Why Are There Offset Dates for SAS 70 Audit Report Coverage Periods?
Without a doubt, SAS 70 audit coverage periods cause more confusion amongst service organizations and for that matter service auditors then probably any other aspect of the examination itself. First, it is important to note that by definition, coverage periods only apply to Type II examinations. The reason, Type II reports must cover a minimum of a six-month period to be any use to the user auditor while Type I reports are as of a point in time (see the February 12, 2010 blog posting).
So why do most SAS 70 reports have an October 1st of one year start date and a September 30th of the next year end date? The reason is straightforward though there are a couple components to reasons. One, user auditors perform their internal control testing in support of the financial statement audit before their clients’ (ie, user organizations) fiscal year-end. For most companies based in the United States, year-ends are December 31st. For a SAS 70 report to be of any utility to a user auditor, the report must be in their hands during the Fall. The information contained within the SAS 70 will determine the nature and extent of the audit procedures the user auditor performs during this time. No report = no reliance. Two, most service organizations that receive a SAS 70 need to demonstrate to their user organizations an uninterrupted period of operating effectiveness for the overall control environment. Hence, most SAS 70 reports are not dated from January 1st through September 30th each year. This would leave a three month gap without any independent assurance. Less assurance translates to more risk.
Why Then Do Some Reports Have a December 31st End Date?
There could be a couple of reasons, although one of them is not really acceptable. It could be that the service organizations’ primary (ie, most important) user organizations have fiscal year-ends of in the 1st quarter. Alternatively, some service auditors may not understand the utility of the SAS 70 audit reports for user auditors. If the later is the case, re-read AU324 starting with paragraphs .04-.16.