SAS 70 Update. Fiduciary and Investment Risk Management Association, Inc., Anniversary National Training Conference, Washington D.C., April 12, 2006. Andrew E. Nolan, PricewaterhouseCoopers LLP, New York, NY.
Andrew E. Nolan
PricewaterhouseCoopers LLP
New York, NY
SAS 70 Update
Fiduciary and Investment Risk Management Association, Inc.
Anniversary National Training Conference
Washington D.C.
April 12, 2006
Topics to be addressed
Brief SAS 70 primer
Interplay of SAS 70 and SOX 404
Trends in SAS 70 examinations
SAS 70 Primer
SAS 70 “Service Organizations” – organizations that process transactions for other (user) organizations
SAS 70 pertains to controls over processing of financial transactions
SAS 70’s are utilized by user organizations and their auditors in connection with an audit of the financial statements of a user organization
2 types of reports:
Type I – design of controls and whether placed in operation
Type II – Type I plus operating effectiveness
Generally 6 month coverage period
Sub-service organizations:
Organizations that provide services to a service organization
2 methods of treatment SAS 70: 1) all inclusive; 2) “carve out”
E.g.’s of service organization – mutual fund transfer agent, custodian, investment advisor, fund accounting agent
E.g.’s sub-service organization – data center operator, pricing service
Interplay of SAS 70 and SOX 404
SOX 404 – directs SEC to establish rules regarding annual reports of public companies to have an internal control report which shall:
1. State responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting
2. Contain an assessment of the effectiveness of internal control structure for financial reporting
Interplay of SAS 70 and SOX 404
SOX 302 – directs SEC to establish rules for periodic reports of public companies requiring CEO and CFO to each certify that:
The signing officer has read the report
The report does not contain any untrue statement or omit any material fact
The financial statements are fairly presented
The signing officers
Are responsible for maintaining internal controls
Have designed controls to make material facts known to such officers
Have evaluated effectiveness of controls within 90 days prior to the report
Have presented in the report conclusions on effectiveness of controls
Have disclosed to the audit committee all significant deficiencies, fraud involving management who have a significant role in controls
Have disclosed whether there were any significant changes in controls, including corrective actions
Interplay of SAS 70 and SOX 404
PCAOB – AS 2 “An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements”
Use of service organization does not reduce management’s responsibility to maintain effective internal control over financial reporting
If SAS 70 Type II report available, management of the user organization and the user auditor may evaluate whether the report provides sufficient evidence to support management’s report and opinion
Need to consider:
Time period covered vs. dates of management’s assessment of controls
Scope of the report
Results of tests
Interplay of SAS 70 and SOX 404
PCAOB FAQ’s
Q24 – What types of outsourcing activities are part of a company’s internal control over financial reporting?
A24 – Part of internal control structure if affects significant classes of transactions, initiation and authorization of transactions, maintenance of accounting records, etc. (e.g. bank trust department). SAS 70 not applicable to organizations that simply execute transactions (e.g. bank checking account)
Q25 – Is a SAS 70 Type II report issued more than six months prior to management’s assessment of controls current enough to provide evidence regarding operating effectiveness of controls?
A25 – No “bright line” test, but the older the report the less useful.
Q26 - Can registered accounting firms obtain evidence from a non-registered firm?
A26 - Yes
Interplay of SAS 70 and SOX 404
SEC FAQ’s
Q24 – May management rely on a SAS 70 Type II report issued by the service auditor of the third-party service organization if the auditor is the same auditor as the registrant?
A14 – Yes, as long as the registrant doesn’t engage the service auditor to perform the SAS 70.
Trends in SAS 70 Examination
Expansion of universe of service organizations
Type I reports – decreased usefulness
Increased frequency of SAS 70 reporting
Application of PCAOB standards by analogy in SAS 70 engagements:
Sampling
Evaluation of exceptions
Compensating controls
Change in date of SAS 70 report
Qualified opinions
Elimination of non-financial statement related controls
CCO reporting
Service auditor and financial statement auditor same firm
Questions???