What is SAS 70 Type I & II Audit Services?

In today’s global economy, service organizations and service providers are required to demonstrate that they have adequate controls and safeguards in place when they host or process data belonging to their customers.

Statement on Auditing Standards (SAS) No. 70, Service Organizations, is an internationally recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA) for reporting design and operational effectiveness of a service organization’s internal controls over processing transactions.

SAS No. 70 enables service organizations to disclose their control activities, their effectiveness and processes to their customers and their customers’ auditors in a uniform reporting format.

SAS 70 Process Method for Compliance

Performing a SAS 70 audit is a structured, multi-step process, which includes a number of predefined processes and procedures that must take place to ensure its successful and timely completion. Depending on a service organization’s needs, a SAS 70 Type II audit is generally performed for any subsequent period following the completion of a Type I. Generally, successfully completing a SAS 70 Type I and then moving towards Type II compliance for subsequent years is the most common path many service organizations choose.

Type II compliance can be dependent on a variety of circumstances, but primarily it’s driven by publicly traded (i.e., SEC registered) companies having to certify the internal controls of the service organizations to which they outsource material or significant functions. This is required under Section 404 of the Sarbanes-Oxley Act, and therefore a Type II audit is necessary for many service organizations. SAS 70 Type II compliance can be attained by following the most common approach, whereby service organizations become Type I certified, then move towards Type II compliance in subsequent years. However, due to factors such as varying financial statement reporting periods for publicly traded corporations and a host of other issues, working immediately towards Type II compliance becomes the only option at times.

SAS 70 Type I and Type II Roadmap to Compliance encompasses the following:

  • Initial discussion between service auditor and service organization for the purposes of understanding the scope, timing and final deliverables of the audit.
  • Service organization successfully undertakes a service auditor SAS 70 Readiness assessment.
  • Service auditor reviews, analyzes, and makes comments and recommendations regarding the information obtained during the SAS 70 Readiness assessment.
  • In-depth discussion ensues with service organization regarding the SAS 70 Readiness assessment.
  • Service auditor and service organization collectively agree on any areas within the service organization’s control environment that require remediation prior to beginning the SAS 70 Type I or Type II fieldwork.
  • Service auditor sends to client a Prepared by Client (PBC) list which consists of documents and other deliverables that must be prepared prior to commencement of the SAS 70 Type I or Type II fieldwork.
  • Service auditor conducts fieldwork and holds in-depth meeting with service organization to discuss findings.
  • Preparation of initial draft report begins, with collaborative effort from service organization, ultimately leading to the generation of final SAS 70 Service Auditor’s Report.
  • Final closing meeting between service auditor and service organization to discuss the final SAS 70 Service Auditor’s Report, along with management’s comments on the audit, the intended users of the report, and all other significant items that merit discussion.

SAS 70 Type I Audit Information

Type I audits include an examination of controls that have been placed in operation and how these controls achieve the specified control objectives for a stated period of time. Generally speaking, costs and completion time for a SAS 70 Type I audit are less than those of a Type II audit.

A Type I report is only issued for a particular date. For example, a certified public accounting firm would examine a company’s controls and report on the “controls placed in operation” as of a specified point in time, such as July 1, 2009. A fair amount of criticism of SAS 70 Type I audits has centered on their limited testing period, which many feel is inadequate to gain a sufficient understanding of a service organization’s control environment. As such, Type II audits are considered the viable choice, although they too have fallen under criticism for various reasons. Type I audits are beneficial in many ways, such as laying the framework and foundation for subsequent Type II audits in future periods, along with giving the service organization an understanding of the expectations and time commitments of regulatory compliance auditing. Please note that completing consecutive Type I audits is typically rare, does not suffice for Section 404 of the Sarbanes-Oxley Act of 2002, and ultimately does not provide user organizations with the assurance they are seeking.

Performing a SAS 70 Type I audit is a structured, multi-step process, which includes a number of predefined processes and procedures that must take place to ensure its successful and timely completion. Generally, successfully completing a SAS 70 Type I and then moving towards Type II compliance for subsequent years is the most common path many service organizations choose to undertake when considering a SAS 70 roadmap for compliance that has long-term value.

SAS 70 Type II Testing Period Considerations

Type II audits include an examination of controls that have been placed in operation and testing of their operating effectiveness. Testing of controls is required for Type II audits, with a minimum testing period of six months. Testing is conducted at various predetermined points throughout the six-month period, and in a manner that significantly mitigates any business interruption. However, other factors or circumstances can lead to a shorter testing period, such as four (4) months, or a longer testing period, such as ten (10) months. Many times the test period is driven by external auditor requirements and user organization demands, along with the service organization’s financial and operational concerns about undertaking the audit itself. For example, a user organization is often notified by its external auditors (user auditors) that one of its outsourced providers (the service organization) conducts transaction processing activities that affect the user organization’s “information system”. When this happens, a dialogue amongst all parties ensues, with the testing period being a paramount topic. This is just one of many scenarios that can decide the testing period of a Type II audit.

A Type II report is issued after a generally accepted test period has been completed. For example, an accounting firm would examine a company’s controls from July 1, 2009 to November 30, 2009 and report on the “controls placed in operation and tests of operating effectiveness” for the test period of the audit.

Type II compliance can be attained by following the most common approach, whereby service organizations undergo a Type I audit, then move towards Type II compliance in subsequent years. However, due to the factors stated earlier, such as varying financial statement reporting periods for publicly traded corporations and a host of other issues, working immediately towards Type II compliance becomes the only option at times.

SAS 70 Readiness Questionnaire for Audit Readiness Review

A SAS 70 readiness questionnaire assists service organizations that are unsure of the steps that must be in place before effectively beginning the audit process for compliance; it is essentially the first step in the readiness assessment phase. By making the entity aware of the tasks involved in preparing for and ultimately engaging in this type of audit, precious time and employee man-hours are saved, which ultimately affects SAS 70 pricing. Upon examining a service organization’s controls and related activities, the service auditor can then determine whether a SAS 70 Type I or Type II audit can begin, or whether additional internal procedures need to be undertaken before analysis and fieldwork start.

Goals for a SAS 70 Readiness Questionnaire and Assessment

A SAS 70 readiness questionnaire simply augments the overall engagement process for the actual audit. It provides for a more streamlined, efficient audit, and helps mitigate business interruption when conducting the engagement itself. It should not be looked upon as an additional cost of the engagement, but rather as a useful and proactive tool for successfully completing the audit. A SAS 70 Readiness Questionnaire and the assessment itself can be completed in a number of ways, but this depends primarily on the approach used by the SAS 70 auditor. Some firms conduct readiness assessments on site, traditionally ranging from 2 to 5 days, while others have employed document exchange portals for sharing information. Each approach has its drawbacks as well as its benefits. Regardless of which approach is taken, the service auditor’s goal is to gain a comprehensive understanding and working knowledge of the service organization and its underlying control environment. Items that should be discussed include, but are not limited to, the following:

  • Audit scope and history of entity’s regulatory audit requirements
  • Development of control objectives and tests of the controls, commonly known as “control activities”
  • Methodology of audit, including issues such as how sampling and testing are defined by the auditor
  • Project milestones and deliverables