Mastering SAS 70 Audit Reports for Service Organizations Evaluating Internal Controls Issues With Type I and Type II Reports

Transcription

1 presents Mastering SAS 70 Audit Reports for Service Organizations Evaluating Internal Controls Issues With Type I and Type II Reports A Live 110-Minute Teleconference/Webinar with Interactive Q&A Today's panel features: Mark Agulnik, Senior Manager, Assurance Services, MarcumRachlin, Fort Lauderdale, Fla. Eric Wright, Technology Shareholder, Schneider Downs, Pittsburgh Scott Price, Director, A-lign CPAs, Tampa, Fla. Steve Thompson, Shareholder, Schneider Downs,, Pittsburgh Powell Jones, Business Advisory Services Manager, Grant Thornton, Atlanta Wednesday, June 16, 2010 The conference begins at: 1 pm Eastern 12 pm Central 11 am Mountain 10 am Pacific You can access the audio portion of the conference on the telephone or by using your computer's speakers. Please refer to the dial in/ log in instructions ed to registrations.

2 For Continuing Education purposes, please let us know how many people are listening at your location by closing the notification box and typing in the chat box your company name and the number of attendees. Then click the blue icon beside the box to send. For live event only.

3 If the sound quality is not satisfactory and you are listening via your computer speakers, please dial and enter your PIN when prompted. Otherwise,,please send us a chat or e- mail sound@straffordpub.com immediately so we can address the problem. If you dialed in and have any difficulties during the call, press *0 for assistance.

4 Mastering SAS 70 Audit Reports For Service Organizations Webinar June 16, 2010 Mark Agulnik, MarcumRachlin Scott Price, A-lign CPAs Ei Eric Wright, WihtSh Schneider Downs Steve Thompson, Schneider Downs Powell Jones, Grant Thornton

5 Today s Program Key Terms Of SAS 70 Slides 6-30 (Mark Agulnik) Changing Uses Of SAS 70 Reports Slides (Scott Price) Audit Requirements, Preparation Tactics Slides (Eric Wright and Steve Thompson) SSAE 16/ISAE 3402 Slides (Powell Jones) 5

6 Key Terms Of SAS 70 Mark Agulnik, MarcumRachlin

7 What Is SAS 70? Statement on Auditing Standards (SAS) No. 70, Service Organizations, is a widely recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA). It represents that a service organization has been through an in-depth audit of its control objectives and control activities. In today's global economy, service organizations or service providers must demonstrate that they have adequate controls and safeguards when they host or process data belonging to their customers. SOX has also affected the importance of SAS 70 audit reports, as many service organizations or service providers including data centers, credit car processing centers and payroll processors host and/or process critical data. SAS 70 does not provide any prescribed guidance regarding scope definition, testing approach or requirements to establish compliance. The standard leaves the responsibility to the service provider and auditor to define appropriateness. FLORIDA P A S S NEW I O N YORK NEW I N JERSEY T E G R I T CONNECTICUT Y E X C PENNSYLVANIA E L L E N C E GRAND CAYMAN A Division of Marcum LLP 7

8 History Of Internal Control/SAS 70 Guidance Statement Date Issued Title of Statement SAP No. 29 October 1958 Scope of the Independent Auditor s Review of Internet Control SAP No. 41 November 1971 Reports on Internal Control SAP No. 54 November 1972 The Auditor s Study and Evaluation of Internal Control SAP No. 3 December 1974 The Effects of EDP on the Auditor s Study and Evaluation of Internal Control SAS No. 44 December 1982 Special-Purpose Reports on Internal Accounting Control at Service Organizations SAS No. 48 July 1984 The Effects of Computer Processing of the Audit of Financial Statements SAS No. 55 April 1988 Consideration of Internal Control in a Financial i Statement t taudit SAS No. 70 April 1992 Service Organizations SAS No. 78 December 1995 Consideration of Internal Control in a Financial Statement Audit: An Amendment to Statement on Auditing Standards No. 55 SAS No. 88 December 1999 Service Organizations and Reporting on Consistency SAS No. 94 May 2001 The Effect of Information Technology on the Auditor s Consideration of Internal Control in a Financial Statement Audit PCAOB No. 2 March 2004 An Audit of Internal Control over Financial Reporting in Conjunction with an Audit of Financial Statements. Note: Appendix B refers to Service Organizations. PCAOB No. 5 May 2007 An Audit of Internal Control over Financial Reporting that is Integrated with an Audit of Financial Statements. Note: Appendix B17-B27 covers Service Organization considerations. ISAE No December 2009 Assurance Reports on Controls at a Service Organization. SSAE No. 16 June 2010 Reporting on Controls at a Service Organization FLORIDA P A S S NEW I O N YORK NEW I N JERSEY T E G R I T CONNECTICUT Y E X C PENNSYLVANIA E L L E N C E GRAND CAYMAN A Division of Marcum LLP 8

9 Relevant Definitions User organization - The entity that has engaged a service organization and whose financial statements are being audited User auditor - The auditor who reports on the financial statements of the user organization Service organization - The entity (or segment of an entity) that provides services to a user organization that are part of the user organization's information system Service auditor - The auditor who reports on controls of a service organization that may be relevant to a user organization's internal control as it relates to an audit of financial statements FLORIDA P A S S NEW I O N YORK NEW I N JERSEY T E G R I T CONNECTICUT Y E X C PENNSYLVANIA E L L E N C E GRAND CAYMAN A Division of Marcum LLP 9

10 Relevant Definitions (Cont.) Report on controls placed in operation (KNOWN AS A SAS 70 TYPE 1) - A service auditor's report on a service organization's description of its controls that may be relevant to a user organization's internal control as it relates to an audit of financial statements, on whether such controls were suitably designed to achieve specified control objectives, and on whether they had been placed in operation as of a specific date Report on controls placed in operation and tests of operating effectiveness (KNOWN AS A SAS 70 TYPE 2) - A service auditor's report on a service organization's description of its controls that may be relevant to a user organization's internal control as it relates to an audit of financial statements, on whether such controls were suitably designed to achieve specified control objectives, on whether they had been placed in operation as of a specific date, and on whether the controls that were tested were operating with sufficient i effectiveness to provide reasonable, but not absolute, assurance that the related control objectives were achieved during the period specified FLORIDA P A S S NEW I O N YORK NEW I N JERSEY T E G R I T CONNECTICUT Y E X C PENNSYLVANIA E L L E N C E GRAND CAYMAN A Division of Marcum LLP 10

11 Guidance To Service Auditors On Assessing A Service Organization s Internal Controls And Issuing A Report The service auditor is responsible for the representations in his or her report and for exercising due care in the application of procedures that support those representations. Although a service auditor's engagement differs from an audit of financial statements conducted in accordance with generally accepted auditing standards, it should be performed in accordance with the general standards and with the relevant fieldwork and reporting standards. Although the service auditor should be independent from the service organization, it is not necessary for the service auditor to be independent from each user organization. The service auditor may become aware of illegal acts, fraud or uncorrected errors attributable to the service organization s management or employees that may affect one or more user organizations. The service auditor errors, fraud and illegal acts are discussed in Sect. 312, Audit Risk and Materiality in Conducting an Audit, and Sect. 317, Illegal Acts by Clients. FLORIDA P A S S NEW I O N YORK NEW I N JERSEY T E G R I T CONNECTICUT Y E X C PENNSYLVANIA E L L E N C E GRAND CAYMAN A Division of Marcum LLP 11

12 Guidance To Service Auditors On Assessing Service Organization s Internal Controls And Issuing A Report (Cont.) No single specific test of controls is always necessary, applicable or equally effective in every circumstance and every engagement. Therefore, the auditor should use professional judgment to determine what constitutes sufficient appropriate audit evidence under the specific circumstances of the engagement. Meet with management prior to commencement of SAS 70 and determine who wants the SAS 70 and for what purpose. The SAS 70 only has value if it is meeting the user s objectives. FLORIDA P A S S NEW I O N YORK NEW I N JERSEY T E G R I T CONNECTICUT Y E X C PENNSYLVANIA E L L E N C E GRAND CAYMAN A Division of Marcum LLP 12

13 Guidance To User Auditors Of Financial Statements For An Entity Using One Or More Service Organizations As required by SAS 109, an auditor should obtain an understanding di of each of fthe five components of fthe entity's internal control sufficient to assess the risks of material misstatement and to design the nature, timing and extent of further audit procedures. The auditor should use such knowledge to: A: Identify types of potential misstatements and consider factors that affect the risks of material misstatements B: Design tests of controls to determine the nature, timing and extent of procedures to be performed FLORIDA P A S S NEW I O N YORK NEW I N JERSEY T E G R I T CONNECTICUT Y E X C PENNSYLVANIA E L L E N C E GRAND CAYMAN A Division of Marcum LLP 13

14 Guidance To User Auditors Of Financial Statements For An Entity Using One Or More Service Organizations (Cont.) If the user organization significantly uses a service organization, in obtaining an understanding of the entity's internal control sufficient to assess the risks of material misstatement, the auditor may need to obtain an understanding of the controls of the service organization. High degree of interaction: When the user organization initiates transactions and the service organization executes and does the accounting processing of those transactions, there is a high degree of interaction between the activities at the user organization and those at the service organization. If the user organization implements highly effective internal controls over the processing of transactions ti at the service organization, the user auditor may not need to gain an understanding of the controls at the service organization in order to plan the audit. For example, if the user organization has such controls, the user auditor could obtain an understanding di of the controls by performing a walk-through at the user organization. FLORIDA P A S S NEW I O N YORK NEW I N JERSEY T E G R I T CONNECTICUT Y E X C PENNSYLVANIA E L L E N C E GRAND CAYMAN A Division of Marcum LLP 14

15 Guidance To User Auditors Of Financial Statements For An Entity Using One Or More Service Organizations (Cont.) Low degree of interaction: When the service organization initiates, executes and does the accounting processing of the user organization s transactions, there is a lower degree of interaction between the activities at the user organization and those at the service organization. In these circumstances, it may not be practicable for the user organization to implement effective controls for those transactions. If the user organization has a low degree of interaction and has not placed into operation effective internal controls over the activities of the service organization, the user auditor would most likely need to gain an understanding of the relevant controls at the service organization in order to plan the audit. The understanding can be obtained by: Reviewing i a copy of the service auditor s report on the service organization s description of its controls, and/or Contacting the service organization to obtain specific information, and/or Visiting the service organization to make inquiries and observations, review documentation and perform the necessary procedures, and/or Requesting that a service auditor be engaged to perform procedures that will provide the necessary information FLORIDA P A S S NEW I O N YORK NEW I N JERSEY T E G R I T CONNECTICUT Y E X C PENNSYLVANIA E L L E N C E GRAND CAYMAN A Division of Marcum LLP 15

16 Guidance To User Auditors Of Financial Statements For An Entity Using One Or More Service Organizations (Cont.) Information about the nature of the services provided by a service organization that are part of the user organization s information system, and the service organization s controls over those services, may be available from a wide variety of sources, such as the following: User manuals System overviews Technical manuals The contract between the user organization and the service organization Reports by service auditors, internal auditors or regulatory authorities on the service organization s controls If the user auditor is unable to obtain sufficient audit evidence to achieve his or her audit objectives, the user auditor should qualify his or her opinion or disclaim an opinion on the financial statements because of a scope limitation. FLORIDA P A S S NEW I O N YORK NEW I N JERSEY T E G R I T CONNECTICUT Y E X C PENNSYLVANIA E L L E N C E GRAND CAYMAN A Division of Marcum LLP 16

17 Guidance To User Auditors Of Financial Statements For An Entity Using One Or More Service Organizations (Cont.) When the user obtains an understanding of the internal control, including reviewing the user organization s SAS 70, the user auditor may identify certain user organization controls that, if effective, would permit the user auditor to assess control risk as low or moderate for particular assertions. Note: Although a type 1 report is sufficient for the user auditor to obtain an understanding of the internal control to determine whether the controls are designed and implemented, it is not sufficient in assess control risk below maximum in order to reduce substantive ti procedures. In order for the user auditor to assess risk below maximum (relating to the service auditors internal controls), the user auditor may: A: Rely on the service auditor s report on controls placed in operation and tests of operating effectiveness (type 2 SAS 70 report) B: Tests of controls performed by the user auditor at the service organization C: Test the user organization s controls over the activities of the service organization FLORIDA P A S S NEW I O N YORK NEW I N JERSEY T E G R I T CONNECTICUT Y E X C PENNSYLVANIA E L L E N C E GRAND CAYMAN A Division of Marcum LLP 17

18 Guidance To User Auditors Of Financial Statements For An Entity Using One Or More Service Organizations (Cont.) If the user auditor decides to use a service auditor s report, the user auditor should consider the extent of the evidence provided by the report about the effectiveness of controls intended to prevent or detect material misstatements in the particular assertions. A user auditor should determine whether the specific tests of controls and results in the service auditor s report are relevant to assertions that are significant in the user organization s financial statements. The user auditor remains responsible for evaluating the evidence presented by the service auditor and for determining its effect on the assessment of control risk at the user organization. In evaluating these factors, user auditors should also keep in mind that, for certain assertions, the shorter the period covered by a specific test and the longer the time elapsed since the performance of the test, the less support for control risk reduction the test may provide. FLORIDA P A S S NEW I O N YORK NEW I N JERSEY T E G R I T CONNECTICUT Y E X C PENNSYLVANIA E L L E N C E GRAND CAYMAN A Division of Marcum LLP 18

19 Guidance To User Auditors Of Financial Statements For An Entity Using One Or More Service Organizations (Cont.) In considering whether the service auditor s report is satisfactory for his or her purposes, the user auditor should make inquiries concerning the service auditor's professional reputation. Appropriate sources of information concerning the professional reputation of the service auditor are discussed in Sect. 543, Part of Audit Performed by Other Independent Auditors. When assessing a service organization s controls and how they interact with a user organization's controls, the user auditor may become aware of the existence of significant deficiencies or material weaknesses in internal control. In such circumstances, the user auditor should consider the guidance provided in Sect. 325, Communicating Internal Control Related Matters Identified in an Audit (SAS 112/115). FLORIDA P A S S NEW I O N YORK NEW I N JERSEY T E G R I T CONNECTICUT Y E X C PENNSYLVANIA E L L E N C E GRAND CAYMAN A Division of Marcum LLP 19

20 Type 1 - Reports On Controls Placed In Operation Note: The following apply to both type 1 and type 2 reports The information necessary for a report on controls placed in operation ordinarily is obtained through discussions with appropriate service organization personnel and through h reference to various forms of documentation, such as system flowcharts and narratives. The description should contain a discussion of the features of the service organization s controls that would have an effect on a user organization's internal control. FLORIDA P A S S NEW I O N YORK NEW I N JERSEY T E G R I T CONNECTICUT Y E X C PENNSYLVANIA E L L E N C E GRAND CAYMAN A Division of Marcum LLP 20

21 Type 1 - Reports On Controls Placed In Operation (Cont.) They may include controls within the control environment, risk assessment, control activities, information and communication, and monitoring components of internal control. The control environment may include hiring practices and key areas of authority and responsibility. Risk assessment may include the identification of risks associated with processing specific transactions. Control activities may include policies and procedures over the modification of computer programs, and are ordinarily designed to meet specific control objectives. Information and communication may include ways in which user transactions are initiated and processed. Monitoring may include the involvement of internal auditors, audit committee, etc. FLORIDA P A S S NEW I O N YORK NEW I N JERSEY T E G R I T CONNECTICUT Y E X C PENNSYLVANIA E L L E N C E GRAND CAYMAN A Division of Marcum LLP 21

22 Type 1 - Reports On Controls Placed In Operation (Cont.) Although a service auditor s report on controls placed in operation is as of a specified date, the service auditor should inquire about changes in the service organization s controls that may have occurred before the beginning of fieldwork. If the service auditor believes that the changes would be considered significant by user organizations and their auditors, those changes should be included in the description of the service organization s controls. If the service auditor concludes that the changes would be considered significant by user organizations and their auditors, and the changes are not included in the description of the service organization s controls, then the service auditor should describe the changes in his or her report. Such changes include: Procedural changes made to accommodate provisions of a new Statement of Financial Accounting Standards Major changes in an application to permit online processing Procedural changes to eliminate previously identified deficiencies FLORIDA P A S S NEW I O N YORK NEW I N JERSEY T E G R I T CONNECTICUT Y E X C PENNSYLVANIA E L L E N C E GRAND CAYMAN A Division of Marcum LLP 22

23 Type 1 - Reports On Controls Placed In Operation (Cont.) Changes that occurred more than 12 months before the date being reported on normally would not be considered significant, because they generally would not affect user auditors considerations. The description of controls and control objectives required for these reports may be prepared by the service organization. If the service auditor prepares the description of controls and control objectives, the representations in the description remain the responsibility of the service organization. A service auditor s report expressing an opinion on a description of controls placed in operation at a service organization should contain: A: A specific reference to the applications, services, products or other aspects of the service organization covered. B: A description of the scope and nature of the service auditor s procedures. FLORIDA P A S S NEW I O N YORK NEW I N JERSEY T E G R I T CONNECTICUT Y E X C PENNSYLVANIA E L L E N C E GRAND CAYMAN A Division of Marcum LLP 23

24 Type 1 - Reports On Controls Placed In Operation (Cont.) C: Identification of the party specifying the control objectives D: An indication that the purpose of the service auditor s engagement was to obtain reasonable assurance about whether (1) the service organization s description presents fairly, in all material respects, the aspects of the service organization's controls that may be relevant to a user organization s internal control as it relates to an audit of financial statements; (2) the controls were suitably designed to achieve specified control objectives; and (3) such controls had been placed in operation as of a specific date. E: A disclaimer of opinion on the operating effectiveness of the controls F: The service auditor s opinion on whether the description presents fairly, in all material respects, the relevant aspects of the service organization s controls that had been placed in operation as of a specific date and whether, in the service auditor's opinion, the controls were suitably designed to provide reasonable assurance that the specified control objectives would be achieved if those controls were complied with satisfactorily FLORIDA P A S S NEW I O N YORK NEW I N JERSEY T E G R I T CONNECTICUT Y E X C PENNSYLVANIA E L L E N C E GRAND CAYMAN A Division of Marcum LLP 24

25 Type 1 - Reports On Controls Placed In Operation (Cont.) G: A statement of the inherent limitations of the potential effectiveness of controls at the service organization and of the risk of projecting to future periods any evaluation of the description H: Identification of the parties for whom the report is intended If the service auditor believes that the description is inaccurate or insufficiently i complete for user auditors, then the service auditor s report should so state and should contain sufficient detail to provide user auditors with an appropriate understanding. If there are significant deficiencies in the design or operation of the service organization s controls that preclude the service auditor from obtaining reasonable assurance that specified control objectives would be achieved, then the report should be modified. FLORIDA P A S S NEW I O N YORK NEW I N JERSEY T E G R I T CONNECTICUT Y E X C PENNSYLVANIA E L L E N C E GRAND CAYMAN A Division of Marcum LLP 25

26 Type 1- Reports On Controls Placed In Operation (Cont.) In our opinion, except for the matter referred to in the preceding paragraph, the accompanying description of the aforementioned application presents fairly, in all material respects, the relevant aspects of XYZ Service Organization s controls that t had been placed in operation as of [insert date]. For the service auditor to express an opinion on whether the controls were suitably designed to achieve the specified control objectives, it is necessary that: A: The service organization identify and appropriately describe such control objectives and the relevant controls B: The service auditor consider the linkage of the controls to the stated control objectives C: The service auditor obtain sufficient appropriate audit evidence to reach an opinion FLORIDA P A S S NEW I O N YORK NEW I N JERSEY T E G R I T CONNECTICUT Y E X C PENNSYLVANIA E L L E N C E GRAND CAYMAN A Division of Marcum LLP 26

27 Type 2 - Reports On Controls Placed In Operation And Tests Of Operating Effectiveness In addition to the requirements of type 1, there are additional requirements to type 2 Similar to type 1, the information necessary for a report on controls placed in operation ordinarily is obtained through discussions with appropriate service organization personnel and through reference to various forms of documentation, such as system flowcharts and narratives. However with a type 2, the service auditor must perform tests of controls. The service auditor applies tests of controls to determine whether specific controls are operating with sufficient effectiveness to achieve specified control objectives. Sect. 350, Audit Sampling, as amended, provides guidance on the application and evaluation of audit sampling in performing tests of controls. FLORIDA P A S S NEW I O N YORK NEW I N JERSEY T E G R I T CONNECTICUT Y E X C PENNSYLVANIA E L L E N C E GRAND CAYMAN A Division of Marcum LLP 27

28 Type 2 - Reports On Controls Placed In Operation And Tests Of Operating Effectiveness (Cont.) A service auditor s report expressing an opinion on a description of controls placed in operation at a service organization and tests of operating effectiveness should contain: A: A specific reference to the applications, services, products or other aspects of the service organization covered [same as type 1] B: A description of the scope and nature of the service auditor s procedures [same as type 1] C: Identification of the party specifying the control objectives [same as type 1] D: An indication that the purpose of the service auditor s engagement was to obtain reasonable assurance about whether (1) the service organization s description presents fairly, in all material respects, the aspects of the service organization s controls that may be relevant to a user organization s internal control as it relates to an audit of financial statements; (2) the controls were suitably designed to achieve specified control objectives; and (3) such controls had been placed in operation as of a specific date [same as type 1] FLORIDA P A S S NEW I O N YORK NEW I N JERSEY T E G R I T CONNECTICUT Y E X C PENNSYLVANIA E L L E N C E GRAND CAYMAN A Division of Marcum LLP 28

29 Type 2 - Reports On Controls Placed In Operation And Tests Of Operating Effectiveness (Cont.) E: The service auditor s opinion on whether the description presents fairly, in all material respects, the relevant aspects of the service organization s controls that had been placed in operation as of a specific date and whether, in the service auditor s opinion, the controls were suitably designed to provide reasonable assurance that the specified control objectives would be achieved if those controls were complied with satisfactorily [same as type 1] F: A reference to a description of tests of specific service organization controls designed to obtain evidence about the operating effectiveness of those controls in achieving specified control objectives. The description should include the controls that were tested, the control objectives the controls were intended to achieve, the tests applied, and the results of the tests. The description should include an indication of the nature, timing and extent of the tests, as well as sufficient detail to enable user auditors to determine the effect of such tests on user auditors' assessments of control risk. To the extent that the service auditor identified causative factors for exceptions, determined the current status of corrective actions, or obtained other relevant qualitative information about exceptions noted, such information should be provided [only type 2]. FLORIDA P A S S NEW I O N YORK NEW I N JERSEY T E G R I T CONNECTICUT Y E X C PENNSYLVANIA E L L E N C E GRAND CAYMAN A Division of Marcum LLP 29

30 Type 2 - Reports On Controls Placed In Operation And Tests Of Operating Effectiveness (Cont.) K: A statement that the service auditor has performed no procedures to evaluate the effectiveness of controls at individual user organizations [only type 2] L: A statement of the inherent limitations of the potential effectiveness of controls at the service organization and of the risk of projecting to the future any evaluation of the description or any conclusions about the effectiveness of controls in achieving control objectives [same as type 1] M: Identification of the parties for whom the report is intended [same as type 1] FLORIDA P A S S NEW I O N YORK NEW I N JERSEY T E G R I T CONNECTICUT Y E X C PENNSYLVANIA E L L E N C E GRAND CAYMAN A Division of Marcum LLP 30

31 Changing Uses Of SAS 70 Reports Scott Price, A-lign CPAs

32 Original Uses Of SAS 70 Reports Communicate operational controls to comply with SAS 55 Communicate controls and control testing results needed for user organization financial statement audit purposes Communicate controls and control ltesting ti results to company management and Board of Directors 32

33 Evolution Of SAS 70 Report Uses Comply with contractual obligations Comply with regulatory requirements HIPAA Gramm-Leach-Bliley FFIEC FDIC 33

34 Evolution Of SAS 70 Report Uses (Cont.) Communicate business continuity/disaster recovery controls Removal of business continuity/disaster recovery controls in 2002 audit guide Part of initial iti and annual vendor due diligence Requirement in requests for proposals (RFPs) 34

35 Effect Of Sarbanes-Oxley Caused SAS 70 audit changes Increase requirements for Type 2 SAS 70 audits Change in ending review period Increase in number of 12-month review periods Improvement in testing methods Additional user control consideration focus SAS 70 audit qualifications affect SOX 404 compliance 35

36 Marketing Benefits Of SAS 70 Audits Compliance with request for proposal requirements Competitive advantages Press release completion Reduced audit costs to user organizations 36

37 Not a certification i Common SAS 70 Report Misconceptions Not a security audit Not good for one-year period Sarbanes-Oxley does not mandate completion Not tfor cloud computing Not a restricted distribution report 37

38 Audit Requirements, Preparation Tactics Eric Wright, Schneider Downs Eric Wright, Schneider Downs Steve Thompson, Schneider Downs

39 Agenda For This Section Determining the service areas to test Setting testing locations and parameters Identifying control objectives and activities Proper length of the testing period How clients should prepare for a SAS 70 audit Common mistakes/best t practices 39

40 Determining Service Areas To Test 1. Determine who the user organizations are The first step in determining what service areas will be tested in a SAS 70 audit is to identify who the user organizations are and how the services provided by the service organization are likely to affect user organizations. Part of this determination should include whether user organizations are regulated by governmental agencies and if so, what impact such regulations will have on the scope of the engagement. 40

41 Determining Service Areas To Test (Cont.) 2. Determine what controls are relevant to users Service organization controls are considered relevant to a user organization s internal control if they represent or affect a user organization s internal control as it relates to an audit of financial statements. Service organizations generally should be able to identify the types of relevant assertions to which their controls are likely to relate. Certain aspects of the services provided or processing performed by the service organization may not be relevant to user organizations and their auditors, or may be beyond the scope of the engagement. Determining what areas are relevant to user organizations and their auditors is an important step early in the process. 41

42 Determining Service Areas To Test (Cont.) 3. Determine what controls/service areas are required by users Contractual obligations i of the service organization i may be another determining factor as to what service areas should be covered by the SAS 70 audit. Reviewing contracts with customers, and determining whether contracts include details relative to controls for which the service organization is responsible, is a key step that should be performed in conjunction with determining i what controls are relevant to users. 42

43 Determining Service Areas To Test (Cont.) 4. Identify risks that threaten achievement of control objectives Based on the determinations i of controls that are relevant to users and the controls that are required by users, service organization management should identify the risks that threaten the achievement of the control objectives over the core processes, systems and applications that are likely to have an impact on user organizations financial statements. 43

44 Setting Testing Locations And Parameters In conjunction with identifying the service areas to be tested, service organizations should identify the locations where controls reside and determine what locations should be included in the scope of the SAS 70 audit. Additionally, once user organizations are identified, the fiscal years of the user organizations should be identified. Type 2 service auditor reports are most useful when the examination period includes as many months as possible within user organizations fiscal years and is available for the user auditors to plan their audit procedures. Thus, the fiscal years of users are a key factor to consider for setting testing ti parameters. 44

45 Identifying Internal Control Objectives And Activities i i Once the service areas to be tested have been determined, control objectives and related control activities can be identified and documented within the service organization s description of controls. The service organization is responsible for preparing the detailed description of controls. The description of controls typically y should include the aspects of the service organization s control environment, risk assessment, information and communication systems, and monitoring that may affect the services provided to user organizations, as it relates to an audit of financial statements. The description should also include the control objectives and related controls, as well as any changes to controls since the later of the date of the last report or within the last 12 months. The process for identifying the control objectives and related control activities should include evaluation and linkage to the risks identified during the determination of service areas to be tested. The SAS 70 audit should typically include only those control objectives and related controls that relate to relevant financial statement assertions and mitigate the identified risks. 45

46 Proper Length Of The Testing Period To be useful to user auditors, Type 2 examination periods are ordinarily il six to 12 months in length. In certain situations, ti there are some reasons that may warrant the report period to cover less than six months, including: Controls cannot be tested for operating effectiveness for a six-month period, due to the service auditor being engaged close to the date by the which the SAS 70 report is to be issued. The service organization or a particular system or application has been in operation for less than six months. Significant changes have been made to the controls, and it is not practical to wait six months to issue a report or to issue a report prior to and after the changes. 46

47 How Clients Should Prepare For SAS 70 Audit 1. Determine who the user organizations are 2. Determine what controls are relevant to or required by user organizations 3. Identify risks 4. Set testing locations and parameters 5. Identify internal control objectives and activities 6. Determine the proper length of the testing period 7. Ensure there is proper evidence to support that controls to be tested should be retained 8. Sometimes, system changes to retain evidence will affect the performance of your system. 9. Control environment should be assessed for sustainability 10.Changes in processes, systems and the control environment must be considered and incorporated into the description of controls. 47

48 How Clients Should Prepare For SAS 70 Audit (Cont.) Additional procedures that service organizations should consider when preparing p for a SAS 70 audit include: Conducting a self assessment or readiness assessment to determine whether controls are in place and properly designed. Readiness assessments can help identify opportunities for control optimization and for improvement opportunities to processes and controls. They can also facilitate evaluation of documentation maintained to support operation of controls. Appointing one or two (one operational and one IT) service organization personnel to facilitate coordination of the SAS 70 audit procedures and documentation requests Conducting training of service organization employees to communicate the importance of the SAS 70 audit, to set expectations for the audit, to build awareness of the SAS 70 audit requirements, and to support a control-minded culture 48

49 Common Mistakes/Best Practices During the walk-through or process identification stage, process owners interviewed are not accurate in describing the process. Inaccurate narratives Inaccurate testing plan Results in duplication of effort as process is re-defined No accountability at the service organization to manage the process Inefficient process for management and auditor Need a proactive review of narrative and tests of controls each year to incorporate changes fresh look Insufficient documentation to evidence the control exists or can be tested Inconclusive testing Removal of control from report, which could affect achievement of the control objective Have controls to capture data for entire period to ensure completeness of the populations used for testing Inability to conclude on the full size of the population 49

50 Common Mistakes/Best Practices (Cont.) Lack of ownership as to who will write or prepare Section II of the report Report delays/missed deadlines Poorly written narratives not aligned with control objectives Report flow of Section II narrative is not cohesive or in agreement with Section III Controls described in narrative not included or tested in Section III Controls listed and tested within Section III not described in narrative 50

51 Contact Information Steve Thompson, Assurance Advisory Services Shareholder (412) or Eric Wright, Technology Advisory Services Shareholder (412) or Frank Dezort, Internal Audit and Risk Advisory Services Senior Manager (412) or Holly Russo, Internal Audit and Risk Advisory Services Manager (412) or h d Heather Haemer, Internal Audit and Risk Advisory Services Manager (412) or hhaemer@schneiderdowns.com h d 51

52 SSAE 16/ISAE 3402 Powell Jones, Grant Thornton

53 Agenda 1. Need for new standards 2. Recommended steps for service organizations 3. Key differences in new standards 4. Applying the right standard 2010 Grant Thornton LLP. All rights reserved. 53

54 What lies ahead for auditing controls at a service organization? 2010 Grant Thornton LLP. All rights reserved. 54

55 1. Need For New Standards Since 1992, SAS 70 has been the recognized standard. Changes in regulatory landscape generated need for additional information not covered by SAS 70 Need for global standard (ISAE 3402) Globalization of process outsourcing Converge standards in the U.S. (SSAE 16) Minimal differences with ISAE Grant Thornton LLP. All rights reserved. 55

56 1. Need For New Standards Timing Effective for reports with periods ending on or after June 15, 2011 Early adoption permitted 2010 Grant Thornton LLP. All rights reserved. 56

57 2. Recommended Steps For Service Organizations 1. Review internal monitoring and/or testing processes to determine if they are sufficient to support the written management assertion required by the standards d 2. Select and document the criteria that management would use to support its written management assertion 3. Identify the risks that threaten the achievement of the control objectives 2010 Grant Thornton LLP. All rights reserved. 57

58 2. Recommended Steps For Service Organizations (Cont.) 4. If reliance on sub-service organizations, determine if the carve-out or inclusive method would be used If the inclusive method is selected, initiate conversations with sub-service organizations regarding the new requirements (e.g., written assertion from the sub-service service provider in the report) 5. Review the existing SAS 70 description of controls and make any necessary enhancements to include any missing components to fully describe the system 2010 Grant Thornton LLP. All rights reserved. 58

59 2. Recommended Steps For Service Organizations (Cont.) 6. Develop a communication plan regarding the new standards for your customer-facing employees, and sales and contract teams 7. Consider effects, if any, on customer contracts and contract templates 2010 Grant Thornton LLP. All rights reserved. 59

60 3. Key Differences In New Standards Changes To Description Of The System Section II will include more robust description of the service organization s system aspects of the service organization s control environment, risk assessment process, information and communicating systems (including relevant business processes), control activities and monitoring activities that are relevant to the services provided Grant Thornton LLP. All rights reserved. 60

61 3. Key Differences In New Standards Changes To Description Of The System (Cont.) Additional information could include: - Services provided and related procedures - Initiation, authorization, recording, processing, reporting - Classes of transactions processed - Processes to prepare reports for customers - Other aspects of COSO framework - Changes during period 2010 Grant Thornton LLP. All rights reserved. 61

62 3. Key Differences In New Standards Management s Written Assertion SAS 70 SSAE 16 Auditor s report need not be accompanied by management s written assertion Management s written assertion required to accompany auditor s report If a service organization uses subservice organization(s) and elects to use the inclusive method, the subservice organization(s) assertion also accompanies the auditor s report Management s assertion must include the suitable criteria used for its assessment 2010 Grant Thornton LLP. All rights reserved. 62

63 3. Key Differences In New Standards Type 2 Reporting SAS 70 SSAE 16 For Type 2 reports, the opinion on fair presentation of the system and suitability of design is as of a point in time. For Type 2 reports, the opinion on fair presentation of the system and suitability of design is for the period covered by the report. Level of work effort is expected to be minimal! 2010 Grant Thornton LLP. All rights reserved. 63