Counter Strike
SAS 70 Questions & Answers
d reads a “Service Auditor’s Report”?
Statement on Auditing Standard No.70 (SAS 70) is an internationally recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA) in 1992. It is used to report on the “processing of transactions by service organizations”, which can be done by completing either a SAS 70 Type I or Type II audit. A SAS 70 Type I is known as “reporting on controls placed in operation”, while a SAS 70 Type II is known as “reporting on controls placed in operation” and “tests of operating effectiveness”.
2. Why is my organization being asked to become SAS 70 certified?
There are a number of reasons why more and more organizations (i.e., service organizations) are being asked to become SAS 70 compliant. Primarily, it stems from the growing surge of legislation, such as the passing of the following recent laws; the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Gramm-Leach-Bliley Act of 1999, but most notably, the Sarbanes-Oxley Act of 2002, section 404 and 302. Collectively, these three rulings advocate protection of privacy, corporate accountability, and establishment of internal controls throughout organizations. Thus, a need was created in many industries for a due diligence process that can aggregate many of the principles found within these three acts and provide companies with a high level of assurance and confidence when using service organizations for outsourcing critical business functions.
Additionally, the overall growth in technology and its permeation into all layers of business has facilitated the growth of SAS 70 audits. IT facilities such as Internet Service Providers (ISP’s), data warehouses, along with insurance and other health related claims processing companies have grown exponentially in recent years. Therefore, an audit process to ensure data integrity and all related transactions was needed.
There is also a huge movement within the business culture of our nation, and globally, that data and all related IT transactions must be safe and secure at all times. Because such a heavy reliance is placed on computer systems, organizations are compelled now more than ever to ensure that data and all related processes and procedures are safe, secure, and IT controls are operating as designed, in an effective manner.
As a result, SAS 70 audits are widely becoming known as the “de facto due diligence document” throughout the country and the world regarding the reporting on an organization’s internal controls that have the ability to impact financial reporting.
3. What types of industries and organizations are having to become SAS 70 compliant?
Since the scope of SAS 70 audits has grown tremendously within the last few years, service organizations within almost every conceivable industry can be viewed as potential candidates for this type of audit. Below is just a partial listing of what Bambeck & O'Connor and many industry experts consider prime candidates for SAS 70 audits:
|
|
|
|
|
|
4. What are the advantages of becoming SAS 70 certified?
There are numerous advantages for both service organizations becoming SAS 70 certified and the users of SAS 70 reports.
- Benefits to Service Organizations: An unqualified (i.e., “clean”) opinion from a SAS 70 service auditor’s report demonstrates that your organization has effective controls that are in place. A Type I SAS 70 report would issue an unqualified opinion for a stated point in time (i.e., as of June 1, 2005), while a Type II report would also issue an unqualified opinion over a stated time period (i.e., for the period June 1, 2005 to November 30, 2005). An additional benefit to service organizations is the ability to leverage SAS 70 certification into a market differentiator against existing competitors who are vying for outsourcing contracts from user organizations. Becoming SAS 70 compliant also greatly decreases business interruption incidents by effectively removing the possibility of sporadic audits throughout the year for the sole purpose of satisfying requirements set forth by user organizations.
- Benefits to User Organizations: Ultimately, user organizations are able to gain a greater understanding and assurance of the internal controls in place at service organizations. SAS 70 certification signifies that service organizations have taken proactive steps in developing and implementing numerous controls throughout the identified platform being used to process transactions for user organizations. Furthermore, SAS 70 Type I and Type II reports assist external auditors for user organizations by cutting down on the time and costs of having to inquire on controls at service organizations.
5. What are the primary differences between a SAS 70 audit and the host of security assessments provided by IT consultants?
Because of the unique nature of what is allowed to be included in a SAS 70 report, auditors have implemented an exhaustive list of policies, procedures and related controls that must be examined for this type of engagement. Therefore, what makes this type of audit superior to any other type of internal control review is quite simply the scope of the engagement and the voluminous amount of information included in the final service auditor’s report. While IT security consultants focus primarily on general and application controls when conducting their assessments, SAS 70 auditors emphasize these features, and many more, such as operational and Human Resource issues, along with physical security guidelines and business continuity plans in the unlikely event of a business interruption disaster. In essence, the greater the scope, the more meaningful and useful the document is. And this is what makes SAS 70 superior to any other internal control review procedure.
6. Who can provide this type of service to my organization?
Only a Certified Public Accountant (CPA) or accounting firm can sign-off and issue a SAS 70 Type I or Type II service auditor’s report. While there are many IT professionals who engage in SAS 70 audit work, they are strictly prohibited from issuing a report, and therefore, should never be looked upon as a primary source for conducting this type of audit. While they may provide needed skill sets at times, they are generally deficient in many traditional accounting and auditing skills, and therefore, lack the ability to understand various components of a SAS 70 audit. Only a seasoned accountant, with both financial statement auditing and IT skills, should be considered as the primary source for SAS 70 engagements.
7. What are the primary differences between a SAS 70 Type I and Type II engagement?
A Type I report simply is issued for a particular date. For example, an accounting firm would examine a company’s controls and report on the processing of transactions and these controls for a specified point in time, such as June 1, 2005.
A Type II report is issued after a minimum six-month testing period has been completed. For example, an accounting firm would examine a company’s controls from June 1, 2005 to November 30, 2005 and report on the controls placed in operations and tests of operating effectiveness for that same period. Unlike a Type I, which consists of inquiry and observation of controls, a Type II would include testing of controls.
Listed below are contents found in a Type I and Type II report:
Information |
Type I |
Type II |
SAS 70 Service Auditor’s Report |
Required |
Required |
Description of Controls |
Required |
Required |
Information Provided by the Service Auditor (a detailed listing of controls and testing of operating effectiveness) |
Optional |
Required |
Information Provided by the Service Organization |
Optional |
Optional |
User organization Control Considerations (Controls that user organizations have in place) |
Optional |
Optional |
8. What should my organization expect to pay for these services?
Because most organizations conducting SAS 70 engagements have failed to produce and implement pricing strategies that meet the changing needs of service organizations, inconsistent and costly engagement fees are all too common. Bambeck & O'Connor’s Fixed Fee Philosophy has fundamentally changed the way SAS 70 engagements are priced. We believe in giving you an upfront, fixed quote, which we will adhere to throughout the engagement, with no additional costs. Our pricing philosophy is based on the following:
- A Fixed Fee Philosophy which includes all engagement costs, including what many firms traditionally call “out-of-pocket” expenses, such as travel, meals, and lodging.
- Strict adherence to the Fixed Fee Philosophy, even if additional work is deemed necessary after our scoping analysis is performed and subsequent fieldwork begins.
- A detailed analysis of exactly how your organization’s funds are being spent. We will include pricing for all activities within the engagement, even projected travel and lodging costs. It’s your money; you should know how it’s being spent.
9. What are the advantages of using your firm for SAS 70 certification?
Bambeck & O'Connor has developed customized templates for each specific industry, allowing us to perform at unprecedented levels of efficiency and attention to detail.
Our team members have years of experience in performing SAS 70 audits and we refined our process to ensue our clients the following:
-
Minimum business interruption when performing the engagement
-
A fixed fee. No approximations or hidden costs
-
Employing only industry experts, such as Certified Public Accountants and accredited IT professionals
10. Can you provide a detailed explanation on how your firm would approach and conduct a SAS 70 audit on my organization?
Bambeck & O'Connor has developed a customized audit process known as Roadmap to Compliance, which highlights the primary, critical steps needed to be taken to earn a Type I or Type II certification and subsequent issuance of a service auditor’s report. This methodology is based on years of research and working with clients on SAS 70 engagements. SAS 70 compliance for service organizations is achieved by diligently following these steps which can be viewed by visiting our BROCHURES tab, which contains adobe files of SAS 70 Type I and Type II audit processes.
11. What areas of my organization will you be conducting a SAS 70 audit on?
Because of the very specialized nature of SAS 70 audits, your entire organization does not go through this audit. Instead, the identified platform or platforms that are currently being used to conduct outsourcing activities related to user organizations is what will be audited along with other areas deemed vital by Bambeck & O'Connor. For example, if your service organization is conducting outsourcing activities relating to claims processing, then all processes and transaction relating to that specific platform will be under the scope of a SAS 70 audit. Moreover, a number of operational general controls will also be observed, such as the following:
- What is your organization’s corporate tone, known as “tone at the top”?
- Does your organization have effective hiring and termination policies?
- Does your organization have in place policies and manuals concerning work place professionalism and use of company property?
- What qualitative and quantitative procedures are in place throughout your organization that assist in maintaining effective internal controls?
- And many more…
It must be noted that these controls are inquired upon primarily to gain a better understanding of the overall corporate tone of the organization. The theory is based on the following: Good, sound controls in place for general operational areas are just as important as the highly specialized application controls found throughout software applications and the identified platforms. In essence, a SAS 70 audit is looking at a service organization that implements controls throughout various levels of its company, not just the identified platform being targeted by a SAS 70.
12. What industry standards do you use when conducting a SAS 70 audit?
SAS 70 auditing procedures utilize a combination of standards derived primarily from institutions having extensive experience in analyzing and developing critical general and applications controls. Many of these standards are recognized as globally accepted best practices approaches, and have been adopted by accountants and consultants worldwide. Listed below is a brief description of the standards used when conducting a SAS 70 audit.
COBIT
First released in 1996 and known as the “Control Objectives for Information and Related Technology”, COBIT is an internationally accepted standard for Information Technology security and control practices that is now in its third edition. Published by the IT Governance Institute, COBIT is fast becoming one of the key standards used by corporations around the globe who need a well-defined set of policies regarding internal control over information and related IT systems. COBIT is compliant with other standards, such as COSO and ISO 17799, and contains 34 high-level control objectives along with over 300 detailed control objectives.
Essentially, COBIT represents an authoritative, up-to-date control framework, a set of generally accepted control objectives, along with a complimentary product that allows the straightforward application of the Framework and Control Objectives - called the Audit Guidelines. COBIT applies to enterprise-wide information systems, such as personal computers, mini-computers, mainframes and distributed environments. Since the 1st edition of COBIT was released in 1996 it has been sold and implemented in over 100 countries throughout the world.
COSO
Known as the Committee of Sponsoring Organizations of the Treadway Commission, or COSO, it originated in 1985 to address the questionable and fraudulent activities with financial reporting. Key concepts and principles of COSO are built on a theme advocating good, sound internal control practices within organizations. COSO defines internal control as a process, influenced by all personnel, such as the board of directors, senior management, and staff.
Over time, COSO has grown to include additional elements deemed vital for implementing effective internal control procedures. To date, the key concepts for COSO regarding internal control are the following:
- Internal control is a process. It is a means to an end, not an end in itself.
- Internal control is influenced by people. It is not simply policy manuals and forms, but people at every level of an organization.
- Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an organization’s management and board.
- Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.
The Internal Control – Integrated Framework along with the Enterprise Risk Management – Integrated Framework are two frameworks developed by COSO that spell out the critical principles and components of an effective enterprise risk management process, and how all important risks should be identified, assessed, responded to and controlled. It also provides a common language, so that executives, directors and others converse about risk management, they are truly communicating and understand one another.
ISO 17799
First published as a code of practice in the United Kingdom, it was renamed BS 7799 and published in 1995. Initially, there was not much acceptance due to a number of pressing IT issues, such as the coming Y2K compliance. A major overhaul was conducted in 1999, resulting in it being published as an ISO standard in December of 2000. ISO 17799 is a comprehensive set of controls comprising best practices in information security. Its main intention is to serve as a reference point for identifying a range of controls that are needed for situations where information systems are used in industry and commerce. The standard consists of eleven sections, as opposed to just ten in the 2000 standard editions. They are the following:
| 1. Security Policy | 6. Communications and Operations Management |
| 2. Organizing Information Security | 7. Access Control |
| 3. Asset Management | 8. I.S. Acquisition, development and maintenance |
| 4. HR Security | 9. Information Security Incident Management |
| 5. Physical and Environmental Security | 10. Business Continuity |
11. Compliance |
|
FFIEC
Established in 1979, the Federal Financial Institutions Examination’s Council prescribes uniform principles and standards for the federal examination of financial institutions. Many well-known governmental bodies, such as the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC), and the Board of Governors of the Federal Reserve System (FRB) use these standards for reviewing financial organizations. The FFIEC routinely publishes information directly relating to such topics as Systems Development Life Cycle (SDLC), Business Continuity and Disaster Recovery, along with guidelines for implementing general and application controls.
13. After completion of the audit, what documentation will my organization receive as evidence of SAS 70 certification?
Upon completion of a SAS 70 audit, a CPA or accounting firm will then issue a SAS 70 Service Auditor’s Report. This report will include a voluminous amount of data concerning a service organization, such as the following:
Independent Service Auditor’s Report
Also named the Independent Accountant’s Report, this signed letter will be presented at the beginning of the Service Auditor’s report, stating the opinion of the service auditor. If the SAS 70 audit conducted was a Type I, the service auditor would sign-off as either an unqualified (i.e., clean) opinion or a qualified opinion, on the report of controls placed in operation as of a specific point in time. If the audit conducted was a Type II, the service auditor would sign-off as either an unqualified or qualified opinion, on the report of controls placed in operation and tests of operating effectiveness. Great attention is given to this document by both the service organization and user organizations.
Elements of Internal Control
Within each service organization are a number of essential internal control components, which are examined during a SAS 70 audit. Each control gives valuable insight into the processes and procedures within these service organizations. Developed by COSO and known as SAS 55/SAS 78, the internal control framework consists of the following:
- Control Environment - The control environment sets the tone of an organization and influences the control consciousness of its members. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values, and competence of the entity's people; management's philosophy and operating style; the way management assigns authority and responsibility and organizes and develops its people.
- Risk Assessment - Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is the establishment of operating objectives. Risk assessment is the identification and analysis of risks relevant to the achievement of objectives. This forms a basis for determining how the risks should be managed. Because of ongoing changes in economic, regulatory, and operating conditions, mechanisms are needed to identify and deal with the special risks associated with change.
- Control Activities - Control activities are the policies and procedures that help ensure that management directives are carried out and that necessary actions are taken to address risks to achieving the entity's objectives. Control activities operate throughout the organization, at all levels, and in all functions. They include a range of activities as diverse as authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties.
- Information and Communication - Pertinent information must be identified, captured, and communicated in both a form and a timeframe that enable people to carry out their responsibilities. Information systems produce reports, containing operations, financial, and compliance-related information that make it possible to run and control an operation. Such systems deal with both internally generated data, as well as information about external events, activities, and conditions.
- Monitoring - Internal control systems need to be monitored. This is accomplished through ongoing monitoring activities, separate evaluations or a combination of the two. Ongoing monitoring includes regular management and supervisory activities, and other actions personnel take in performing their duties. The scope and frequency of separate evaluations depends primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. Internal control deficiencies should be reported to the upper operational hierarchy.
Systems Development Life Cycle and Change Management
A vital piece of a SAS 70 service auditor’s report lies within the processes that take place throughout the different cycles. In particular, attention is paid to the controls in the following environments and how an organization institutes and facilitates changes within the SDLC and the company:
- Design cycle
- Development cycle
- Testing cycle
- Production cycle
- Maintenance cycle
General Computer Controls
General controls are seen as the necessary framework that must be in place for the success of application controls. General controls can be found in the following areas:
- Logical Security
- Physical Security
- Environmental Security
- Network Security
- Computer operations
Application Controls
The primary function of these controls are to ensure the completeness and accuracy of the records and the validity of the entries made from both manual and programmed processing. Both Type I and Type II SAS 70 service auditor’s reports will include a detailed examination of application controls.
Other Material
Depending on the type of SAS 70 audit being conducted, additional areas may be included in the service auditor’s report, which are the following:
- Information Provided by the Service Auditor: This is reserved for a Type II engagement and details the testing and operating effectiveness of the control objectives and the controls specified by the user organization.
- Information Provided by the Service Organization: This material can be included for a Type I and Type II audit. Generally, it may include network topography diagrams or other types of miscellaneous materials, along with a service organization’s business continuity and disaster recovery policies and procedures.
- Client Control Considerations: This section illustrates the important relationship between the service organization and users of SAS 70 audit. It stipulates that the company requiring the audit also has an obligation to adhere to sound internal control policies within their own corporation.
14. How long is a “Service Auditor’s Report” valid for?
A service auditor report is valid for one full calendar year for both a SAS 70 Type I and a Type II audit. For example, if a service organization received a Type I service auditor’s report for reporting of controls on July 1, 2004, then it is valid until July 1, 2005. For SAS 70 Type II service auditor’s reports, if a report was issued that covered the period from June 1, 2004 to November 30, 2004, then the report is valid until November 30, 2005. Depending on a service organization’s needs and their client’s needs, testing for year two would begin approximately 6 months before the report expires. This is done to keep the SAS 70 certification valid at all times.
15. Will my organization need to be SAS 70 certified every year?
If your organization is being asked to become SAS 70 certified, then it is highly likely that continued certification will become a requirement. Why? Because organizations are now just beginning to feel the trickle down effects of Sarbanes-Oxley and many other regulatory provisions. In addition, user organizations that may not even fall under regulatory requirements are pushing service organizations to have their internal controls certified.
Lastly, now more than ever, there is a huge push within the business community to have internal controls and related processes and procedures certified, no matter what the cost and who the industry is. The scope is quite enormous, and will more than likely continue to expand at an exponential rate.
16. Ultimately, who uses and reads a “Service Auditor’s Report”?
Traditionally, service auditor’s reports were used primarily as an auditor to auditor document. This is dramatically changing as service organizations are making this document available to potential clients who are inquiring about a service organizations internal controls. With that said, its primary function is still a document used between and auditor of the service organization and the auditor of a user organization, but is now incorporating a marketing element within it.
