How do you determine whether control objectives and the related control activities are appropriate?
Control objectives need to be individually tailored to the activities performed by the service organization. Moreover, they need to address “[a]ll the major aspects of the processing that may be relevant to user auditors…” (AICPA SAS 70 Audit Guide 4.13). Consequently, service organizations should organize a complete set of control objectives when defining the scope of the engagement. All the information presented in a SAS 70 report should be fairly stated and accurate and should not omit or distort information.
Another way to tell if the control objectives are appropriate is to ask management of the service organization or user organization to list the key processing activities provided to the user organization. This exercise will quickly yield the correct areas upon which the control objectives can be formed.
The control activities are another matter. Each control activity should specifically relate to its control objective. The following are examples of control objectives and related control activities from actual reports:
Control Objective: Controls provide reasonable assurance that logical access to production application programs and data files is restricted to appropriately authorized personnel and programs.
Control Activity: The acceptable use policy applies to all current and future employees as well as consultants, temporary staff and vendors and applies to new hires requiring password access.
Commentary: The control does not specifically relate to restricting logical access. Policies are not controls.
Control Objective: Controls provide reasonable assurance that changes to the statement application are authorized, tested, approved, properly implemented, and documented.
Control Activity: Testing confirms the change meets the requirements outlined in the change management documentation.
Commentary: “Testing confirms the change…” This control activity relates specifically to the “tested” portion of the control objective above.
Service auditors, service organizations, user auditors, and user organizations should take the time to identify the appropriate control objectives. In addition, the service auditor should make sure that the control activities specifically relate to the control objectives.