SAS 70: new life for an old audit standard; Following Sarbanes-Oxley legislation, the standard governing internal controls for third-party providers is getting serious attention--a dozen years after it was issued.

For the past decade, a growing host of companies have sought to streamline their operations by outsourcing functions that, while necessary, do not draw on their core competencies.
A recent survey by Accenture found that nearly half of the respondents plan to outsource some portion of their procurement functions in the next three to four years. Yet, while this outsourcing trend can be a win-win for the company, the service provider and investors, it also adds a layer of internal control risk that must be considered in this Sarbanes-Oxley world. To be sure, this internal control risk is not new. In fact, the American Institute of Certified Public Accountants (AICPA) went so far as to issue an audit standard designed to address this risk back in 1992. Statement on Auditing Standards (SAS) No. 70, titled simply, Service Organizations, was and is the definitive standard by which user organizations (companies that use outsourced service providers) and their auditors can gain comfort that controls at the third-party service providers are adequate to prevent or detect a related material error that could impact the user organization's financial statements. However, for a variety of reasons, the SAS 70 standard has often been misused, misapplied or ignored in the dozen or so years since its adoption.
SAS 70 -- A Tale of Two Types

SAS 70 allows the auditor of a third-party service provider (the "service auditor") to issue one of two different internal control reports, commonly called "Type I" and "Type II" reports. These two reports have very powerful, yet very limited, purposes. Type I reports only describe the controls in place at a service provider and assess whether those controls are effectively designed. Type II reports go one step further: the service auditor actually tests the controls in place and reaches a conclusion about whether they are operating effectively. This distinction is important, because the standard requires the independent auditors of the service provider's customers (the "user auditors") to use these two reports in different ways. User auditors can use a Type I report only to understand the third-party service provider's controls that impact their clients and to plan the audit work on their clients' financial statements. Since Type I reports don't contain conclusions about the effective operation of the controls, the user auditor cannot gain assurance from those reports that the service provider's controls actually work. Accordingly, if the user auditors intend to rely on those controls, they may have to perform tests of critical controls at the service provider's location. Multiply that effort by the number of customers a service provider might have, and you could have a lot of user auditors wandering around service providers doing duplicative controls testing. Type II reports help solve this dilemma by giving the user organizations and their auditors an opinion on the effective operation of the service provider's critical controls.
Historical Misapplication

But herein lies the rub. Type II reports are significantly more expensive than Type I reports. And, since service providers aren't required by law or standard to issue any type of internal control report, they often compromise with their customers and engage their audit firms to issue only a Type I report. User auditors, happy to have any type of internal control report (even one they aren't supposed to rely on to conclude on the effective operation of critical controls), have often accepted the Type I report and then not followed up with proper control testing at the service provider. In many cases, service providers have simply refused to provide any internal control report to their customers--and again, user auditors haven't stepped up to demand them or to require that they be allowed to conduct independent control tests at the service provider. However, Sarbanes-Oxley and the events that preceded it are beginning to close the gap between the intended and actual use of the SAS 70 report. Nearly every one of the recent and highly publicized financial statement failures can be traced back to a breakdown in internal controls. While those breakdowns are not usually attributed to third-party service providers, they are nonetheless linked to the overall system of internal controls at these companies. It is also a fact that when financial statements fail, auditors get sued; and when auditors get sued, they usually lose.
Wrap all of that together in a nice neat package, and you have an investing public and a regulatory environment that now have a renewed focus on the adequacy of internal controls. You also have auditors who will no longer simply trust that there are no control problems that might impact their audit clients' financial statements without some level of effective evaluation and testing. In addition, CEOs and CFOs of public companies are finding it harder to sign all of these new quarterly and pending annual internal control certifications and assertions without some evaluation of the controls in place at significant third-party service providers. Hence the rebirth, and in some cases the new birth, of the SAS 70 report.

What the Future Holds

Users of significant third-party services--even those that are not public companies--can expect to see an increased focus by independent auditors on the risks and mitigating controls at any significant third-party service providers. If the services provided by those organizations could materially impact your financial statements, your auditor is required to consider them in planning and performing its audit of your organization's financial statements. Here are a few things your auditor will likely be looking for in a good SAS 70 report:

* Is it dated during your fiscal year under audit, preferably relatively close to your fiscal year-end? (If your year-end is Dec. 31, 2004, your auditor can't rely on a Dec. 31, 2003 SAS 70 report, since it does not address controls for the year under audit.)

* Does it address all of the control objectives that are critical to your financial statements? (Your auditor is required to consider this question in planning and performing the audit of your financial statements. If the report does not have the right scope, your auditor may still have to perform evaluations and testing at the service provider.)

* Does it identify specific controls that the service organization expects your organization to perform? SAS 70 reports typically identify certain controls that the service provider expects the user to execute. For example, the service provider may not have control over access to computers and information systems within your organization that might impact the services being provided. In such a case, the SAS 70 report might state that the service provider expects you to control access to those information systems. You should review those expectations and consider their impact on your organization.

If you are a third-party service provider, get ready for a flood of demands for Type II SAS 70 reports. To the extent that your customers' auditors require these reports, you may find your competitors gaining a leg up by offering them. On the other hand, you might turn this into your own competitive advantage by marketing the fact that you obtain an annual Type II SAS 70 report. But be careful: SAS 70 reports are not marketing tools in and of themselves. They are restricted reports, intended only for the use of the management of the service provider, their customers and their customers' independent auditors. SAS 70 reports should not be used to say to the world, "Look at us. Our auditors say we have great controls."
The controls your service auditor is opining on relate to very specific control objectives that could affect financial reporting at your customers, not your overall operations or effectiveness as a service provider.

Finally, also be on the lookout for changes in the standard, at least for public companies. The SEC's Public Company Accounting Oversight Board (PCAOB) is now responsible for setting auditing standards for public companies. For now, PCAOB has adopted the existing SAS 70 standard, but could take on a project to "enhance" that model. In any case, the requirement to evaluate and test internal controls at third-party service providers is finally here to stay. Regardless of which side of the equation your organization is on, now is the time to consider the implications for the current fiscal year.

Trent Gazzaway is National Director, Corporate Governance Advisory Services, for Grant Thornton LLP. He is based in Charlotte, N.C., and can be reached at Trent Gazzaway@gt.com or 704.632.6834.