Type I & Type II SAS 70 Audits
Effective June 15, 2011, SAS 70 was superseded by SSAE 16. Due to the longstanding SAS 70 Audit standard, A-lign CPAs continues to display educational information regarding SAS 70 Audits during the transition to SSAE 16.
What is a SAS 70 Audit?
Many companies use outside service organizations to accomplish tasks that affect the entity’s financial statements. Auditors performing the financial statement audits for the user entity may need to obtain information about those services, the related service organization controls, and their effects on the user entity’s financial statements. A service auditor may be engaged to issue a SAS 70 audit report on the service organization’s controls. An audit performed in accordance with Statement on Auditing Standard No. 70 (SAS 70) provides the user entity and the auditor of the user entity a report on the service organization’s internal controls for the specific service(s) provided to the user entity. The user auditor can then utilize the SAS 70 audit report to assess the risks of material misstatement in a user entity’s financial statements.
SAS 70 Diagnostic
A SAS 70 Reporting and Diagnostic engagement provides service organizations with a benchmark of their preparedness for a SAS 70 compliance audit.
Type I SAS 70 Audits
Type I SAS 70 audits provide independent third party assurance by a licensed CPA firm as to whether control activities described by a service organization are suitably designed to meet specified control objectives and whether the controls were placed in operation as of a particular date.
Type II SAS 70 Audits
Type II SAS 70 audits provide independent third party assurance by a licensed CPA firm as to whether control activities described by a service organization are suitably designed to meet specified control objectives and were in place and operating effectively over a period of time, generally six to twelve months.
Click here to view the composition of a SAS 70 Audit Report.
Determining the scope of the SAS 70 compliance audit is one of the most challenging facets of the project. It is imperative that the scope of the audit meets the expectations and needs of our clients’ customers. We will conduct interviews with client personnel to determine the source of the SAS 70 audit need.
Due to the non-traditional use of Type I and Type II SAS 70 audit services in today’s audit arena, the need for the SAS 70 audit may not always relate to our client’s impact of the outsourced operations on their customers’ financial reporting objectives. Many companies are asked for SAS 70 audits as a means of understanding the company’s security, confidentiality or availability controls. Our SAS 70 audit company will work with the client after the initial interview process to align the control objectives within the scope of the audit with the client’s SAS 70 reporting and compliance audit need.
Preparation for Type I and Type II SAS 70 Audit Fieldwork and Testing Procedures
A-lign™ understands that our clients’ time is extremely valuable. We utilize information request lists that are customized to the scope of the client’s audit and employed as a tool to have documentation gathered prior to our onsite fieldwork. The information request list can be sent upon the engagement of A-lign™ as the auditor but, at a minimum, is typically sent four weeks prior to fieldwork. As necessary, we can conduct meetings to discuss our requests and ensure that the client fully understands the information needed to complete the audit. By gathering the documentation prior to our arrival, the client can ensure the lowest possible audit fee and increase the efficiency of their personnel.
Type I and Type II SAS 70 Audit Fieldwork and Testing Procedures
Onsite fieldwork and testing procedures are the most time intensive part of the SAS 70 audit services for both the client and our audit team. The client’s completion of the information request list prior to our onsite visit greatly impacts the efficiency of the fieldwork and testing procedure phase. Our approach for testing includes both onsite and offsite testing. This method allows our team to limit our interruption of the daily operation of our clients. Onsite fieldwork will consist of audit team members performing interviews, observation of controls, and, in the case of a Type II SAS 70 audit, sampling testing for the in-scope control objectives. By utilizing A-lign™ ClientConnect, offsite testing can be performed using the numerous means of electronic communication available. By performing a portion of the audit testing offsite, we are able to provide our clients with an extremely competitive pricing model for the audit. Any recommendation or testing exception will be fully communicated with designated client personnel prior to the end of fieldwork and testing closing meeting. This is a crucial step in our process to ensure that all client personnel are in agreement with recommendations and findings before presentation to senior management.
SAS 70 Reporting
A-lign™ prides itself on its efficient and timely reporting process. While many firms take 30 days or more to issue a report, A-lign’s project plans call for a draft report to be issued to the client within 10 business days of fieldwork completion. The draft will undergo a rigorous quality control review before issuance to the client. The draft report is submitted in word format to the client to allow the client to suggest wording changes directly to the draft report. Once the draft is returned to A-lign™, along with the management representation letter, the final report will be prepared for printing. Within five business days after the approval of the draft, the return of the signed management representation letter and any responses to testing exceptions, we will deliver 3 bound copies, an unbound copy, and electronic copy of the report.
For a free phone consultation, or for more information about our SAS 70 audit services and reporting, please submit the short form to the right, or call 1-888-702-5446 today.