BC54: Preparing for a SAS 70 Audit

Transcription

1 BC54: Preparing for a SAS 70 Audit Kathleen Lucey Montague Risk Management kalucey@montaguetm.com tel:

2 What is SAS 70? History and Purpose What does it include? Type 1 vs. Type 2 Grades Audit Preparation Process Cost estimates References 2

3 SAS 70 History Statement on Auditing Standards (SAS) No. 70, Service Organizations: American Institute of Certified Public Accountants (AICPA). April May 2005 AICPA Guidance: Service Organizations, Applying SAS No. 70, as Amended Other relevant standards: Auditing Standard AS 2, PCAOB: Appendix B: SAS 70 service auditor s report format satisfies requirement to assess operating effectiveness of controls at a service organization. Auditing Standard AS 5, PCAOB, July Guidance on most important matters for internal controls auditing. Appendix B17-B27 notes the important role played by SAS 70 audit reports in assuring the operating effectiveness of internal controls at a service organization. Supports Section 404 of SOX. ISAE 3402, IAASB, Assurance Reports on Controls at a Third Party Service Organization, December 2007 draft. 3

4 SAS 70 Audit Purpose Not required by any government agency. Generally requested by services users (customers) whose SOX 404 auditors ask them to request it. The audited firm itself determines the specific content: control objectives and implementing controls; complementary controls. Safe and Sound audit: gives third-party validation that provided service is reliable. 4

5 SAS 70 Audit Purpose The primary purpose of a SAS 70 audit is SALES: INCREASED MARKET SHARE OR COMPETITIVE ADVANTAGE. 5

6 Type 1 vs. Type 2 Type 1 audits presence and effectiveness of controls supporting designated control objectives at a single point in time: snapshot. Type 2 audits presence and effectiveness of controls supporting designated control objectives over an appropriate interval generally 6-9 months. 6

7 SAS 70 Grades No qualifications = controls are complete and achieve their objectives. One or more qualifications = one or more controls are not complete and/or do not achieve their objectives. No opinion: Too few controls and/or too little data to evaluate control effectiveness in designated areas. No bright line between multiple qualifications and No opinion. 7

8 Preparing for a SAS 70 Audit Select Organizational areas to be audited: Must cover all departments and physical locations that could reasonably affect the correctness and reliable delivery of services to customers. The entire organization may not need to be audited. May lead to a request for a SAS 70 audit from one or more critical suppliers to the services provider. Consider conducting a pre-audit by an external firm to ascertain the level of company preparedness. 8

9 Preparing for a SAS 70 Audit Write and implement policies and procedures as necessary to support controls. Ensure that sufficient personnel are assigned to support their use. Be prepared to demonstrate the effectiveness of controls, as well as how they interlock. Be prepared to demonstrate effectiveness in writing, and especially in reports from automated systems. 9

10 Preparing for a SAS 70 Audit (more) Allocate staff or contract resources to perform audit preparation and pre-audit assessment team support. Interview and select pre-audit test firm. Schedule pre-audit assessment. Assess audit readiness; decide whether to proceed. Interview and select audit firm to perform SAS 70 audit. Schedule. Allocate staff support. Allocate additional staff or contract resources to support full SAS 70 audit (more for Type 2 than for Type 1). 10

11 Sample Control Objective Areas Organization and Administrative Controls Computer Operations Controls Program Development and Documentation Controls 11

12 Sample Control Objective Areas Physical Security Controls Environmental Protection Controls Logical Security Controls 12

13 Sample Control Objective Areas System Software Maintenance Controls Disaster Recovery and Business Continuity Controls Telecomm & Network Controls 13

14 Finding a SAS 70 Audit Firm Cannot be your usual auditor. If the auditor is not a recognized name, the value of the audit decreases. Choose one that is known in your services market. Get references from any firm being considered. Talk to the references. Ask about pricing. 14

15 Expense Elements 1. Preparation and support activities by internal or contract staff. 2. Pre-audit assessment by external audit firm. 3. Preparation: loss of productivity of internal staff, or cost of contract staff. If the organization if immature, this can be very expensive. 4. Type 2 is much more expensive than Type 1. Consider doing a Type 1 while you prepare for a Type Purchase and implementation of enabling tools: software, equipment, training, additional staff. 15

16 Expense Elements 6. Additional staff to support more robust control environment: this can be particularly expensive in less formal, less mature organizations. 7. Dedicated staff (internal or contract) to support auditors throughout the audit. 8. Audit firm engagement. 16

17 In summary 1. Do not automatically commit to provide a SAS 70 audit in order to get a contract signed. The cost may be more than the value of the contract. 2. Spend the time to calculate the realistic costs of obtaining a no qualifications SAS 70 audit for your firm. It may not be to your advantage to do a SAS 70 audit if your company culture is not mature. 3. If you do not have experience in this area, accept that you need to learn from experienced people. 4. A SAS 70 audit may provide a strategic competitive advantage ---or it may not. It depends on your market. It is too costly to take on without serious thought. 17

18 References Industry Organization Website American Institute of Certified Public Accountants AICPA source for official SAS 70 and other auditing publications International Auditing and Assurance Standards Board Information Systems Audit and Control Association IT Governance Institute. Home of the Control Objectives for Information and related Technology (CobIT) Public Company Accounting Oversight Board Securities and Exchange Commission