18
Contact Information

• Marc Davis, CPA
• Shareholder
• Mayer Hoffman McCann P.C.
• (949) 474-2020 ext. 244
• mddavis_at_cbiz.com