Prüfung von Outsourcing mit SAS70

Transcription

1 Prüfung von Outsourcing mit SAS70 AGENDA Historical flashback Reasons for the standard Major contents Potential areas of SAS 70 application Audit approach and Responsibility Client and Service Provider benifits Presented by Tamer Basman, CISA Seite 1 Historical flashback I As early as the 1960 s the Auditing Standards Board recognized the need for service providers to report on their controls to their customers (the users ) Historically, a CPA s primary service was the audit of financial services Generally Accepted Auditing Standards (GAAS) was created to provide uniform standards for the profession GAAS was promulgated via Statements on Auditing Standards (or SAS) (pre-sox) All SAS s collectively have been codified in the AICPA literature in the AU (short for audit ) series of pronouncements AICPA=American Institute of Certified Public Accountants Seite 2 1

2 Historical flashback II The concept of Internal Control is fundamental to an audit of Financial Statement (F/S) SAS 55 first documented standards for the auditor s consideration of Internal Controls (I/C) in a F/S audit SAS 78 updated SAS 55 to incorporate the COSO framework SAS 94 updated SAS 55/78 to reflect the impact of current technologies on I/C These SASs are codified in Section AU319 SAS 70 is codified in GAAS as section AU 324 COSO:Committee of Sponsoring Organizations of the Treadway Commission Seite 3 Reasons for the standard I Applying a Service Organization to a User Organization Service Organization Services Provided Scope of a SAS 70 Report Services Outsourced User Organization Seite 4 2

3 Reasons for the standard II The early service providers were computer service bureaus, offering single applications The F/S auditor of a user of a service provider is NOT relieved of their professional responsibilities under AU319 Internal Controls at the service provider that relate to the financial statements of the user organization must still be considered Seite 5 Reasons for the standard III What is SAS 70? An audit conducted in accordance with Statement on Auditing Standard (SAS) No. 70 is a highly specialized audit of the design and operational effectiveness of a service organization s internal controls over processing transactions for user organizations. A report issued by an independent auditor under Statement on Auditing Standards No. 70 Covers controls exercised by a service organization on behalf of its customers Relates to the user organization s financial statement assertions SOX 404 Audit relevance Seite 6 3

4 Major contents I Parties involved in SAS 70 Company A (Service Organization) CPA Firm (Service Auditor) Company A s Customers (User Organizations and Internal Auditors) CPA Firm (User Organization Third Party Auditor) Seite 7 Major contents II Audit approach Control environment Risk assessment Information and communication systems Monitoring Control Activities COSO Framework is also adopted by the PCAOB Standard No.2 refer to PCAOB p.a-11, paragraph 14 SAS 70 recognizes COSO Framework refer to AICPA Audit Guide(May 2004) par 2.17 and 2.28 Seite 8 4

5 Major contents III Audit approach COSO Framework Control Environment The control environment sets the tone of an organization, influencing the control consciousness of its people Risk Assessment Every entity faces a variety of risks from external and internal sources that must be assessed both at the entity and the activity level Control Activities These policies and procedures help ensure management directives are carried out Information and Communication Pertinent information must be identified, captured and communicated in a form and timeframe that supports all other control components Monitoring Internal control systems need to be monitored a process that assesses the quality of the system s performance over time Seite 9 Major contents IV SAS 70 Report Components Report Contents Type I Type II 1. Independent service auditor's report (i.e. opinion). 2. Service organization's description of controls. 3. Information provided by the independent service auditor; includes a description of the service auditor's tests of operating effectiveness and the results of those tests. 4. Other information provided by the service organization (e.g. glossary of terms). Optional Optional Optional Seite 10 5

6 Potential areas of SAS 70 application Application Service Providers Medical Claims Processing Employee Benefits Processing Banking Service Bureaus Credit Card Processing Internet Service Providers Trust Departments of banks and insurance companies Transfer agents, custodians or record-keepers for investment companies Mortgage services or depository institutions that service loans for others Regional Transmission Organizations Seite 11 Responsibility I Report Sections and Responsibility I. SECTION Independent Service Auditors Report II. Company A Description of Controls and Procedures RESPONSIBILITY External Auditor (Service Provider) Service Provider III. Tests of Operating Effectiveness External Auditor (Service Provider) IV. Other Information Provided by Company A (Optional) Service Provider Seite 12 6

7 Responsibility II Refer to AICPA Audit Guide (May 2004) Section 4.05 to 4.28 The Service Provider is responsible for: Determining control objectives Providing description of internal controls Determining the report type Communicating significant changes to environment The Service auditor is responsible for: Being independent first and foremost Determining appropriateness of control objectives Examining description of controls Conducting appropriate tests of controls Expressing an opinion Seite 13 Client and Service Provider benifit To reduce disruption from multiple user audits Communicate information about the service provider s internal control s SAS reports are for the benefit of our client, their customers and their customers auditors only. Seite 14 7

8 Questions and Answers? Contact: Tamer Basman Seite 15 8