Fall 2009 issue of Horizons

Raise Your Expectations CERTIFIED PUBLIC ACCOUNTANTS AND BUSINESS CONSULTANTS

Gaining Market Share through the Use of a SAS 70

By Audrey Katcher, CPA, CISA

Completing a control assurance report (SAS 70) can differentiate you from your peers and provide a competitive advantage in the marketplace.

What is a SAS 70?

Statement on Auditing Standards No. 70, Service Organizations, prescribes the guidance for an independent auditor to examine and report on a service organization’s internal controls. The SAS 70 report was designed to enable user auditors to obtain an understanding of the controls over activities, processes and functions performed at a service organization that are part of a user organization's overall internal control environment. This examination results in a report with limited distribution to the organizations using the service organization’s services and their financial statement auditors.

The report provides the following information:

• Auditor’s opinion
• Comprehensive description of systems, processes, and the controls and control environment at the service organization
• Auditor’s tests of the controls and the results of those tests
• Definition of the controls for the client to perform in support of the overall achievement of control objectives (user control considerations)
• Other information provided by the service organization (such as information about disaster recovery processes and other definitions/terms)

Who typically has a SAS 70?

Organizations that process information for others, host applications/technology for others or perform other types of outsourcing may need a SAS 70. Such entities often include:

• Application/Internet Service Providers, IT hosting entities
• Fund administrators
• Insurance claims third-party administrators
• Trust departments of banks

SAS 70 Terminology

Key definitions per the AICPA Audit Guide for Service Organizations include:

User organization: The entity that has engaged a service organization and whose financial statements are being audited.

User auditor: The auditor who reports on the financial statements of the user organization.

Service organization: The entity (or segment of an entity) that provides services to a user organization that are part of the user organization's information system.

Service auditor: The auditor who reports on controls of a service organization that may be relevant to a user organization's internal control as it relates to an audit of financial statements.
