SAS 70: New life for an old audit standard
Companies in Hawaii have sought to engage experienced third parties to perform routine tasks such as administering payroll, managing information technology, procuring goods and collecting cash, just to name a few.
While this outsourcing trend can be a win-win for the company, the service provider and the company's stakeholders, it also adds a layer of internal control risk that must be considered.
This risk is not new at all. In fact, the American Institute of Certified Public Accountants went so far as to issue an audit standard designed to address this risk back in 1992.
Its "Statement on Auditing Standards (SAS) No. 70," titled simply Service Organizations, was and is the definitive standard by which user organizations (companies that use outsourced service providers) and their auditors can gain comfort that controls at the third-party service providers are adequate to prevent or detect a material error that could affect the user organization's financial statements.
SAS 70 allows for a third-party service provider to engage an auditor to issue one of two different internal control reports, commonly called "Type I" and "Type II" reports. These reports have very powerful, yet very limited, purposes.
Type I reports describe only controls in place at the service provider, and assess the effective design of those controls.
Type II reports go a step further. The service auditor actually tests the controls in place and reaches a conclusion about whether they are operating effectively.
User auditors can use a Type I report only to understand the third-party service provider's controls that affect their clients and to plan the audit work of their client's financial statements. Since Type I reports don't contain conclusions about the effective operation of the controls, the user auditor cannot gain assurance from those reports that the service provider's controls actually work.
Type II reports give the user organization and their auditors an opinion on the effective operation of the service provider's critical controls.
Users of significant third-party services can expect to see an increased focus by their auditors on the risks and mitigating controls at any significant third-party service provider. If the service provided by those organizations could materially affect your financial statements, your auditor is required to consider them in planning and performing its audit of your organization's financial statements.
Here are a few things you should be looking for in a good SAS 70 report:
» Is it dated during your fiscal year under audit, preferably relatively close to your fiscal year-end?
» Does it address all of the control objectives critical to your financial statements?
» Does it identify specific controls that the service organization expects your organization to perform?
For example, the SAS 70 report might state that the service provider expects you to control access to those information systems. You should review those expectations and consider their impact on your organization.
In any case, the requirement to evaluate and test internal controls at third-party service providers is finally here to stay. Regardless of which side of the equation your organization is on, now is the time to consider the implications.
Lawrence Chew is an assurance senior manager in the Honolulu office of Grant Thornton LLP. He can be reached at Lawrence.Chew@gt.com