© Copyright 2012
Green River Capital, LC

Green River Capital and GR Financial - SAS 70 FAQ

Can you explain the process at the 50,000 foot level?

How do I read a SAS 70 audit report?

What areas do the Green River Capital and GR Financial control objectives cover?

What are the benefits of a SAS 70 certification?

What is the difference between a Type I and Type II SAS 70 Service Auditor’s Report?

How are SAS 70 audit reports generally distributed?

Can I have a control objective related to Business Continuity and/or Disaster Recovery?

How does a service organization "pass" or "fail" a SAS 70 audit?

Is SAS 70 going to be replaced? What is SSAE 16?

Will I be at a disadvantage if my competitors achieve SAS 70 certification before I do?

Can you explain the process at the 50,000 foot level?

A SAS 70 is an audit engagement that reviews and tests the effectiveness of a provider's internal controls based on the AICPA Statement on Auditing Standards No. 70. The deliverable of the engagement is the Service Auditor's Report.

In general, the service auditor's report may contain:

• Independent Service Auditor's opinion
• Description of controls in place at the service organization
• Description and results of tests for the effectiveness of controls

How do I read a SAS 70 audit report?

Since Service Auditor Reports are traditionally an auditor-to-auditor communication, reading the report for the first time can be challenging. The following three main sections provide the reader a framework.

Independent Service Auditor's Report

The Independent Service Auditor's Report should be easy to identify in the audit report. This is typically a one to two page letter from the independent auditors to the management of the service organization. The language of the opinion generally follows fairly explicit guidelines as determined by the American Institute of Certified Public Accountants (AICPA). The opinion describes the auditor's approach and the scope of the audit. An important item to look for is the date the controls were evaluated and the date(s) the controls were placed into operation. This is an easy way to determine if you are looking at a Type I or Type II report. For example, if the controls were evaluated at a point in time, but you don't see a paragraph discussing the operating effectiveness of the controls over a period of time, then you are most likely looking at a Type I report.

The Service Organization's Description of Controls

The service organization's description of controls is the responsibility of the service organization. In many cases, the service auditor will assist the service organization in preparing the description. The description of controls generally should contain the following information:

• Aspects of the service organization's control environment, risk assessment processes, information and communication processes, and monitoring processes that may affect the services provided to user organizations, as they relate to an audit of financial statements;
• Control objectives and related controls; and
• Complementary controls that may be required at user organizations.

Most of the above items are presented in a narrative format with flowcharts or diagrams to illustrate the control activities. The service organization may also provide background information on the services they provide (e.g. extent of data center locations, applications supported, etc.) and the type of processing environment they maintain.

Description and results of tests for the effectiveness of controls

This section of the Service Auditor's Report features a description of the service auditor's tests of operating effectiveness of controls and the results of those tests (this is included in a Type II report). The following elements should be included in the description:

• The controls that were tested;
• The control objectives the controls were intended to achieve; and
• An indication of the nature, timing, extent, and results of the tests, supplied in sufficient detail to enable user auditors to determine the effect of such tests on their assessments of control risk.

The above information is generally provided in a table format or matrix format for ease of reference. The service auditor may also provide recommendations for improving the service organization's controls in this section of the report.

What areas do the Green River Capital and GR Financial control objectives cover?

1. System software change management

2. Application change management

3. Physical access

4. Logical access

5. Backup and recovery

6. Job scheduling

7. Asset boarding

8. Due Diligence / Asset administration

9. Processing

10. Billing fees and expenses

11. Cash receipts

12. Re-directs and overpayment

What are the benefits of a SAS 70 certification?

There are benefits for both the service organization and the user organization.

For the service organization, an unqualified SAS 70 opinion:

• Demonstrates that the organization's controls over processes, infrastructure and applications have been reviewed and deemed effective by an independent third party.
• Provides a competitive advantage in the marketplace. User organizations are more likely to retain the services of organizations that have formally established the effectiveness of their internal controls.
• Provides a single seal of approval that can be provided to multiple user organizations, thereby freeing up resources that would otherwise be allocated to responding to individual audit requests and questionnaires from each user organization.

For the user organization, an unqualified SAS 70 opinion:

• Provides the user organization reasonable assurance that the service organization has established internal controls that are operating effectively.
• Provides insight into the nature of the service organization's controls and an independent party's assessment of their effectiveness.
• Alleviates the burden and cost of performing their own audit of the service organization.

What is the difference between a Type I and Type II SAS 70 Service Auditor’s Report?

A Type I report includes the service organization's description of its controls and objectives, and an auditor's opinion on whether the controls are suitably designed to meet the specified objectives. The Type I report reflects an opinion at a specified point in time.

A Type II report, in addition to the Type I components, includes testing and evaluation of the operating effectiveness of the internal controls. The Type II report attests, with reasonable assurance, to the effectiveness of the controls in meeting the specified objectives over a period of time, typically six months.

How are SAS 70 audit reports generally distributed?

At the conclusion of a SAS 70 audit engagement, the service auditor will issue a Service Auditor's Report. The audit reports are then provided to the service organization for distribution to their respective user organizations (i.e. customers) and the independent auditors of the user organizations (i.e. user auditors). The user organizations are usually responsible for obtaining the audit report from the service organization and then distributing it to their auditors.

Can I have a control objective related to Business Continuity and/or Disaster Recovery?

In recent years, the topics of Business Continuity and Disaster Recovery have taken on increased significance as customer organizations attempt to understand how capable their service provider is of handling a business interruption. Recent events such as the Code Red virus and the Nimda worm, as well as the catastrophe of September 11th, have demonstrated that organizations must have contingency plans in place to mitigate such risks.

Therefore, many organizations that use a third party service organization have a vested interest in the adequacy of their service provider's business continuity and disaster recovery efforts. Historically, service providers have included a control objective related to business continuity in their description of controls as part of the SAS 70 examination. However, business continuity planning is a concept that addresses how an organization mitigates future risks as opposed to actual controls that provide user auditors with a level of comfort surrounding the processing of transactions. Because of this ambiguity, the AICPA has recently provided the following guidance:

"A service organization's plans related to business continuity and contingency planning generally is of interest to the management of user organizations. If a service organization wishes to describe its business continuity and contingency plans, such information may be included in Section Four (4), "Other Information Provided by the Service Organization." Because plans are not controls, a service organization should not include in its description of controls (Section Two of the report) a control objective that addresses business continuity or contingency planning."

Therefore, controls related to business continuity and disaster recovery can still be disclosed, but the description of these activities should be included in Section Four of the final service auditor's report.

How does a service organization "pass" or "fail" a SAS 70 audit?

At the conclusion of a SAS No. 70 service auditor's examination ("SAS 70 audit"), the service auditor renders an opinion on the following:

• Whether or not the service organization's description of controls is presented fairly.
• Whether or not the service organization's controls are designed effectively.
• Whether or not the service organization's controls were placed in operation as of a specified date.

When the service auditor concludes that the above items have been accomplished, the service auditor renders what is referred to as an "unqualified opinion." While a SAS 70 audit is technically not a "pass" or "fail" audit, the receipt of an unqualified opinion from the service auditor is often referred to as "passing" the audit.

Is SAS 70 going to be replaced? What is SSAE 16?

Yes, SAS 70 will be effectively replaced by a new attestation standard for reporting on service organizations.

Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization, was finalized by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) in January 2010. Once issued, SSAE 16 will effectively replace SAS 70 as the standard for reporting on service organizations. It is expected that SSAE 16 will be formally issued in June 2010 with an effective date of June 15, 2011. SSAE 16 was drafted with the intention and purpose of updating the US service organization reporting standard so that it mirrors and complies with the new international service organization reporting standard – ISAE 3402.

For service organizations that currently have a SAS 70 service auditor's examination ("SAS 70 audit") performed, some changes will be required to report effectively under the new SSAE 16 standard. However, it is currently anticipated that these changes will not be significant.

Will I be at a disadvantage if my competitors achieve SAS 70 certification before I do?

A SAS 70 examination establishes that the controls of a service provider have been examined by an independent audit firm. An unqualified SAS 70 opinion can distinguish a provider from its competitors. In a head-to-head comparison, a user organization is likely to be more comfortable selecting a service organization that has substantiated the existence of robust controls through a SAS 70 examination. In most cases, a SAS 70 is likely to be a significant differentiator. In fact, many companies are successfully using SAS 70 as a marketing tool.

For More Information:

SAS 70 Statement on Auditing Standards

SAS 70 on Wikipedia

Green River Capital, LC
2691 S. Decker Lake Lane
West Valley, UT 84119
ph: 801-487-3800
fx: 801-487-3807