Escolar Documentos
Profissional Documentos
Cultura Documentos
Background
SAS 70 was originally titled “Reports on the Processing of Transactions by Service Organizations” but was changed
by Statement on Auditing Standards No. 88 to "Service Organizations". The guidance contained in SAS 70 is
effective for all service auditors' reports dated after March 31, 1993.
SAS 55
In 1988, the AICPA issued SAS 55 [3], titled “Consideration of the Internal Control Structure in a Financial
Statement Audit”. SAS 55 required that financial statement auditors assess the internal control related to any process
that could impact the client’s financial reporting objectives. In cases where the client outsourced a critical process
that impacted the financial statements, the auditor was required to assess the internal control of that process as it is
performed by the service organization. For example, an auditor might be required to examine the manner in which a
payroll processing company controls the processing of payroll for its client. This situation was very detrimental to
many service organizations since all of their clients’ auditors have an obligation to perform the same internal control
assessment on them.
The overwhelming resources that service organizations were spending complying with requests from financial
auditors led the AICPA to issue SAS 70. In layman’s terms, SAS 70 allowed for one internal control review to be
performed on service organizations that examined all of the areas that the financial statement auditors were required
to consider to meet SAS 55 requirements. The resulting service auditor’s report (i.e. SAS 70 report) can be
distributed and relied upon by all of the financial statement auditors of the service organizations' clients. The extent
of that reliance is based on whether a Type I or Type II SAS 70 audit was performed.
Statement on Auditing Standards No. 70: Service Organizations 2
SAS 94
In 2001, SAS 55 was amended by SAS 94 [4], titled “The Effect of Information Technology on the Auditor’s
Consideration of Internal Control in a Financial Statement Audit”. SAS 94 obliges the financial statement auditors to
place an increased focus on the increasing role of information technology on meeting financial reporting objectives.
Given this change, SAS 70 reports are now placing similar emphasis on information technology’s role in the control
environment of service organizations. This helps to ensure that the SAS 70 report contains all of the information
required by user organization auditors.
SAS 109
In 2006, SAS 55 was superseded by SAS 109 (codified as AU 314 [5]) which provided an expanded theory regarding
an auditor's responsibility to understand the entity under audit including the information systems employed by the
entity under audit among other items. This understanding is to be used in determining certain risks associated with
the financial statements and audit.
User auditor
Traditionally, service auditor reports are primarily used as auditor-to-auditor communication. The auditors of the
service organization’s customers (i.e. user auditors) can use the service auditor’s report to gain an understanding of
the internal controls in operation at the service organization. Additionally, Type II service auditor reports can be used
by the user organizations’ auditors to assess internal control risk for the purposes of planning and executing their
financial audit.
This report is intended solely for use by the management of XYZ Service Organization, its user
organizations, and the independent auditors of its user organizations.
Audit frequency
Type 1 audits are typically performed no more than once per year; however, there is no technical reason for this
practice. In fact, many companies use the type 1 audit as a primer and tend to move on to a type 2 audit for the
purposes of subsequent audits. Sarbanes-Oxley Act (SOX) provisions that require a type 2 audit have made this a
very common practice.
Type 2 audits are also typically performed once per year; however, a small percentage of companies undergo
multiple type 2 audits during any 12 month period. There is no technical guidance that states, or even recommends, a
type 2 audit frequency requirement. It is generally expected that the frequency will be no less than once per year.
The SAS 70 audit guide recommends, but does not require, that type 2 examination periods be at least six months in
length. Companies generally choose a review period between six and 12 months. There is no requirement or
recommendation that the examination period fall completely within the calendar year.
SAS 70 audits are performed throughout the calendar year. Each service organization is responsible for making their
own decisions regarding the type of audit they undergo, the timing of the audit, and the review period of the audit in
the case of a type 2 audit.
User organizations will desire a type 2 audit report that has an examination period with as many months as possible
falling within their own fiscal year and an examination period end date that is within three months of their fiscal year
end. Most service organizations have many user organizations and often can not satisfy all of their clients if they
only perform one audit per year, regardless of the length of their review period. For example, a company could have
a 12 month Type 2 SAS 70 audit review period ending 12/31. This report would be less than ideal for clients with
6/30 fiscal year-ends because it will be six months "old" by that point in time. However, this issue does not render
the report useless and audit guidance and SOX guidance provide specific directions for dealing with this common
situation when it occurs.
Statement on Auditing Standards No. 70: Service Organizations 4
United Kingdom
A SAS 70 is similar to the United Kingdom guidance provided by the Audit and Assurance Faculty of the Institute of
Chartered Accountants in England and Wales. The technical release is titled AAF 01/06 which supersedes the earlier
FRAG 21/94 guidance.
Canada
In Canada, a similar report known as a Section 5970 report may be issued by a service organization auditor. It
usually gives two separate audit opinions on the controls in place. Furthermore, it may also give an opinion on the
operating effectiveness over a period. These reports tend to be quite long, with descriptions of the controls in place.
Statement on Auditing Standards No. 70: Service Organizations 5
India
Similar to the SAS 70 Report in the United States of America, reporting requirements are defined in India's Audit
and Assurance Standards 24 "Audit Consideration Relating to Entities Using Service Organizations". The AAS 24 is
issued by the Institute of Chartered Accountants of India, and is operative for all audits relating to periods beginning
on or after 1 April 2003.
References
[9]
[1] http:/ / umiss. lib. olemiss. edu:82/ record=b1038093
[2] http:/ / www. aicpa. org/ download/ members/ div/ auditstd/ AU-00324. PDF
[3] http:/ / umiss. lib. olemiss. edu:82/ record=b1038078
[4] http:/ / umiss. lib. olemiss. edu:82/ record=b1038121
[5] http:/ / www. aicpa. org/ download/ members/ div/ auditstd/ AU-00314. PDF
[6] AICPA AU Section 324 (http:/ / www. aicpa. org/ download/ members/ div/ auditstd/ AU-00324. PDF), para. 02
[7] PCAOB Auditing Standard No. 5 (http:/ / www. pcaob. org/ Rules/ Rules_of_the_Board/ Auditing_Standard_5. pdf), para. B17-B27
[8] AICPA Proposed Statement on Standards for Attestation Engagements, Reporting on Controls at a Service Organization (http:/ / www. aicpa.
org/ Professional+ Resources/ Accounting+ and+ Auditing/ Audit+ and+ Attest+ Standards/ Exposure+ Drafts+ of+ Proposed+ Statements/
Reporting+ Service+ Organization. htm)
[9] http:/ / www. aicpa. org/ Research/ Standards/ AuditAttest/ DownloadableDocuments/ AU-00324. pdf
External links
• AICPA (http://www.aicpa.org)
• Auditing Standards Board (http://www.aicpa.org/Professional+Resources/Accounting+and+Auditing/
Audit+and+Attest+Standards/Auditing+Standards+Board/)
• ICAI (http://www.icai.org)
Article Sources and Contributors 6
License
Creative Commons Attribution-Share Alike 3.0 Unported
http:/ / creativecommons. org/ licenses/ by-sa/ 3. 0/