
Page 1: presents Mastering SAS 70 Audit Reports for Service

presents

Mastering SAS 70 Audit Reports for Service Organizations

Evaluating Internal Controls Issues With Type I and Type II Reports

A Live 110-Minute Teleconference/Webinar with Interactive Q&A

Today's panel features:

Mark Agulnik, Senior Manager, Assurance Services, MarcumRachlin, Fort Lauderdale, Fla.
Eric Wright, Technology Shareholder, Schneider Downs, Pittsburgh
Scott Price, Director, A-lign CPAs, Tampa, Fla.
Steve Thompson, Shareholder, Schneider Downs, Pittsburgh
Powell Jones, Business Advisory Services Manager, Grant Thornton, Atlanta

Wednesday, June 16, 2010

The conference begins at:
1 pm Eastern
12 pm Central
11 am Mountain
10 am Pacific

You can access the audio portion of the conference on the telephone or by using your computer's speakers. Please refer to the dial in/log in instructions emailed to registrants.

Page 2: presents Mastering SAS 70 Audit Reports for Service

For Continuing Education purposes, please let us know how many people are listening at your location by

• closing the notification box
• and typing in the chat box your company name and the number of attendees.
• Then click the blue icon beside the box to send.

For live event only.

Page 3: presents Mastering SAS 70 Audit Reports for Service

• If the sound quality is not satisfactory and you are listening via your computer speakers, please dial 1-866-873-1442 and enter your PIN when prompted. Otherwise, please send us a chat or e-mail [email protected] so we can address the problem.

• If you dialed in and have any difficulties during the call, press *0 for assistance.

Page 4: presents Mastering SAS 70 Audit Reports for Service

Mastering SAS 70 Audit Reports For Service Organizations Webinar

June 16, 2010

Mark Agulnik, MarcumRachlin, [email protected]
Eric Wright, Schneider Downs, [email protected]
Steve Thompson, Schneider Downs, [email protected]
Scott Price, A-lign CPAs, [email protected]
Powell Jones, Grant Thornton, [email protected]

Page 5: presents Mastering SAS 70 Audit Reports for Service

Today's Program

Key Terms Of SAS 70, Slides 6-30 (Mark Agulnik)

Changing Uses Of SAS 70 Reports, Slides 31-37 (Scott Price)

Audit Requirements, Preparation Tactics, Slides 38-51 (Eric Wright and Steve Thompson)

SSAE 16/ISAE 3402, Slides 52-63 (Powell Jones)

Page 6: presents Mastering SAS 70 Audit Reports for Service

Key Terms Of SAS 70

Mark Agulnik, MarcumRachlin

Page 7: presents Mastering SAS 70 Audit Reports for Service

What Is SAS 70?

Statement on Auditing Standards (SAS) No. 70, Service Organizations, is a widely recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA). It represents that a service organization has been through an in-depth audit of its control objectives and control activities. In today's global economy, service organizations or service providers must demonstrate that they have adequate controls and safeguards when they host or process data belonging to their customers.

SOX has also affected the importance of SAS 70 audit reports, as many service organizations or service providers, including data centers, credit card processing centers and payroll processors, host and/or process critical data.

SAS 70 does not provide any prescribed guidance regarding scope definition, testing approach or requirements to establish compliance. The standard leaves the responsibility to the service provider and auditor to define appropriateness.

P A S S I O N   I N T E G R I T Y   E X C E L L E N C E   A Division of Marcum LLP

FLORIDA NEW YORK NEW JERSEY CONNECTICUT PENNSYLVANIA GRAND CAYMAN 7

Page 8: presents Mastering SAS 70 Audit Reports for Service

History Of Internal Control/SAS 70 Guidance

Statement (Date Issued): Title of Statement

SAP No. 29 (October 1958): Scope of the Independent Auditor's Review of Internal Control

SAP No. 41 (November 1971): Reports on Internal Control

SAP No. 54 (November 1972): The Auditor's Study and Evaluation of Internal Control

SAP No. 3 (December 1974): The Effects of EDP on the Auditor's Study and Evaluation of Internal Control

SAS No. 44 (December 1982): Special-Purpose Reports on Internal Accounting Control at Service Organizations

SAS No. 48 (July 1984): The Effects of Computer Processing on the Audit of Financial Statements

SAS No. 55 (April 1988): Consideration of Internal Control in a Financial Statement Audit

SAS No. 70 (April 1992): Service Organizations

SAS No. 78 (December 1995): Consideration of Internal Control in a Financial Statement Audit: An Amendment to Statement on Auditing Standards No. 55

SAS No. 88 (December 1999): Service Organizations and Reporting on Consistency

SAS No. 94 (May 2001): The Effect of Information Technology on the Auditor's Consideration of Internal Control in a Financial Statement Audit

PCAOB No. 2 (March 2004): An Audit of Internal Control over Financial Reporting in Conjunction with an Audit of Financial Statements. Note: Appendix B refers to Service Organizations.

PCAOB No. 5 (May 2007): An Audit of Internal Control over Financial Reporting that is Integrated with an Audit of Financial Statements. Note: Appendix B17-B27 covers Service Organization considerations.

ISAE No. 3402 (December 2009): Assurance Reports on Controls at a Service Organization

SSAE No. 16 (June 2010): Reporting on Controls at a Service Organization


Page 9: presents Mastering SAS 70 Audit Reports for Service

Relevant Definitions

User organization - The entity that has engaged a service organization and whose financial statements are being audited

User auditor - The auditor who reports on the financial statements of the user organization

Service organization - The entity (or segment of an entity) that provides services to a user organization that are part of the user organization's information system

Service auditor - The auditor who reports on controls of a service organization that may be relevant to a user organization's internal control as it relates to an audit of financial statements


Page 10: presents Mastering SAS 70 Audit Reports for Service

Relevant Definitions (Cont.)

Report on controls placed in operation (KNOWN AS A SAS 70 TYPE 1) - A service auditor's report on a service organization's description of its controls that may be relevant to a user organization's internal control as it relates to an audit of financial statements, on whether such controls were suitably designed to achieve specified control objectives, and on whether they had been placed in operation as of a specific date

Report on controls placed in operation and tests of operating effectiveness (KNOWN AS A SAS 70 TYPE 2) - A service auditor's report on a service organization's description of its controls that may be relevant to a user organization's internal control as it relates to an audit of financial statements, on whether such controls were suitably designed to achieve specified control objectives, on whether they had been placed in operation as of a specific date, and on whether the controls that were tested were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the related control objectives were achieved during the period specified


Page 11: presents Mastering SAS 70 Audit Reports for Service

Guidance To Service Auditors On Assessing A Service Organization’s Internal Controls And Issuing A Report

The service auditor is responsible for the representations in his or her report and for exercising due care in the application of procedures that support those representations.

Although a service auditor's engagement differs from an audit of financial statements conducted in accordance with generally accepted auditing standards, it should be performed in accordance with the general standards and with the relevant fieldwork and reporting standards.

Although the service auditor should be independent from the service organization, it is not necessary for the service auditor to be independent from each user organization.

The service auditor may become aware of illegal acts, fraud or uncorrected errors attributable to the service organization's management or employees that may affect one or more user organizations. The service auditor's responsibilities regarding errors, fraud and illegal acts are discussed in Sect. 312, Audit Risk and Materiality in Conducting an Audit, and Sect. 317, Illegal Acts by Clients.


Page 12: presents Mastering SAS 70 Audit Reports for Service

Guidance To Service Auditors On Assessing Service Organization’s Internal Controls And Issuing A Report (Cont.)

No single specific test of controls is always necessary, applicable or equally effective in every circumstance and every engagement. Therefore, the auditor should use professional judgment to determine what constitutes sufficient appropriate audit evidence under the specific circumstances of the engagement.

Meet with management prior to commencement of the SAS 70 and determine who wants the SAS 70 and for what purpose. The SAS 70 only has value if it is meeting the user's objectives.


Page 13: presents Mastering SAS 70 Audit Reports for Service

Guidance To User Auditors Of Financial Statements For An Entity Using One Or More Service Organizations

As required by SAS 109, an auditor should obtain an understanding of each of the five components of the entity's internal control sufficient to assess the risks of material misstatement and to design the nature, timing and extent of further audit procedures.

The auditor should use such knowledge to:

A: Identify types of potential misstatements and consider factors that affect the risks of material misstatements

B: Design tests of controls to determine the nature, timing and extent of procedures to be performed


Page 14: presents Mastering SAS 70 Audit Reports for Service

Guidance To User Auditors Of Financial Statements For An Entity Using One Or More Service Organizations (Cont.)

If the user organization significantly uses a service organization, in obtaining an understanding of the entity's internal control sufficient to assess the risks of material misstatement, the auditor may need to obtain an understanding of the controls of the service organization.

High degree of interaction:

When the user organization initiates transactions and the service organization executes and does the accounting processing of those transactions, there is a high degree of interaction between the activities at the user organization and those at the service organization.

If the user organization implements highly effective internal controls over the processing of transactions at the service organization, the user auditor may not need to gain an understanding of the controls at the service organization in order to plan the audit.

For example, if the user organization has such controls, the user auditor could obtain an understanding of the controls by performing a walk-through at the user organization.


Page 15: presents Mastering SAS 70 Audit Reports for Service

Guidance To User Auditors Of Financial Statements For An Entity Using One Or More Service Organizations (Cont.)

Low degree of interaction:

When the service organization initiates, executes and does the accounting processing of the user organization's transactions, there is a lower degree of interaction between the activities at the user organization and those at the service organization. In these circumstances, it may not be practicable for the user organization to implement effective controls for those transactions.

If the user organization has a low degree of interaction and has not placed into operation effective internal controls over the activities of the service organization, the user auditor would most likely need to gain an understanding of the relevant controls at the service organization in order to plan the audit. The understanding can be obtained by:

• Reviewing a copy of the service auditor's report on the service organization's description of its controls, and/or

• Contacting the service organization to obtain specific information, and/or

• Visiting the service organization to make inquiries and observations, review documentation and perform the necessary procedures, and/or

• Requesting that a service auditor be engaged to perform procedures that will provide the necessary information


Page 16: presents Mastering SAS 70 Audit Reports for Service

Guidance To User Auditors Of Financial Statements For An Entity Using One Or More Service Organizations (Cont.)

Information about the nature of the services provided by a service organization that are part of the user organization's information system, and the service organization's controls over those services, may be available from a wide variety of sources, such as the following:

• User manuals

• System overviews

• Technical manuals

• The contract between the user organization and the service organization

• Reports by service auditors, internal auditors or regulatory authorities on the service organization's controls

If the user auditor is unable to obtain sufficient audit evidence to achieve his or her audit objectives, the user auditor should qualify his or her opinion or disclaim an opinion on the financial statements because of a scope limitation.


Page 17: presents Mastering SAS 70 Audit Reports for Service

Guidance To User Auditors Of Financial Statements For An Entity Using One Or More Service Organizations (Cont.)

When the user auditor obtains an understanding of the internal control, including reviewing the user organization's SAS 70, the user auditor may identify certain user organization controls that, if effective, would permit the user auditor to assess control risk as low or moderate for particular assertions.

Note: Although a type 1 report is sufficient for the user auditor to obtain an understanding of the internal control to determine whether the controls are designed and implemented, it is not sufficient to assess control risk below maximum in order to reduce substantive procedures.

In order for the user auditor to assess risk below maximum (relating to the service auditor's internal controls), the user auditor may:

A: Rely on the service auditor's report on controls placed in operation and tests of operating effectiveness (type 2 SAS 70 report)

B: Perform tests of controls at the service organization (tests performed by the user auditor)

C: Test the user organization’s controls over the activities of the service organization


Page 18: presents Mastering SAS 70 Audit Reports for Service

Guidance To User Auditors Of Financial Statements For An Entity Using One Or More Service Organizations (Cont.)

If the user auditor decides to use a service auditor's report, the user auditor should consider the extent of the evidence provided by the report about the effectiveness of controls intended to prevent or detect material misstatements in the particular assertions.

A user auditor should determine whether the specific tests of controls and results in the service auditor's report are relevant to assertions that are significant in the user organization's financial statements.

The user auditor remains responsible for evaluating the evidence presented by the service auditor and for determining its effect on the assessment of control risk at the user organization. In evaluating these factors, user auditors should also keep in mind that, for certain assertions, the shorter the period covered by a specific test and the longer the time elapsed since the performance of the test, the less support for control risk reduction the test may provide.


Page 19: presents Mastering SAS 70 Audit Reports for Service

Guidance To User Auditors Of Financial Statements For An Entity Using One Or More Service Organizations (Cont.)

In considering whether the service auditor's report is satisfactory for his or her purposes, the user auditor should make inquiries concerning the service auditor's professional reputation. Appropriate sources of information concerning the professional reputation of the service auditor are discussed in Sect. 543, Part of Audit Performed by Other Independent Auditors.

When assessing a service organization's controls and how they interact with a user organization's controls, the user auditor may become aware of the existence of significant deficiencies or material weaknesses in internal control. In such circumstances, the user auditor should consider the guidance provided in Sect. 325, Communicating Internal Control Related Matters Identified in an Audit (SAS 112/115).


Page 20: presents Mastering SAS 70 Audit Reports for Service

Type 1 - Reports On Controls Placed In Operation

Note: The following apply to both type 1 and type 2 reports

The information necessary for a report on controls placed in operation ordinarily is obtained through discussions with appropriate service organization personnel and through reference to various forms of documentation, such as system flowcharts and narratives.

The description should contain a discussion of the features of the service organization's controls that would have an effect on a user organization's internal control.


Page 21: presents Mastering SAS 70 Audit Reports for Service

Type 1 - Reports On Controls Placed In Operation (Cont.)

They may include controls within the control environment, risk assessment, control activities, information and communication, and monitoring components of internal control.

The control environment may include hiring practices and key areas of authority and responsibility.

Risk assessment may include the identification of risks associated with processing specific transactions.

Control activities may include policies and procedures over the modification of computer programs, and are ordinarily designed to meet specific control objectives.

Information and communication may include ways in which user transactions are initiated and processed.

Monitoring may include the involvement of internal auditors, audit committee, etc.

Page 22: presents Mastering SAS 70 Audit Reports for Service

Type 1 - Reports On Controls Placed In Operation (Cont.)

Although a service auditor's report on controls placed in operation is as of a specified date, the service auditor should inquire about changes in the service organization's controls that may have occurred before the beginning of fieldwork.

If the service auditor believes that the changes would be considered significant by user organizations and their auditors, those changes should be included in the description of the service organization's controls.

If the service auditor concludes that the changes would be considered significant by user organizations and their auditors, and the changes are not included in the description of the service organization's controls, then the service auditor should describe the changes in his or her report. Such changes include:

• Procedural changes made to accommodate provisions of a new Statement of Financial Accounting Standards

• Major changes in an application to permit online processing

• Procedural changes to eliminate previously identified deficiencies


Page 23: presents Mastering SAS 70 Audit Reports for Service

Type 1 - Reports On Controls Placed In Operation (Cont.)

Changes that occurred more than 12 months before the date being reported on normally would not be considered significant, because they generally would not affect user auditors' considerations.

The description of controls and control objectives required for these reports may be prepared by the service organization. If the service auditor prepares the description of controls and control objectives, the representations in the description remain the responsibility of the service organization.

A service auditor's report expressing an opinion on a description of controls placed in operation at a service organization should contain:

A: A specific reference to the applications, services, products or other aspects of the service organization covered.

B: A description of the scope and nature of the service auditor’s procedures.


Page 24: presents Mastering SAS 70 Audit Reports for Service

Type 1 - Reports On Controls Placed In Operation (Cont.)

C: Identification of the party specifying the control objectives

D: An indication that the purpose of the service auditor's engagement was to obtain reasonable assurance about whether (1) the service organization's description presents fairly, in all material respects, the aspects of the service organization's controls that may be relevant to a user organization's internal control as it relates to an audit of financial statements; (2) the controls were suitably designed to achieve specified control objectives; and (3) such controls had been placed in operation as of a specific date.

E: A disclaimer of opinion on the operating effectiveness of the controls

F: The service auditor's opinion on whether the description presents fairly, in all material respects, the relevant aspects of the service organization's controls that had been placed in operation as of a specific date and whether, in the service auditor's opinion, the controls were suitably designed to provide reasonable assurance that the specified control objectives would be achieved if those controls were complied with satisfactorily

Page 25: presents Mastering SAS 70 Audit Reports for Service

Type 1 - Reports On Controls Placed In Operation (Cont.)

G: A statement of the inherent limitations of the potential effectiveness of controls at the service organization and of the risk of projecting to future periods any evaluation of the description

H: Identification of the parties for whom the report is intended

If the service auditor believes that the description is inaccurate or insufficiently complete for user auditors, then the service auditor's report should so state and should contain sufficient detail to provide user auditors with an appropriate understanding.

If there are significant deficiencies in the design or operation of the service organization's controls that preclude the service auditor from obtaining reasonable assurance that specified control objectives would be achieved, then the report should be modified.


Page 26: presents Mastering SAS 70 Audit Reports for Service

Type 1- Reports On Controls Placed In Operation (Cont.)

In our opinion, except for the matter referred to in the preceding paragraph, the accompanying description of the aforementioned application presents fairly, in all material respects, the relevant aspects of XYZ Service Organization's controls that had been placed in operation as of [insert date].

For the service auditor to express an opinion on whether the controls were suitably designed to achieve the specified control objectives, it is necessary that:

A: The service organization identify and appropriately describe such control objectives and the relevant controls

B: The service auditor consider the linkage of the controls to the stated control objectives

C: The service auditor obtain sufficient appropriate audit evidence to reach an opinion


Page 27: presents Mastering SAS 70 Audit Reports for Service

Type 2 - Reports On Controls Placed In Operation And Tests Of Operating Effectiveness

In addition to the requirements of type 1, there are additional requirements to type 2

Similar to type 1, the information necessary for a report on controls placed in operation ordinarily is obtained through discussions with appropriate service organization personnel and through reference to various forms of documentation, such as system flowcharts and narratives.

However, with a type 2, the service auditor must perform tests of controls.

The service auditor applies tests of controls to determine whether specific controls are operating with sufficient effectiveness to achieve specified control objectives. Sect. 350, Audit Sampling, as amended, provides guidance on the application and evaluation of audit sampling in performing tests of controls.


Type 2 - Reports On Controls Placed In Operation And Tests Of Operating Effectiveness (Cont.)

A service auditor’s report expressing an opinion on a description of controls placed in operation at a service organization and tests of operating effectiveness should contain:

A: A specific reference to the applications, services, products or other aspects of the service organization covered [same as type 1]

B: A description of the scope and nature of the service auditor’s procedures [same as type 1]

C: Identification of the party specifying the control objectives [same as type 1]

D: An indication that the purpose of the service auditor’s engagement was to obtain reasonable assurance about whether (1) the service organization’s description presents fairly, in all material respects, the aspects of the service organization’s controls that may be relevant to a user organization’s internal control as it relates to an audit of financial statements; (2) the controls were suitably designed to achieve specified control objectives; and (3) such controls had been placed in operation as of a specific date [same as type 1]


Type 2 - Reports On Controls Placed In Operation And Tests Of Operating Effectiveness (Cont.)

E: The service auditor’s opinion on whether the description presents fairly, in all material respects, the relevant aspects of the service organization’s controls that had been placed in operation as of a specific date and whether, in the service auditor’s opinion, the controls were suitably designed to provide reasonable assurance that the specified control objectives would be achieved if those controls were complied with satisfactorily [same as type 1]

F: A reference to a description of tests of specific service organization controls designed to obtain evidence about the operating effectiveness of those controls in achieving specified control objectives. The description should include the controls that were tested, the control objectives the controls were intended to achieve, the tests applied, and the results of the tests. The description should include an indication of the nature, timing and extent of the tests, as well as sufficient detail to enable user auditors to determine the effect of such tests on user auditors' assessments of control risk. To the extent that the service auditor identified causative factors for exceptions, determined the current status of corrective actions, or obtained other relevant qualitative information about exceptions noted, such information should be provided [only type 2].

Type 2 - Reports On Controls Placed In Operation And Tests Of Operating Effectiveness (Cont.)

K: A statement that the service auditor has performed no procedures to evaluate the effectiveness of controls at individual user organizations [only type 2]

L: A statement of the inherent limitations of the potential effectiveness of controls at the service organization and of the risk of projecting to the future any evaluation of the description or any conclusions about the effectiveness of controls in achieving control objectives [same as type 1]

M: Identification of the parties for whom the report is intended [same as type 1]


Changing Uses Of SAS 70 Reports

Scott Price, A-lign CPAs


Original Uses Of SAS 70 Reports

• Communicate operational controls to comply with SAS 55

• Communicate controls and control testing results needed for user organization financial statement audit purposes

• Communicate controls and control testing results to company management and Board of Directors


Evolution Of SAS 70 Report Uses

• Comply with contractual obligations

• Comply with regulatory requirements
– HIPAA
– Gramm-Leach-Bliley
– FFIEC
– FDIC


Evolution Of SAS 70 Report Uses (Cont.)

• Communicate business continuity/disaster recovery controls
– Removal of business continuity/disaster recovery controls in 2002 audit guide

• Part of initial and annual vendor due diligence

• Requirement in requests for proposals (RFPs)


Effect Of Sarbanes-Oxley

• Caused SAS 70 audit changes
– Increase requirements for Type 2 SAS 70 audits

– Change in ending review period
– Increase in number of 12-month review periods
– Improvement in testing methods
– Additional user control consideration focus
– SAS 70 audit qualifications affect SOX 404 compliance


Marketing Benefits Of SAS 70 Audits

• Compliance with request for proposal requirements

• Competitive advantages

• Press release completion

• Reduced audit costs to user organizations


Common SAS 70 Report Misconceptions

• Not a certification

• Not a security audit

• Not “good” for one-year period

• Sarbanes-Oxley does not mandate completion

• Not for cloud computing

• Not a restricted distribution report


Audit Requirements, Preparation Tactics

Eric Wright, Schneider Downs
Steve Thompson, Schneider Downs


Agenda For This Section

• Determining the service areas to test

• Setting testing locations and parameters

• Identifying control objectives and activities

• Proper length of the testing period

• How clients should prepare for a SAS 70 audit

• Common mistakes/best practices


Determining Service Areas To Test

1. Determine who the user organizations are

The first step in determining what service areas will be tested in a SAS 70 audit is to identify who the user organizations are and how the services provided by the service organization are likely to affect user organizations.

Part of this determination should include whether user organizations are regulated by governmental agencies and if so, what impact such regulations will have on the scope of the engagement.


Determining Service Areas To Test (Cont.)

2. Determine what controls are relevant to users

Service organization controls are considered relevant to a user organization’s internal control if they represent or affect a user organization’s internal control as it relates to an audit of financial statements. Service organizations generally should be able to identify the types of relevant assertions to which their controls are likely to relate.

Certain aspects of the services provided or processing performed by the service organization may not be relevant to user organizations and their auditors, or may be beyond the scope of the engagement.

Determining what areas are relevant to user organizations and their auditors is an important step early in the process.


Determining Service Areas To Test (Cont.)

3. Determine what controls/service areas are required by users

Contractual obligations of the service organization may be another determining factor as to what service areas should be covered by the SAS 70 audit.

Reviewing contracts with customers, and determining whether contracts include details relative to controls for which the service organization is responsible, is a key step that should be performed in conjunction with determining what controls are relevant to users.


Determining Service Areas To Test (Cont.)

4. Identify risks that threaten achievement of control objectives

Based on the determinations of controls that are relevant to users and the controls that are required by users, service organization management should identify the risks that threaten the achievement of the control objectives over the core processes, systems and applications that are likely to have an impact on user organizations’ financial statements.


Setting Testing Locations And Parameters

In conjunction with identifying the service areas to be tested, service organizations should identify the locations where controls reside and determine what locations should be included in the scope of the SAS 70 audit.

Additionally, once user organizations are identified, the fiscal years of the user organizations should be identified. Type 2 service auditor reports are most useful when the examination period includes as many months as possible within user organizations’ fiscal years and is available for the user auditors to plan their audit procedures. Thus, the fiscal years of users are a key factor to consider for setting testing parameters.


Identifying Internal Control Objectives And Activities

Once the service areas to be tested have been determined, control objectives and related control activities can be identified and documented within the service organization’s description of controls. The service organization is responsible for preparing the detailed description of controls.

The description of controls typically should include the aspects of the service organization’s control environment, risk assessment, information and communication systems, and monitoring that may affect the services provided to user organizations, as it relates to an audit of financial statements. The description should also include the control objectives and related controls, as well as any changes to controls since the later of the date of the last report or within the last 12 months.

The process for identifying the control objectives and related control activities should include evaluation and linkage to the risks identified during the determination of service areas to be tested. The SAS 70 audit should typically include only those control objectives and related controls that relate to relevant financial statement assertions and mitigate the identified risks.


Proper Length Of The Testing Period

To be useful to user auditors, Type 2 examination periods are ordinarily six to 12 months in length. In certain situations, there are some reasons that may warrant the report period to cover less than six months, including:

• Controls cannot be tested for operating effectiveness for a six-month period, due to the service auditor being engaged close to the date by which the SAS 70 report is to be issued.

• The service organization or a particular system or application has been in operation for less than six months.

• Significant changes have been made to the controls, and it is not practical to wait six months to issue a report or to issue a report prior to and after the changes.

How Clients Should Prepare For SAS 70 Audit

1. Determine who the user organizations are
2. Determine what controls are relevant to or required by user organizations
3. Identify risks
4. Set testing locations and parameters
5. Identify internal control objectives and activities
6. Determine the proper length of the testing period
7. Ensure that proper evidence to support the controls to be tested is retained
8. Sometimes, system changes to retain evidence will affect the performance of your system.
9. Control environment should be assessed for sustainability
10. Changes in processes, systems and the control environment must be considered and incorporated into the description of controls.


How Clients Should Prepare For SAS 70 Audit (Cont.)

Additional procedures that service organizations should consider when preparing for a SAS 70 audit include:

• Conducting a self assessment or readiness assessment to determine whether controls are in place and properly designed. Readiness assessments can help identify opportunities for control optimization and for improvements to processes and controls. They can also facilitate evaluation of documentation maintained to support operation of controls.

• Appointing one or two (one operational and one IT) service organization personnel to facilitate coordination of the SAS 70 audit procedures and documentation requests

• Conducting training of service organization employees to communicate the importance of the SAS 70 audit, to set expectations for the audit, to build awareness of the SAS 70 audit requirements, and to support a control-minded culture


Common Mistakes/Best Practices

• During the walk-through or process identification stage, process owners interviewed are not accurate in describing the process.

• Inaccurate narratives
• Inaccurate testing plan
• Results in duplication of effort as process is re-defined

• No accountability at the service organization to manage the process

• Inefficient process for management and auditor
• Need a proactive review of narrative and tests of controls each year to incorporate changes – fresh look

• Insufficient documentation to evidence the control exists or can be tested

• Inconclusive testing
• Removal of control from report, which could affect achievement of the control objective

• Have controls to capture data for entire period to ensure completeness of the populations used for testing

• Inability to conclude on the full size of the population


Common Mistakes/Best Practices (Cont.)

• Lack of ownership as to who will write or prepare Section II of the report

• Report delays/missed deadlines
• Poorly written narratives not aligned with control objectives

• Report flow of Section II narrative is not cohesive or in agreement with Section III

• Controls described in narrative not included or tested in Section III
• Controls listed and tested within Section III not described in narrative


Contact Information

Steve Thompson, Assurance Advisory Services Shareholder
(412) 697-5258 or [email protected]

Eric Wright, Technology Advisory Services Shareholder
(412) 697-5328 or [email protected]

Frank Dezort, Internal Audit and Risk Advisory Services Senior Manager
(412) 697-5347 or [email protected]

Holly Russo, Internal Audit and Risk Advisory Services Manager
(412) 697-5337 or [email protected]

Heather Haemer, Internal Audit and Risk Advisory Services Manager
(412) 697-5433 or [email protected]


SSAE 16/ISAE 3402

Powell Jones, Grant Thornton


Agenda

1. Need for new standards

2. Recommended steps for service organizations

3. Key differences in new standards

4. Applying the right standard

© 2010 Grant Thornton LLP. All rights reserved. 53


What lies ahead for auditing controls at a service organization?


1. Need For New Standards

• Since 1992, SAS 70 has been the recognized standard.

• Changes in regulatory landscape generated need for additional information not covered by SAS 70

• Need for global standard (ISAE 3402)
• Globalization of process outsourcing

• Converge standards in the U.S. (SSAE 16)
• Minimal differences with ISAE 3402


1. Need For New Standards – Timing

• Effective for reports with periods ending on or after June 15, 2011

• Early adoption permitted


2. Recommended Steps For Service Organizations

1. Review internal monitoring and/or testing processes to determine if they are sufficient to support the written management assertion required by the standards

2. Select and document the criteria that management would use to support its written management assertion

3. Identify the risks that threaten the achievement of the control objectives


2. Recommended Steps For Service Organizations (Cont.)

4. If there is reliance on sub-service organizations, determine if the carve-out or inclusive method would be used

• If the inclusive method is selected, initiate conversations with sub-service organizations regarding the new requirements (e.g., written assertion from the sub-service provider in the report)

5. Review the existing SAS 70 description of controls and make any necessary enhancements to include any missing components to fully describe the system


2. Recommended Steps For Service Organizations (Cont.)

6. Develop a communication plan regarding the new standards for your customer-facing employees, and sales and contract teams

7. Consider effects, if any, on customer contracts and contract templates


3. Key Differences In New Standards – Changes To Description Of The System

• Section II will include more robust description of the service organization’s system

“… aspects of the service organization’s control environment, risk assessment process, information and communication systems (including relevant business processes), control activities and monitoring activities that are relevant to the services provided.”


3. Key Differences In New Standards – Changes To Description Of The System (Cont.)

• Additional information could include:
- Services provided and related procedures
- Initiation, authorization, recording, processing, reporting
- Classes of transactions processed
- Processes to prepare reports for customers
- Other aspects of COSO framework
- Changes during period


3. Key Differences In New Standards – Management’s Written Assertion

SAS 70: Auditor’s report need not be accompanied by management’s written assertion.

SSAE 16: Management’s written assertion required to accompany auditor’s report. If a service organization uses subservice organization(s) and elects to use the inclusive method, the subservice organization(s) assertion also accompanies the auditor’s report. Management’s assertion must include the suitable criteria used for its assessment.


3. Key Differences In New Standards – Type 2 Reporting

SAS 70: For Type 2 reports, the opinion on fair presentation of the system and suitability of design is as of a point in time.

SSAE 16: For Type 2 reports, the opinion on fair presentation of the system and suitability of design is for the period covered by the report.

Level of work effort is expected to be minimal!
