Risks to the Service Organization
What Risks Should be Covered in a SAS 70 Audit?
A SAS 70 audit should address “[a]ll of the major aspects of the processing that may be relevant to the user auditors in assessing the risks of material [financial statement] misstatement” (AICPA, 2009 SAS 70 Audit Guide 4.13). In other words, the audit must address the risks that arise from the processing itself. For example, a service organization may print statements for a user organization. How the service organization controls statement printing so that only the correct statements are printed must be addressed within the SAS 70 audit report. The controls in place are described in section II of the report, and the specific tests the service auditor performed on those controls are described in section III (the description of tests applies to a Type II report; a Type I report covers the design of controls only, not their operating effectiveness).
In many cases, specific service organization processing risks relate to a financial statement assertion such as existence, occurrence, valuation and allocation, measurement/accuracy, and completeness. If a particular risk does not correlate to one or more of these assertions, it may not be appropriate for inclusion in the SAS 70 audit. Conversely, if a risk does relate to one or more of these assertions and the service auditor is not addressing it, the SAS 70 audit could be incomplete. To identify risks appropriately, the service auditor should understand the flow of transactions specific to the services provided. Failure to do this often results in a SAS 70 audit that misses the mark and, worse, does not address service organization risks appropriately.
