
SAS #70 (as Amended by SAS #88)

Service Organizations

NSAA IT Conference

September 28, 2006

Nashville, TN

Presented by:

Michael A. Billo, CISA, CGAP

PA Department of Auditor General

Objectives

• To recognize the use of a service organization

• To provide guidance in determining when controls at the service organization should be considered during the audit

• To understand the difference between a Type 1 and Type 2 review (report)

Overview and Purpose

SAS No. 70, as amended, is not applicable to every service provided by a service organization. It is applicable only if the service is part of the user organization’s information system.


Information System

… that which identifies, captures, and exchanges information (data) in a form and time frame that enables people to carry out their responsibilities.

… not always directly related to an audit of financial statements; however, the guidance talks heavily about f/s audits.


For this presentation …

Think of the relevance of service organizations’ effects NOT ONLY on the financial statements BUT ALSO on the Audit Objective(s)!

Information System Indicators from SAS #88:

A service organization’s services are part of an entity’s information system if they affect any of the following:

Information System (SAS #88)

• How the entity’s transactions are initiated

• The accounting records, supporting information, and specific accounts in the financial statements involved in the processing and reporting of the entity’s transactions

• The accounting processing involved from the initiation of the transactions to their inclusion in the financial statements, including electronic means (such as computers and electronic data interchange) used to transmit, process, maintain, and access information

• The financial reporting process used to prepare the entity’s financial statements, including significant accounting estimates and disclosures

So What is SAS 70?

“SAS #70”

• … a separate review engagement designed to provide information about control objectives that may be relevant to other audit engagements depending on the other audit engagements’ objectives.


Purpose of SAS 70 Reports

• Primary purpose is to provide information to auditors of user organizations

• Not for public disclosure – too much detailed information could be a security risk


Definitions

• User organization

• User auditor

• Service organization

• Service auditor

User Organization

The entity that has engaged a service organization and that is being audited.

User Auditor

The auditor of the user organization.

Service Organization

The entity (or segment of an entity) that provides services to a user organization that are part of the user organization’s information system.

Service Auditor

The auditor who reports on controls of a service organization that may be relevant to a user organization’s internal control.

Examples of Service Organizations

• Trust departments of banks and insurance companies

• Transfer agents, custodians, and recordkeepers for investment companies

• Mortgage servicers or depository institutions that service loans for others


• Application Service Providers

• Internet Service Providers

• Other Information Technology Entities


Advantages of Service Organizations

• Controls at the service organization can be good – they do this kind of work all the time.

• Good controls are part of good customer service.

Be on guard though – some service organizations are not mindful of controls – or at least controls are not as important as service!


Internal Control

The concept of an entity’s internal control is fundamental to SAS No. 70, and is defined in SAS No. 55, Consideration of Internal Control in a Financial Statement Audit, as amended (94). Internal control is a process – effected by an entity’s board of directors, management, and other personnel – designed to provide reasonable assurance regarding the achievement of objectives in the following categories:


a) Reliability of financial reporting

b) Effectiveness and efficiency of operations,

c) Compliance with applicable laws and regulations.


Back to SAS #94

These service organization controls may represent or affect a user organization’s:

1. control environment,

2. risk assessment,

3. control activities,

4. information and communication, or

5. monitoring

components of internal control.


Internal Control (SAS #94) Components

1. Control Environment sets the tone of an organization, influencing the control consciousness of its people.

2. Risk Assessment is the entity’s identification and analysis of relevant risks to achievement of its objectives, forming a basis for determining how the risks should be managed.

3. Control Activities are the policies and procedures that help ensure management directives are carried out.

4. Information and Communication systems support the identification, capture, and exchange of information in a form and time frame that enable people to carry out their responsibilities.

5. Monitoring is a process that assesses the quality of internal control performance over time.

Aspects of Control Environment

• Integrity and ethical values

• Commitment to competence

• Board of Directors or audit committee participation

• Management’s philosophy and operating style

• Organizational structure

• Assignment of authority and responsibility

• Human resource policies and practices

Aspects of Risk Assessment

• Changes in the operating environment

• New personnel

• New or revamped systems

• Rapid growth

• New technology

• New business models, products, or activities

• Corporate restructurings

• Expanded foreign operations

• New accounting pronouncements

Aspects of Information and Communication

… procedures, whether automated or manual, and records established by the service organization to:

– Initiate, record, process, and report a user organization’s transactions (as well as events and conditions) and maintain accountability for the related assets, liabilities, and equity.

– Provide an understanding of the individual roles and responsibilities pertaining to internal control over reporting.

Aspects of Information and Communication (cont’d.)

• Auditor must understand:

– Classes of transactions

– Procedures (automated & manual)

– The related accounting records

– How the information system captures other events and conditions

– The financial reporting process

Aspects of Monitoring

• Internal auditors

• Quality control

• External communications

– Customer complaints

– Regulators

Objectives and Components

There is a direct relationship between the objectives (which are what the entity strives to achieve) and the components (which represent what is needed to achieve the objectives).

SAS No. 70 addresses the effect that a service organization may have on an entity’s (user organization’s) objectives.

We will focus on the overall internal controls of the user organization, rather than specifically on the service organization’s internal controls – the overall assessment is the key!

More Definitions

Controls – the policies and procedures an entity establishes to implement one or more aspects of the five components of internal control. Controls may exist at the user organization or at the service organization.

Service organization’s controls – Controls at a service organization that are part of a user organization’s information system.

Control Objectives – Generally, financial statement reporting control objectives, but also may encompass compliance or operational control objectives.

Assertions are …

• Either explicit or implicit and can be classified according to the following broad categories:

– Existence or occurrence

– Completeness

– Rights and obligations

– Valuation or allocation

– Presentation and disclosure

Examples of Assertions in User Organization’s Financial Statements and Related Service Organization Control Objectives

Example (1)

• Assertion: Existence or occurrence

• Control objective: Savings deposits and withdrawal transactions are received from authorized sources.

Example (2)

• Assertion: Completeness

• Control objective: Savings deposit and withdrawal transactions received from the user organizations initially are recorded completely and accurately.

• Control objective: Output data and documents are complete and accurate and distributed to authorized recipients timely.

Example (3)

• Assertion: Valuation or allocation

• Control objective: Programmed interest and penalties are calculated in conformity with the description.

• Control objective: Output data and documents are complete and accurate and distributed to authorized recipients timely.

Example (4)

• Assertion: Completeness

• Control objective: Investment purchases and sales are recorded completely, accurately and timely.

Example (5)

• Assertion: Valuation or allocation

• Control objective: Investment income is recorded accurately and timely.

Example (6)

• Assertion: Rights and obligations

• Control objective: Investment purchases and sales are recorded completely, accurately, and timely.

When Is a Service Organization Important?

• In planning the audit when transactions, accounts, processes, or operations are subjected to controls that are, at least in part, physically and operationally separate from the user organization.

How Do I Set Risk?

• Auditor may initially set control risk at maximum.

or

• Auditor may obtain evidence about the effectiveness of the design and operation of controls (TEST) to determine if a basis exists to set control risk below maximum.


What is Control Risk?

• The risk that a material misstatement could occur in a management assertion and will not be prevented or detected on a timely basis by the entity’s internal control.

• It is also the process of evaluating the effectiveness of an entity’s internal control in preventing or detecting significant failure to meet compliance or operational objectives (assertions).


What Must I do About Controls?

• Always gain an understanding of the design of controls and whether they have been placed in operation.

• Test those controls (if I want to reduce my control risk)

What Are Key Controls? Where Are Key Controls?

Controls that are considered critical by the user auditor to achieving specific control objectives

Whatever You Do….

You’ll have to use Auditor Judgment!

• Look at your Audit Universe

• Consider your Audit Objectives

• Balance and Gauge Your Audit Risk

and then…

Make Decisions and Document Your Rationale

So How Do I Do This?

• Use a step down / step through approach (some yes/no’s & if/then’s)

• You Must Know your audit objective and audit universe to do it!


Step 1

• What does the service organization do?


Step 2

• Does the service organization’s function/process relate to my audit objective and/or my audit universe?

• If NO I don’t need to consider controls at the service organization

• If YES, I proceed to Step 3


Step 3

• How much activity (transactions, accounts, processes, operations and/or procedures) of the user organization are at the service organization?

• How much internal control did the user org. (auditee) give up to the service org.?

• Gauge activity by dollars, volume, and other relevant thresholds.


Step 4

• Is the activity at the service organization minimal for the user organization?

and

• Is the audit approach at the user organization sufficient to give adequate audit coverage?


Now What?

• If the answers to both questions in Step 4 are YES, I don’t need a SAS 70 of the service organization – I have enough to plan my audit and assess control risk.

• If the answers to both questions in Step 4 are NO, I need to do more to understand controls at the service organization.


HOWEVER !!

• As government auditors – you may act conservatively and go the extra mile.

• Obtain the SAS 70, if available, just in case it contains BIG issues in the report.

• If a SAS 70 is not available, you may want to recommend obtaining one.


Step 5

• If the answers to the questions in Step 4 are NO, I have to do more.

• Is there a SAS 70?

• If YES, obtain it and evaluate it.

• How do I evaluate it – let’s start with the degree of interaction between the user org’s I/C and the service org’s I/C.


Degree of Interaction

• Refers to the extent to which a user organization is able to and elects to implement effective controls over the processing performed by the service organization.


How Do I Understand Interaction?

• Start with a review of the contract – what contractually should the service organization be doing for the user organization?

• Does the contract mention responsibility for controls?

• Interview and observe.


What Is High Interaction?

• Services provided by the service organization are limited to

– Recording user organization transactions

– Processing the related data

• User organization retains responsibility for authorizing transactions and maintaining related accountability


Example of High Interaction

• Employee benefit plan (EBP) uses a bank for a directed trust

– EBP makes investing decisions (bank not allowed to execute transactions without specific approval)

– EBP reconciles its own records of investments to the bank’s records


Example of Moderate Interaction

• Same employee benefit plan (EBP) using a directed trust

– EBP authorizes transactions

– EBP chooses not to generate independent investment records and relies on the bank’s statements


Example of Low Interaction

• Same employee benefit plan (EBP) uses a discretionary trust

– Bank is given broad authority to invest the plan’s assets

– EBP has no way to generate independent records


What If There’s No SAS 70?

• User auditor can ask the auditee (user organization) to request that a service auditor be engaged to perform procedures that will provide the necessary information.

• User auditor may visit the service organization and perform procedures there.


Another Alternative: Agreed-upon procedures

AICPA APR lists an agreed-upon procedure engagement as an alternative to have tests of controls performed.

– However, you would need to understand the control design in order to specify what tests needed to be performed.

– This alternative seems to be available when there is a type 1 report (no testing) describing the controls.

– The service organization hires the service auditor to perform testing.

What If You’ve Exhausted All Options?

The AICPA says…

“If the user auditor is unable to obtain sufficient evidence to achieve his or her audit objectives, the user auditor should qualify his or her opinion or disclaim an opinion on the financial statements because of a scope limitation.”

70

If you need to settle a bar bet …

AICPA APR says – “SAS 60 does not apply to a service auditor’s engagement because it provides guidance on identifying and communicating reportable conditions … during the audit of … financial statements.”

Two Types of Service Auditors’ Reports – Form and Content

Two Types of Reports

• Type 1 report – a report on controls placed in operation

• Type 2 report – a report on controls placed in operation and tests of operating effectiveness

What’s the Difference?

• Type 1 – concludes on the design of the controls only – no testing

– This type of report is useful only in “gaining an understanding”

• Type 2 – includes tests of operating effectiveness

– This type of report may allow user auditors to rely on controls to reduce risk

Report Format

• Section 1 – Service Auditor’s Report (the auditor’s opinion)

• Section 2 – Service Organization’s Description of Controls

• Section 3 – Information Provided by the Service Auditor

• Section 4 – Other Information Provided by the Service Organization


Format of Type 1 and Type 2 Reports Are Flexible

• However, the organization and presentation of the reports always should differentiate between:

1) The service auditor’s report (the opinion letter)

2) The service organization’s description of controls

3) Information provided by the service auditor

4) Other information provided by the service organization


Types and Sections Recap

• Type 1 and type 2 – refer to the entire document

• Sections 1, 2, 3, 4 – refer to only parts of the document

• Service auditor’s report – refers to section 1

Section 1 – The Service Auditor’s Report

• Letter issued by the service auditor expressing an opinion on the

– Fairness of the presentation of the service organization’s description of controls

– The suitability of the design of the controls to achieve specified control objectives

– In a type 2 engagement – whether the specific controls were operating with sufficient effectiveness to achieve the related control objectives

Section 1 Can Not Be Distributed Alone

• The service auditor’s report (section 1 – the letter issued by the service auditor) should not be distributed without the:

– Accompanying description of the service organization’s controls, and

– The description of the service auditor’s tests of operating effectiveness and the results of those tests (when applicable)

Section 2 – Service Organization’s Description of Controls

• The service organization’s description of controls generally is prepared by the service organization.

• The service organization is responsible for the completeness, accuracy, and method of presentation of the description.


Section 2 – Description of Controls

• Service organization controls are considered relevant to a user organization’s internal control if they represent or affect a user organization’s internal control as it relates to audit objectives.


• The service organization’s description of controls should provide sufficient information to user auditors to understand how the service organization’s processing affects the components, BUT not so detailed as to potentially allow a reader to compromise security or other controls.


• The controls should be tailored to the service provided by the service organization, and if appropriate, help the user organization(s) achieve financial reporting, operational and compliance objectives.


Section 2 - Computer Processing

• Most service organizations depend primarily on computer processing to perform contractual services.

• The description of controls should include a synopsis of the computer environment and the related general computer controls and objectives.


Section 2 - General Computer Controls

• Program change controls

• Controls that restrict access to programs and data (physical and logical access controls)

• Controls that affect the processing of data (including application controls, such as program edits)


What about business continuity and disaster/contingency planning?

• Plans are not Controls; therefore, control objectives should not include this topic.

• However, a service organization can include this topic in Section 4 (other information provided by the service organization).


Section 3 – Information Provided by the Service Auditor

– a description of the tests of the operating effectiveness of controls and the results of those tests (only in a type 2 report)

– Other information provided by the service auditor (optional in both type 1 and type 2 reports)


Section 3 – Information Provided by the Service Auditor

Tests of Operating Effectiveness

• The following elements should be included in the description:

– The controls that were tested.

– The control objectives the controls were intended to achieve.

– An indication of the nature, timing, extent, and results of the tests applied in sufficient detail to enable user auditors to determine the effect of such tests on their assessment of control risk.

Section 3 – Information Provided by the Service Auditor

Other Information to Include

• Information that more fully describes the objectives of a service auditor’s engagement or information relating to regulatory requirements.

• Recommendations for improving the service organization’s controls.


Section 4 – Other Information Provided by the Service Organization

• A service organization may wish to present other information, e.g., contingency plans, in this section that is NOT a part of the description of controls – and consequently, not covered by the service auditor’s opinion (section 1).

Who Determines What Type of Review (1 or 2)?

• Type of engagement should be determined by the service organization

• However, discussions between the management of the service organization and the management of the user organization(s) are advisable


So … What Would We Talk About?

• Discussions between the service organization and user organization(s) could identify:

– Whether report will be type 1 or type 2

– The services or applications that will be covered by the report

– Control objectives reviewed/tested

Procedures in a Type 1 Engagement

• Review the description of controls prepared by the service organization

• Inquire of appropriate management and staff

• Inspect documents to confirm management representations

• Observe control activities


Control objectives are usually specified by the service organization; however, they may be designated by an outside party, e.g., a regulatory agency or a user group.

If specified by the service organization – they should be reasonable in the circumstances and consistent with the service organization’s contractual obligations.

If specified by an outside party, the outside party is responsible for their completeness and reasonableness.

Using Type 1 and Type 2 Reports

• First – inquire about the professional reputation of the service auditor (guidance in SAS 70 AU section 324.19).

• Determine whether a given type 1 or type 2 report will meet audit objectives – READ the WHOLE REPORT!!!

The report alone does NOT provide the user auditor with the understanding necessary to plan the audit!


The auditor should consider the information in the type 1 or 2 report, and determine whether he or she has enough information to:


• Understand the aspects of the service organization’s controls that may affect the processing of the user organization’s transactions.

• Understand the flow of significant transactions through the service organization.

• Determine whether the control objectives are relevant to the user organization’s f/s assertions.

• Determine whether the service organization’s controls are suitably designed to prevent or detect processing errors that could result in material misstatements in the user organization’s f/s.


The user auditor should also determine whether the service organization’s description is as of a date that is appropriate for the user auditor’s purpose.

Careful on this -- controls may have changed!

Goal of Type 1 Procedures

• Express an opinion on whether the

– Description presents fairly, in all material respects, the service organization’s controls placed in operation as of a specified date

– Design of controls would provide reasonable assurance that the control objectives would be achieved if those controls were complied with satisfactorily

– Note: NO TESTING!!

Purpose of a Type 1 Report

• Provide user auditors with information about the controls at the service organization

• Information should assist the user auditor in obtaining a sufficient understanding of the user organization’s internal control to plan the audit (in accordance with SAS 94)

Type 1 – What Do We Do With This Understanding of Internal Controls?

• Identify the types of misstatements that may occur in the user organization’s financial statements

• Consider the factors that affect the risk of material misstatement

• Design substantive tests


Type 2 – Something Extra

• In a type 2 engagement, the service auditor performs the procedures required for a type 1 engagement and

• Also performs tests of specific controls to evaluate their operating effectiveness

Goal of Type 2 Procedures

• Express an opinion on whether the:

– Controls were suitably designed to provide reasonable assurance that the specified control objectives would be achieved if those controls were complied with satisfactorily.

Type 2 – Use by the User Auditor

Need to Consider:

1. Report on the operating effectiveness of the controls

2. Description of the tests of the operating effectiveness of controls that may be relevant to your audit objective


Type 2 – Use by User Auditor – Need to Determine Whether:

– The report provides adequate evidence of the nature, timing, extent and results of operating effectiveness for the user auditor to set control risk below maximum.

– The timing of the tests is appropriate for his/her purposes.

– The report identifies results of tests (exceptions and other information that could affect his/her considerations).

Must Also Consider Controls at the User Organization

• Controls at the user organization should complement the controls at the service organization

• User control considerations


Complementary Controls

• In some cases, a service provided by the service organization may be designed with the assumption that certain controls will be implemented by the user organization.

• For example, user organizations authorize transactions before they are processed by the service organization.


Type 2 – Use by User Auditor

• The results of the testing may be part of the evidence the user auditor relies on to:

– Assess control risk below the maximum for certain management assertions affected by the service organization

– Reduce the extent of substantive procedures performed for those assertions.

Strong Warning!

• AICPA says: “Under no circumstances should the service auditor’s report (the letter issued by the service auditor) be the only basis for reducing the assessed level of control risk below the maximum.”


Never Eliminate Substantive Tests!

• Although a type 2 report (with testing) and other evidence may allow you to reduce your testing,

• “…Neither a type 1 nor a type 2 report is designed to provide a basis for assessing control risk sufficiently low to eliminate …substantive tests….”


Miscellaneous Issues/Considerations

Exceptions

• AICPA says:

“exceptions noted by the service auditor or a report modification in the service auditor’s report do not automatically mean that the service auditor’s report will not be useful in planning the audit of a user organization’s financial statements or in assessing control risk.”

Miscellaneous Issues/Considerations

Reportable Conditions

• If a user auditor sees reportable conditions in the SAS 70 report, they may be reportable conditions to the user organization – may need to include in report or management letter

Miscellaneous Issues/Considerations

Timing

• A SAS 70 report is “as of” a specific date

• How useful the SAS 70 report will be depends on how that date fits with your audit period.


Keep in Mind…

– The shorter the period covered by the specific test and the longer the time elapsed since the performance of the test --- the less support for control risk reduction

Does the description of controls need to be updated?

• If the service organization’s description of controls is as of a date that precedes the beginning of the audit period, the user auditor should consider updating the information in the description to determine if there are changes in the service organization’s controls relevant to the processing of the user organization’s transactions.


Procedures to update may include:

• Discussions with user organization personnel who are in a position to know about changes at the service organization.

• A review of current documentation and correspondence issued by the service organization.

• Discussions with service organization personnel or with the service auditor.


Miscellaneous Issues/Considerations

Management Representation Letter

• In all engagements, a service auditor should obtain written representations from the service organization’s management.

• AU section 324.57 provides guidance as to the types of representations the service auditor should obtain.


Miscellaneous Issues/Considerations

Internal Auditors

• A service organization may have an internal audit department that performs tests of controls as part of its audit plan.

• The service auditor may determine it effective and efficient to use the work.

• Service auditor should then consider the guidance in SAS No. 65


Miscellaneous Issues/Considerations

Engagements to Report ONLY on General Computer Controls

• Service organizations may engage an auditor to report only on its controls related to computer processing.

• Generally appropriate if the service organization provides only computer hardware and system software.


Service Organizations That Use Other Service Organizations

Subservice Organizations

Apply what was learned previously to another level!

One Big Difference

• The service organization determines whether its description will include controls of the subservice organization by using:

– The carve-out method (don’t include)

– The inclusive method (include)

Questions and Comments

Thank you for your attention!