CERTIFIED PUBLIC ACCOUNTANTS

SAS FAQ

What is a SAS 70 audit?
What is the value or benefit of a SAS 70 audit?
What is the difference between a Type I and a Type II report?
Does the audit firm have to be registered with the Public Company Accounting Oversight Board (PCAOB)?
Do we need a national or big CPA firm to perform our SAS 70 audit?
What is included in a description of controls?
What is the time investment associated with a SAS 70 audit?
How often do I have to have a SAS 70 audit performed?

  1. What is a SAS 70 audit?
    SAS 70 is an acronym for the American Institute of Certified Public Accountants (AICPA) Statement on Auditing Standard (SAS) 70, titled “Reports on the Processing of Transactions by Service Organizations”. SAS 70 defines the rules an auditor must follow to assess the internal controls of a service organization and issue a service auditor’s report. A service organization is a company that processes transactions or performs certain services or procedures on behalf of another company. Examples of service organizations are medical claims processors, credit processing organizations, application service providers (ASPs), data centers, trust companies and accounts receivable or payable outsourcing companies.

    There are two levels of service for a SAS 70 audit. A Type I service auditor’s report includes the service auditor's opinion on the fairness of the presentation of the service organization's description of controls that had been placed in operation and the suitability of the design of the controls to achieve the specified control objectives. A Type II service auditor’s report includes the information contained in a Type I service auditor's report and also includes the service auditor's opinion on whether the specific controls were operating effectively during the testing period.
  2. What is the value or benefit of a SAS 70 audit?
    A SAS 70 audit offers many potential benefits to service organizations. While it is easy to list the benefits you will receive from going through the SAS 70 audit, it is difficult to assign a dollar value to them. However, as our clients can attest, they feel the SAS 70 audit was very beneficial and the cost was not a factor once the project was completed.

    The following are just a few examples of the benefits that our clients have experienced:
    • A SAS 70 report allows the business owners or management to have a sense of security and pride that their controls are adequate.
    • A SAS 70 report allows a company to provide their clients and prospects with an independent third party review of their internal controls.
    • A SAS 70 report may allow new sources of revenue by moving up market.
    • A SAS 70 audit often provides a company with a competitive advantage over its competitors.
    • A SAS 70 report is often accepted by interested parties such as clients, clients’ auditors and regulatory agencies, as a substitute for sending in their own auditors.
    • Normally, our SAS 70 project results in numerous operational and internal control enhancement opportunities.
    Even if you have audited financial statements, if you host and/or process data for others there is a strong likelihood that you will still need a SAS 70 audit. On the other hand, if you do not have audited financial statements and you are a service organization, you will still need a SAS 70 audit. The SAS 70 audit process does not cover your internal financial statements or the procedures related to your internal accounting process.
  3. What is the difference between a Type I and a Type II report?
    Service auditor reports vary in content based on whether the report is a Type I or Type II report. The following table outlines the sections included in each type of service auditor’s report.
    Report Section | Type I Report | Type II Report
    Independent Service Auditors' Report | Included | Included
    Service Organization's Description of Controls | Included | Included
    Information Provided by the Service Auditor (i.e., Tests Applied to Assess the Operating Effectiveness of the Control Activities) | Not Included | Included
    Other Information Provided by the Service Organization (i.e., Management's Response to Testing Exceptions, marketing materials, etc.) | Optional | Optional
    As the table above shows, a Type II report covers all the same items as a Type I report, and additionally includes testing of the controls in order to report on their operating effectiveness. A Type II audit is more complex and time consuming because it examines a sample of the transactions underlying those controls during the six- to twelve-month testing period.
  4. Does the audit firm have to be registered with the Public Company Accounting Oversight Board (PCAOB)?
    According to the PCAOB Staff Questions and Answers #26 on Auditing Standard No. 2, Internal Control, dated June 23, 2004 and revised on July 27, 2004, the CPA firm performing the SAS 70 audit does not have to be registered with the PCAOB unless the information included in the SAS 70 report plays a substantial role in the financial auditor’s opinion. Normally this is not the case, and thus a non-PCAOB-registered CPA firm can perform your SAS 70 audit.

    HA is not registered with the PCAOB because the SAS 70 audits we perform for our client base do not play a substantial role in their customers’ financial audits. Many of our clients have publicly traded customers, and their auditors have been satisfied with our report and our non-registered status with the PCAOB. However, HA is registered with the AICPA and is a member of the AICPA Peer Review program, as well as being licensed in each state in which we perform services. By participating in the Peer Review Program, we are audited every three years for compliance with professional standards, ethics and continuing education.

    The entire question and answer from the PCAOB is included here for reference:

    Q26. Can a registered public accounting firm in the integrated audit of an issuer obtain evidence from a service auditor's report issued by a non-registered public accounting firm?

    A26. Yes. Paragraph B24 of Auditing Standard No. 2 directs the auditor to make inquiries concerning the service auditor's reputation, competence and independence in determining whether the service auditor's report provides sufficient evidence to support management's assessment and the auditor's opinion on internal control over financial reporting. Auditing Standard No. 2 does not require that the service auditor be a registered public accounting firm.

    The auditor should be aware of how evidence obtained from a service auditor's report issued by a non-registered firm interacts with the Board's registration rules. Any public accounting firm that "plays a substantial role in the preparation or furnishing of an audit report" with respect to any issuer must register with the Board. Because of the nature of the service auditor's report (the user auditor could have performed tests of controls at the service organization himself or herself but, instead, may have chosen to obtain evidence from a service auditor's report), when a registered public accounting firm obtains evidence from a service auditor's report in the audit of an issuer, the service auditor has participated in the audit of the issuer. If the service auditor's work, measured in terms of either services or procedures, meets the "substantial role" threshold (as defined in Rule 1001(p)(ii)) for the audit of the user organization, the service auditor is required to be registered with the Board.
  5. Do we need a national or big CPA firm to perform our SAS 70 audit?
    No. It is not necessary to have a national or big CPA firm perform your SAS 70 audit. The AICPA, as well as the PCAOB, only requires that the CPA firm possess the necessary competence to perform a SAS 70 audit, adhere to the standard independence requirements for independent external auditors and be reputable.

    HA has many clients that provide evidence that a national or big CPA firm is not required to perform a SAS 70 audit. A SAS 70 audit performed by a qualified CPA firm is as reliable as any other. National or big CPA firms have well-known names, but name recognition does not equate to the quality of the personnel performing your SAS 70 audit. Decision makers need to focus on the experience and expertise of the project team and not just the name of the firm. An emphasis should also be placed on the fees charged for that experience and expertise.

    It is important to recognize that although most CPA firms could perform a SAS 70 audit, typically at lower fees, it is not advisable to use a firm that does not have extensive experience. Due diligence and thought should be undertaken to ensure that the firm, and especially the personnel who perform the audit, have the appropriate level of SAS 70 experience and expertise. This will enhance your SAS 70 experience and help avoid the common issues associated with having an inexperienced audit firm or inexperienced personnel perform the SAS 70 audit.
  6. What is included in a description of controls?
    This is normally the longest section of the SAS 70 report. The description of controls is management’s discussion of the controls, policies and procedures, and organization of the company. The description should provide the reader with enough detailed information about the service organization’s controls to gain an understanding of how things work. Service organization controls are considered a component of a user organization’s internal control; therefore, a user auditor is concerned with a service organization’s controls.
    • Control Environment – The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure.
    • Risk Assessment – Risk assessment is the entity’s identification and analysis of relevant risks to the achievement of its objectives, forming a basis for determining how the risks should be managed.
    • Control Activities – Control activities are the policies and procedures that are performed by the company to service its clients. Control activities usually fall into one of two areas: General Controls, and Application Specific Controls, which are client specific. Typical general control areas include, but are not limited to, the following:
      • Organization and Management
      • Human Resources – hiring and training of personnel
      • Computer Operations
      • Physical and Environmental Security
      • Change Management for Application Software and Systems
      • Information Security
      • Data Communications
      • Information and Communication Systems
    • Application specific controls change for every client. They are the control activities implemented to achieve the successful processing of clients’ transactions or the actual services performed on the client’s behalf. These control activities vary significantly from client to client; however, there are typically some commonalities between service organizations in the same industry.
    • Monitoring – Monitoring is a process that assesses the quality of internal control performance over time.
    The description of controls should be presented at a level of detail that provides user auditors with sufficient information to plan the audit as described in SAS No. 70 and SAS No. 55. The description does not need to address every aspect of the service organization’s processing or the services provided to user organizations. In summary, the service organization’s description of controls should generally contain the following information:
    • Discussion of the company’s organization and management; hiring policies and training of personnel; information and communication systems; risk assessment and monitoring.
    • Control objectives and related control activities.
    • Changes to your controls since the date of the last report or within the last twelve months.
  7. What is the time investment associated with a SAS 70 audit?
    The time investment related to a SAS 70 can vary significantly. The factors that should be considered by a service organization are described below.
    • Type of Engagement – A Type I SAS 70 audit is much less involved than a Type II audit. The testing procedures related to a Type II audit, as well as the difference in review period, cause the audit to require significantly more fieldwork than a Type I audit of the same service organization.
    • Client Involvement – Client involvement can be the most significant factor in the time investment related to a SAS 70. Clients that designate a point person for managing the collection of documents should see reduced time requirements from their auditors.
    Overall, however, our clients feel that due to our teamwork approach, their investment is not nearly as invasive as their peers may have experienced. If this is your first SAS 70, it will be more time consuming due to the drafting of the description of controls, but HA provides you with examples and templates to assist you in that process. With HA you are not alone in the process; you receive a coach and teammate to help you prepare for the audit. We have developed checklists and templates to help you understand the process and identify your controls, and to walk you through the process to eliminate headaches and heartburn.
  8. How often do I have to have a SAS 70 audit performed?
    Normally, whether you have a Type I or Type II audit performed, it is not more than once a year. In the case of a Type I audit, companies usually have only one audit performed per year. These companies typically present the report to their user organizations as the annual Type I review and often refer to it by the year in which the audit was performed (e.g., 2007 SAS 70 Audit or 2007 Type I SAS 70 Audit).

    In the case of a Type II audit, companies usually have only one audit performed in a twelve-month period. Most companies have an audit performed with a review period that falls completely within the calendar year. The most common periods for SAS 70 audits are six, nine or twelve months. Six months is the minimum suggested period according to AICPA guidance; however, your clients and their auditors will generally request a twelve-month coverage period without any gaps.

“As a busy IT manager I was not looking forward to answering questions about the security of my network. Curt has software tools and a list of questions that make giving him the information he needs a quick, smooth and easy experience.”

B.H.
IT Manager