Service organisations provide services ranging from performing a specific task under the direction of a company to replacing entire business units or functions of that company. Many companies use service organisations to accomplish tasks that affect the company's financial statements.
Because of this, auditors auditing those financial statements may need information about those services, the related service organisation's controls, and their effects on the company's financial statements.
The Statement on Auditing Standards ('SAS') No. 70, Service Organizations, is an internationally recognised auditing standard developed by the American Institute of Certified Public Accountants (AICPA, at
www.aicpa.org). SAS 70 addresses the effect that a service organisation may have on its client’s financial reporting objectives. A SAS 70 audit or service auditor's examination is widely recognised, because it shows that a service organisation has been through an in-depth audit of their control activities, which usually includes controls over information technology and related processes. This third party audit is a simpler option for client companies than either sending in their own personnel to carry out the audit, or hiring an alternative third party provider to carry out a specifically tailored audit and analysis.
In the global economy, service organisations and service providers must demonstrate that they have adequate controls and safeguards when they host or process data belonging to their customers. In addition, the requirements of Section 404 of the Sarbanes-Oxley Act of 2002 make SAS 70 audit reports even more important to the process of reporting on effective internal controls at service organisations. Specifically, service organisations whose transaction or event processing is included in their clients' financial statements (for instance, offshore provision of electronic accounting records) are within the scope of a Sarbanes Oxley 404 assessment; whereas a provider that (for instance) provides only telecommunications services would be unlikely to fall within the 404 scope. Current SEC and PCAOB guidance is that user organisations can rely on a current SAS 70 to support their assessment of internal controls.
SAS No. 70 is the authoritative guidance that allows service organisations to disclose their control activities and processes to their customers and their customers' auditors in a uniform reporting format. A SAS 70 examination signifies that a service organisation has had its control objectives and control activities examined by an independent auditing firm. A formal report including the auditor's opinion ('Service Auditor's Report') is issued to the service organisation at the conclusion of a SAS 70 examination.
SAS 70 is not a pre-determined set of control objectives or control activities that service organisations must achieve. While service auditors are required to follow the AICPA's standards for fieldwork, quality control, and reporting, a SAS 70 examination is not a checklist' audit. Neither is it a report on the quality of internal controls at any 'sub-service providers' (those organisations to whom a service provider itself outsources critical services).
SAS No. 70 is generally applicable when an auditor is auditing the financial statements of a user organisation that obtains services from another organisation, or service provider. These service providers could be application service providers, bank trust departments, claims processing centres, Internet data centres, or other data processing service bureaux.
In an audit of a user organisation's financial statements, the user auditor obtains a sufficient understanding of the service provider's internal control to enable the planning of the audit as required by SAS No. 55, Consideration of Internal Control in a Financial Statement Audit. Identifying and evaluating relevant controls is generally an important step in the user auditor's overall approach. If a service organisation provides transaction processing or other data processing services to the user organisation, the user auditor may be required to gain an understanding of the controls at that service organisation.
This Audit Guide is designed to provide guidance to auditors reporting on a service organisation's controls; it also provides guidance to auditors of companies that use service organisations. This version of the standard is the up-to-date March 2009 version.
Publisher: AICPA
Format: Softcover
Publication Date: March 2009
Availability: In Stock
Order this essential SAS 70 audit guide today for immediate despatch!