SAS 70 Update

Andrew E. Nolan, PricewaterhouseCoopers LLP, New York, NY

Fiduciary and Investment Risk Management Association, Inc., Anniversary National Training Conference, Washington D.C., April 12, 2006


Topics to be addressed

Brief SAS 70 primer

Interplay of SAS 70 and SOX 404

Trends in SAS 70 examinations


SAS 70 Primer

SAS 70 “Service Organizations” – organizations that process transactions for other (user) organizations

SAS 70 pertains to controls over processing of financial transactions

SAS 70 reports are used by user organizations and their auditors in connection with an audit of the financial statements of a user organization

2 types of reports:

Type I – design of controls and whether placed in operation

Type II – Type I plus operating effectiveness

Generally 6 month coverage period

Sub-service organizations:

Organizations that provide services to a service organization

2 methods of treatment in a SAS 70: 1) all-inclusive; 2) “carve out”

Examples of service organizations – mutual fund transfer agent, custodian, investment advisor, fund accounting agent

Examples of sub-service organizations – data center operator, pricing service


Interplay of SAS 70 and SOX 404

SOX 404 – directs the SEC to establish rules requiring annual reports of public companies to include an internal control report, which shall:

1. State responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting

2. Contain an assessment of the effectiveness of internal control structure for financial reporting


SOX 302 – directs the SEC to establish rules for periodic reports of public companies requiring the CEO and CFO to each certify that:

The signing officer has read the report

The report does not contain any untrue statement or omit any material fact

The financial statements are fairly presented

The signing officers:

Are responsible for maintaining internal controls

Have designed controls to make material facts known to such officers

Have evaluated effectiveness of controls within 90 days prior to the report

Have presented in the report conclusions on effectiveness of controls

Have disclosed to the audit committee all significant deficiencies and fraud involving management who have a significant role in controls

Have disclosed whether there were any significant changes in controls, including corrective actions


PCAOB – AS 2 “An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements”

Use of a service organization does not reduce management’s responsibility to maintain effective internal control over financial reporting

If a SAS 70 Type II report is available, management of the user organization and the user auditor may evaluate whether the report provides sufficient evidence to support management’s report and opinion

Need to consider:

Time period covered vs. dates of management’s assessment of controls

Scope of the report

Results of tests


PCAOB FAQs

Q24 – What types of outsourcing activities are part of a company’s internal control over financial reporting?

A24 – Part of the internal control structure if it affects significant classes of transactions, initiation and authorization of transactions, maintenance of accounting records, etc. (e.g. bank trust department). SAS 70 is not applicable to organizations that simply execute transactions (e.g. bank checking account)

Q25 – Is a SAS 70 Type II report issued more than six months prior to management’s assessment of controls current enough to provide evidence regarding operating effectiveness of controls?

A25 – No “bright line” test, but the older the report the less useful.

Q26 – Can registered accounting firms obtain evidence from a non-registered firm?

A26 – Yes


SEC FAQs

Q24 – May management rely on a SAS 70 Type II report issued by the service auditor of the third-party service organization if the service auditor is the same as the registrant’s auditor?

A14 – Yes, as long as the registrant doesn’t engage the service auditor to perform the SAS 70.


Trends in SAS 70 Examination

Expansion of universe of service organizations

Type I reports – decreased usefulness

Increased frequency of SAS 70 reporting

Application of PCAOB standards by analogy in SAS 70 engagements:

Sampling

Evaluation of exceptions

Compensating controls

Change in date of SAS 70 report

Qualified opinions

Elimination of non-financial statement related controls

CCO reporting

Service auditor and financial statement auditor same firm


Questions???