So what’s the purpose of my retelling this? Simple, to some greater or lesser extent this sort of thing happens often. Sometimes management or certain members of management do not want to put their credibility on the line although the auditor has too. This is a problem. Among other reasons, the onslaught of audit related litigation that has exploded in the past decade has not helped matter. The AICPA wanted management to stand side-by-side with the auditor when these internal control reports were issued. Moreover, it is only reasonable that management should have to provide a written and signed assertion in the report since the controls relate financial reporting at user organizations. So now the standard has changed and SSAE 16 reports include a written assertion from management and an opinion from the service auditor.

One great place to find controls objectives or learn about the wording of control objectives is in Appendix E of the AICPA’s SAS 70 audit guide.  In this appendix, you will find control objectives related to information systems (ie, IT general controls), securities custodian, portfolio accountant and some others.  There is no complete listing of controls since every service organization is different.  However, this is a good starting place to get an idea of the interrelationship between domains, control objectives, and related controls.  The audit guide can be purchased from the AICPA’s website.  Since the concept of control objectives is often foreign to clients undergoing a SAS 70 examination for the first time, this appendix can be useful in initial discussions with new clients.

There are basically four main types of internal controls that service organizations and their service auditors should be concerned with, which are namely: manual controls, IT dependent manual controls, application controls, and IT general controls. Of course there are innumerable variations on the specifics of controls, though these four control types are the focus.

Manual Controls: Examples of manual controls could be a supervisor review and sign-off of a document, or bank reconciliation. Manual controls are performed by individuals outside of a system.

IT Dependent Manual Controls: Similar to manual controls, these controls require some level of system involvement. For example, a system generated inventory shortage report that is reviewed  and addressed, or sales orders that require controller approval in the system.

Application controls: These types of controls may also be system configuration settings. For example, if the system is configured to alert a supervisor for problem tickets that are not resolved within 60 minutes, or a firewall rule-set is configured to limit certain types of practice.

IT General Controls: This type of control is usually the focal point of most SAS 70 audit examinations. IT general controls comprise of logical access, program change, and physical security. For example, user access administration controls are used so that the right people have the right access to system resources. This process and the controls supporting the process are IT general controls.

In addition to the types of controls named, these controls are either preventative or detective in nature.  All other things being equal, preventative controls are superior to detective.  It is usually easier to correct a situation before a problem occurs than to detect a problem after it happens.

If the controls in the SAS 70 audit report do not seem to fall into one of these four areas, it could be that a process is being described rather than a control.  Service auditors should work carefully with the service organizations to make sure that descriptions of the controls are accurate and support the achievement of the control objectives.

A SAS 70 audit should address “[a]ll of the major aspects of the processing that may be relevant to the user auditors in assessing the risks of material [financial statement] misstatement” (AICPA, 2009 SAS 70 Audit Guide 4.13).  This means addressing the risks associated with processing.  For example, a service organization may print statements for a user organization. How the service organization controls statement printing so that only the correct statements are printed must be addressed within the SAS 70 audit report.  A description of the controls in place and how specifically the service auditor tested those controls must be described in sections II and III of the report (respectively).

In many cases, specific service organization processing risks relate to a financial statement assertion such as existence, occurrence, valuation and allocation, measurement/accuracy, and completeness.  In the event that a particular risk does not correlate to one or more of the assertions noted, it could be that the risk is not appropriate for inclusion with the SAS 70 audit.  Likewise, if there are risks that relate to one or more of the aforementioned assertions, and the risk is not being addressed by the service auditor, the SAS 70 audit could be incomplete.  To appropriately identify risks, the service auditor should understand the flow of transactions specific to the services provided.  Failure to do this, often results in SAS 70 audit that misses the mark and worse, does not address service organization risks appropriately.

On May 13, 2010 Linford & Company entered into an agreement with a company in the healthcare industry to provide the company with SAS 70 audit services. Organizations providing services to regulated industries are increasingly being scrutinized over their internal control environments.

Currently, a SAS 70 examination is the only independent method for service organizations to represent to their clients/customers whether internal controls are placed in operation, suitably designed, and operating effectively (Type II only).  The industries that see the greatest regulation at this time are healthcare, financial services, and data center companies providing services in those industries.

Service auditors need to consider three primary areas when performing audit sampling: 1) sample method, 2) sample size, and 3) tolerable rate of deviation.

Sample Methods

There are four general methods of sampling that are used in a SAS 70 examination:
•    Simple Random Sampling: Every unit has the same probability of being selected.
•    Systematic Sampling: This method selects samples using internals which are a result of dividing the population of units by the sample size.
•    Haphazard Sampling: Like simple; however, random number generators are not normally used.
•    Block Sampling: Represents contiguous population items.

All Type II SAS 70 audits should follow one or more of these methods to test items in a population (eg,  logical access rights for a sample of system users).

Sample Size

There are two aspects of sampling risk. First, over reliance on the control, or in other words, the control is in fact not operating effectively. Second, under reliance on the control. This second risk leads to audit inefficiencies and is a more acceptable risk than the former. The service auditor needs to takes these into consideration when deciding on a sample size. There are tables in Appendix A of the audit sampling guide that should be useful to the service auditor that follows a statistical approach (simple and systematic methods).

Summary

Overall, the guidance is extensive for audit sampling. Service auditors should take a careful look at their methods to make sure they are aligned with the guidance. Moreover, service organizations may question the approach of the service auditor if the service auditor is only performing walkthroughs for the Type II examination.

Question Two: Can non-CPA organizations partner with CPA firms to perform SAS 70 audits?
Answer: No. If you think otherwise, contact any member of the AICPA SAS 70 Task Force (Hint: their names are in the SAS 70 Audit Guide). Any one of them would be more than happy to take down your information and have a dialogue with you about this topic.

Question Three: What are the ramifications to the service organization if one of the above has happened?
Answer: Any user organization and/or user auditor that relied on the SAS 70 audit report from the service organization may have placed unwarranted reliance on that SAS 70 report. In other words, the user organization’s financial statement audit may have to be performed again for each period in which there was unwarranted reliance. Moreover, it is illegal to depart from state laws in regards to performing attestation services.

SAS 70 is a reference to the American Institute of Certified Public Accountants (AICPA) Statement on Auditing Standard (SAS) Number 70 codified under the auditing standards (AU) 324 entitled “Service Organizations”. This standard provides extensive guidance for service auditors (ie, licensed audit firms) to use in the performance of the SAS 70 audit. Guidance also exists that states that the only type of organization that may perform a SAS 70 audits is a licensed CPA firm. The following bullets are selected excerpts from authoritative sources listing some, but not all, of the relevant guidance supporting the comments above:

• “[A]uditor should not assume responsibility for the predecessor auditor’s work or issue a report that reflects divided responsibility” (AICPA, AU315.16).
• “The independent auditor also has a responsibility to his profession, the responsibility to comply with the standards accepted by his fellow practitioners” (AICPA, AU110.10). This includes adherence to CPE, Ethics, and licensing requirements.
• “No person, partnership, professional corporation, or limited liability company shall, without an active certificate of certified public accountant or a valid registration: Attest or express an opinion, as an independent auditor” (Colorado Revised Statute 12-2-120 Unlawful Acts (6)(II)(B)).
• “The practitioner must adequately plan the work and must properly supervise any assistants” (AICPA, AT101.42).
• “Attest services may only be performed by a licensee operating in a licensed firm” (Uniform Accountancy Act, Section 7).

Question Four: What about SAS 73? Can’t a firm use the work of a specialist to preform the SAS 70?
Answer: The Auditing Standards Board did not envision this when SAS 73 was written.  Paragraph .06 of AU336 (the codification of SAS 73) states “The auditor’s education and experience enable him or her to be knowledgeable about business matters in general, but the auditor is not expected to have the expertise of a person trained for or qualified to engage in the practice of another profession or occupation.” Performing SAS 70 audits is not another profession or occupation, it IS THE PROFESSION AND OCCUPATION of the auditor.

In an effort to clarify standards and converge with international standards, changes to SAS 70 requirements have been  made by the AICPA. The new standard is Statements on Standards for Attestation Engagements (SSAE) 16 or SSAE 16. These changes, which affect the service organization and the service auditors completing the SSAE 16 engagement, will be effective for periods ending June 15, 2011.

What is Changing?

That proposed changes to the current SAS 70 standard will add additional detail to the report and require more input from the service organization. Some of the proposed changes include:

• Service organization will provide a written assertion that will be listed in the report with the service auditor opinion that is included in current reports
• Type 2 reports will include an opinion on the design of controls over the period under review and not just as of a point in time as it is currently
• Internal auditor assistance will have to be detailed in the report
• No reduction of testing performed will be allowed as the result of prior or other examinations even if completed during the period under review
• Users of the report will be restricted to customers of the client during the period under review for a type 2 and at the point of the description covered by the report for a type 1

How does this Affect Companies Receiving a New SSAE 16 Report?

While the main structure of the SAS 70 report will remain unchanged for most service organizations (most, but not all, include adequate descriptions of processes), additional information will be added to the reports, which in turn could require additional effort in completing the report. With the proposed changes, companies receiving the new SSAE 16 report will be required to take a more active role in the completion of the SSAE 16 through the inclusion of their own written assertion.

What do Companies do to Prepare?

The audit firm completing the SSAE 16 should be abreast of the changes and guide the company through any additional procedures or changes to existing procedures that will occur. Companies should start discussions with their audit firms now to better prepare for when the changes go into effect.