Question One: Can non-CPA organizations perform SAS 70 audits?
Question Two: Can non-CPA organizations partner with CPA firms to perform SAS 70 audits?
Answer: No. If you think otherwise, contact any member of the AICPA SAS 70 Task Force (Hint: their names are in the SAS 70 Audit Guide). Any one of them would be more than happy to take down your information and have a dialogue with you about this topic.
Question Three: What are the ramifications to the service organization if one of the above has happened?
Answer: Any user organization and/or user auditor that relied on the SAS 70 audit report from the service organization may have placed unwarranted reliance on that SAS 70 report. In other words, the user organization’s financial statement audit may have to be performed again for each period in which there was unwarranted reliance. Moreover, it is illegal to depart from state laws in regards to performing attestation services.
SAS 70 is a reference to the American Institute of Certified Public Accountants (AICPA) Statement on Auditing Standard (SAS) Number 70 codified under the auditing standards (AU) 324 entitled “Service Organizations”. This standard provides extensive guidance for service auditors (ie, licensed audit firms) to use in the performance of the SAS 70 audit. Guidance also exists that states that the only type of organization that may perform a SAS 70 audits is a licensed CPA firm. The following bullets are selected excerpts from authoritative sources listing some, but not all, of the relevant guidance supporting the comments above:
- “[A]uditor should not assume responsibility for the predecessor auditor’s work or issue a report that reflects divided responsibility” (AICPA, AU315.16).
- “The independent auditor also has a responsibility to his profession, the responsibility to comply with the standards accepted by his fellow practitioners” (AICPA, AU110.10). This includes adherence to CPE, Ethics, and licensing requirements.
- “No person, partnership, professional corporation, or limited liability company shall, without an active certificate of certified public accountant or a valid registration: Attest or express an opinion, as an independent auditor” (Colorado Revised Statute 12-2-120 Unlawful Acts (6)(II)(B)).
- “The practitioner must adequately plan the work and must properly supervise any assistants” (AICPA, AT101.42).
- “Attest services may only be performed by a licensee operating in a licensed firm” (Uniform Accountancy Act, Section 7).
Question Four: What about SAS 73? Can’t a firm use the work of a specialist to preform the SAS 70?
Answer: The Auditing Standards Board did not envision this when SAS 73 was written. Paragraph .06 of AU336 (the codification of SAS 73) states “The auditor’s education and experience enable him or her to be knowledgeable about business matters in general, but the auditor is not expected to have the expertise of a person trained for or qualified to engage in the practice of another profession or occupation.” Performing SAS 70 audits is not another profession or occupation, it IS THE PROFESSION AND OCCUPATION of the auditor.