Guide to Understanding SAS 70 Reports

Transcription

1 Guide to Understanding SAS 70 Reports Authors: Norm Parkerson, Business Advisory Services Executive Director and Brett Williams, Business Advisory Services Partner In today s global economy, service organizations or service providers must demonstrate that they have adequate controls and safeguards when they host or process data belonging to their customers (user organizations). One of the most effective ways a service organization can communicate information about its controls is through a Service Auditor s Report prepared in accordance with Statement on Auditing Standards No. 70 issued by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA). This article is a guide to reviewing and analyzing SAS 70 reports. When it comes to understanding Statement on Auditing Standards No. 70 reports, more commonly known as SAS 70s, the age-old maxim, there are no dumb questions except those not asked has never been more applicable. But finding the right balance between asking too many questions and not enough can be a challenge. Either we ask too many uninformed questions and subject ourselves to being taken advantage of or we do not ask enough questions and run head first into the proverbial brick wall, standing up rubbing our heads and saying, I meant to do that. By obtaining a basic level of understanding on how to read a SAS 70, you can place yourself in a situation where you ask smart questions and can ultimately achieve greater insight into your service provider s business. SAS 70s, by design, are a means of auditor-to-auditor communication. A service organization s auditor generates a report on the organization s internal controls so that their customers and their customer s financial auditors can understand the control environment at the service organization. Regardless of how the reports are used, the ultimate burden of assessing your service organization s internal controls lies with you. With this in mind, the ability to identify the rudimentary truths and effectively use the information contained Key definitions in a SAS 70 becomes a requirement in order to understand its implications to your control environment. By not presenting the facts in layman s terms, the non-audit readers are often left wondering how to gain this understanding. Take the time to learn how to read a SAS 70 report and you will gain more knowledge and develop an insight into your service organization s business that cannot be achieved by depending on your auditor for interpretation. Trends impacting use of SAS 70 reports Increasing amount of outsourced activities Growth of outsourced service providers including: Payroll functions Data centers Accounting functions Third-party retirement plan administrators Third-party health care administrators Sarbanes-Oxley Act of 2002 requires reporting on the effectiveness of internal controls, including those relating to outsourced activities Service Organization: Company providing outsourced service Sub-service Organization: Company providing service to your service organization Service Auditor: Auditor performing SAS 70 review of the service organization User Organization: Organization receiving the outsourced service User Auditors: External auditors of the client organization receiving the outsourced service This article first appeared in College & University Auditor, Summer 2009

2 SAS 70 report basics SAS 70 reports come in two forms, Type I and Type II. The objectives of a Type I report are to provide reasonable assurance that: 1. A set of controls has been placed in operation as of a specified point in time 2. The description of those controls is fairly represented by management 3. The controls are suitably designed to achieve the control objectives specified by management The objectives of a Type II report are to provide reasonable assurance that 1. All of the objectives specified of a Type I report are met (see previous paragraph) and 2. Tests applied to specific controls identified by management demonstrate operating effectiveness of the controls for a specified period of time SAS 70 reports are comprised of four sections: I. The independent service auditor s report or the opinion section. II. Information provided by the service organization, typically a description of the overall control environment and the internal controls and control objectives related to the process being reviewed. III. Information provided by the service auditor, typically includes control objectives, control activities, tests performed and in the case of a Type II report results of tests. IV. Supplemental material provided by the service organization. I. Independent Service Auditor s Report (Opinion Section) The opinion section of the SAS 70 provides legitimacy to the SAS 70 report. This section describes the scope of the review and articulates the service auditor s opinion on the results of the review. This section provides a lot of information in a small amount of space. The first thing you need to determine is whether or not the SAS 70 report addresses the service organization s activities that are relevant to your organization. Typically, the first sentence of the opinion is going to explain, at a high level, the scope of the review. Pay particular attention to whether the report excludes certain locations, products and/ or services that might be of importance to your business. Secondly, readers of the SAS 70 report may not notice that the opinion may or may not apply to the service organization s own third party service providers (referred to as sub-service organizations). For example, a service provider may outsource its datacenter to a sub-service organization. Many times the scope of the report will not include a review of the control environment at the sub-service organizations. The opinion section will describe whether or not the controls at sub-service organizations are included or excluded from the review. If sub-service organizations are excluded from the review, you need to assess the risks posed to your organization related to the services provided by these sub-service organizations. If you deem one or more of these sub-service organizations important to your organization, you need to determine how you are going to gain comfort with the applicable control environments. You may be able to obtain a separate SAS 70 report from the sub-service organization. If not, you might consider conducting your own review of the controls in place at the subservice organization. Additionally, your external auditor may have to conduct an independent review of the controls in place at the sub-service organizations. Key difference: Type I vs. Type II Type I report does NOT include testing or an opinion related to the operating effectiveness of controls over a specified period of time. You should also consider influencing your service organization to expand the scope of their SAS 70 to include the subservice organizations in future reports. Thirdly, you need to determine whether the SAS 70 report is a Type I or a Type II report. Both Type I and Type II reports include two common components (opinions) and the Type II report includes an additional opinion. The common opinion components of the Type I and Type II reports are statements similar to these: 1. The accompanying description of controls of the Company presents fairly the Company s controls that had been placed in operation as of a point in time (i.e., March 31, 2007). This statement confirms that the service auditor has reviewed management s description of controls and believes that the controls are fairly described. Additionally, the service auditor is confirming that the controls were in place as of the specified date. If the report is a Type II report, this description section will describe the control environment as of the last day of the report period. 2

3 Key questions to ask yourself Scope: Does the report address the service organization s activities relevant to your organization? Sub-service organizations: Does the report include or exclude the control environment at important sub-service organizations? Type I vs. Type II: Is the report a Type I or Type II report? Period: Does the period reviewed satisfy the requirements of your organization and your external auditor? As such, if the service organization made changes to controls throughout the audit period, the new/revised controls may show up as exceptions in a Type II report since the controls may not have been operating throughout the period. 2. Controls are suitably designed to provide reasonable assurance that the specified Control Objectives would be achieved if the described controls were complied with satisfactorily and the user organizations applied the controls contemplated in the design of the Company s controls. This statement addresses what is referred to as suitability of design or design effectiveness. The service auditor has concluded that the service organization has the appropriate controls in place in order to achieve the Control Objectives included in the report. Because the Control Objectives are defined by management, as a reader, you will need to make sure that the Report contains appropriate control objectives to prevent, detect, and/ or mitigate the risks applicable to your organization. Also, note that this opinion assumes that the user organizations applied the controls contemplated in the design of the Company s controls. This statement assumes that the user organization has certain controls in place and that if your company does not have these controls in place, the Control Objective may not be properly designed and/or operating effectively. See the User Control Consideration Section for further discussion. The third opinion is applicable only to Type II reports and may be stated in language similar to this: the controls that were tested were operating with sufficient effectiveness to provide reasonable assurance that the related control objectives specified were achieved during the period from month, day, year to month, day, year. 3. If the above statement (3.) is absent from the report, you are reading a Type I report and its value to your organization is rather limited as it does not offer any assurance that the controls were operating effectively over a specified period of time. The Auditor s Report may list exceptions to the opinion for errors and/ or omissions that were identified during the Auditor s review and testing. Note that just because a Company has an exception does not mean that the report cannot be used by your organization. Exceptions in the opinion section are indicative of issues large enough to prohibit control objectives from being achieved. These exceptions are important enough that the Auditor believes that it rises to a level that the control objective is not designed effectively (applicable to Type I and Type II reports) or the control objective is not operating effectively (applicable only to Type II reports). Section III (Information Provided by the Service Auditor) of the report will disclose all material exceptions to specific control activities some of which do not result in the failure to achieve a specific Key points related to the opinion Generally, controls must be in place for a minimum of six months in order for the service auditor to opine on operating effectiveness. Scope is defined by the service organization not the service auditor. Control Objectives and related controls are defined by the service organization and not the service auditor. Generally, only exceptions that result in the failure to achieve a control objective are disclosed in the opinion section of the report. control objective. Such exceptions are not included in Section I (the opinion section) of the report. However, if you are using the SAS 70 to determine if specific controls are in place at the service organization, it will be more important to look at Section III which details testing of controls and the related results. So again, you must understand what risks you need to address in order to properly evaluate the content of the SAS 70 as it applies to your organization. II. Information Provided by the Service Organization (Management) The opinion section of the independent service auditor report cannot be distributed without management s description of the service organization s controls and in the case of a Type II report, details from the service auditor s test of operating effectiveness of the controls. The section immediately following the independent auditor s opinion is typically information provided by the service organization. In this section, the service organization can document a broad range of items, but at a minimum should include the description of the organizations internal controls related to the processes covered by the SAS 70. It should be noted that the information in this section is not necessarily in the scope of the SAS 70 report or tested by the service auditor. The reader must reference 3

4 the information provided by the service auditor (see Section III of a SAS 70 Report) to determine which controls were in scope for the SAS 70 report. The information provided by the service organization should primarily be used to describe the control objectives and corresponding controls. Control objectives are chosen by the service organization. The objectives should be chosen rationally and reflect the contracted obligations the service organization has to its clients. There should also be sufficient information provided so that the user organization can understand how the service organization s processing can be used to achieve compliance, financial reporting, and operational objectives. The section should also provide a description of the Information Technology (IT) environment including which systems are in use and the related IT general computer controls (ITGC) and objectives. ITGCs should include controls related to logical and physical access, program change control, operations and applicable application controls. Plans, such as disaster recovery and business continuity are not included because a plan cannot be a control. If a service organization chooses to include this type of information, it would be found in section IV of the report under supplemental material provided by the service organization. An important component of this section is referred to as User Control Considerations. This section of the report is straightforward but should not be overlooked. This section describes Key points related to information provided by management control activities that the service organization expects to be in place at the user organizations (your organization). These controls can be critical to the service auditor s opinion that the controls are suitably designed to achieve the stated control objectives. However, the service auditor does not perform test procedures to determine operating effectiveness of these controls. The user organization is responsible for ensuring that the stated controls are in place and operating effectively. You need to evaluate whether or not the stated user controls apply to your organization and determine whether or not the controls are in place and operating effectively. As an example assume that a service organization administers application security access for your organization. The service organization may include the following control activity as a user control consideration The user organization will review logical security access no less than semi-annually and notify the service organization of any additions, deletions, and / or changes to security access that need to be made. This user control consideration is stating that it is your responsibility to ensure that you conduct the semi-annual review as stated. It is your responsibility to obtain from the service organization the necessary information to conduct the stated review. Ideally, you would also have a mechanism (control) in place to ensure that the requested changes resulting from such reviews were in fact executed by the service organization. Information in Section II is provided by management, not the service auditor. Management s description of controls may include control activities that are out of scope and not tested by the service auditor. Control Objectives and related controls are defined by the service organization and not the service auditor. Generally, only exceptions that result in the failure to achieve a control objective are disclosed in the opinion section of the report. III. Information Provided by the Service Auditor (Control Objectives, Control Activities, and Tests Performed) Typically, control objectives (specified by the service organization not the auditor), descriptions of control activities (specified by the service organization not the auditor), descriptions of test procedures (performed by the auditor), and results of tests (performed by the auditor) are presented in a tabular format. Before you even begin to read this section, formulate your own list of control objectives and control activities that you think are critical to your control environment. Then you can map the control objectives and related controls specified in the report to your list of control objectives / control activities and perform a gap analysis. Perhaps the controls are in place but the service organization chose to exclude them from the SAS 70 review. Control objectives and related control activities may be excluded by the service organization for many reasons including: may not be in operation. Control activities may not be operating effectively. may be specific to only one (or a few) of the service organization s clients (customers) and the service organization wants the SAS 70 to apply to the majority of its clients (customers). may not be operating at the service organization because the related activities are outsourced to a subservice organization. may be totally dependent upon the user organization (your organization). may be too costly to include. 4

5 The key point here is that the scope of the SAS 70 (identification of control objectives and control activities) is defined by the service organization not the independent auditor. The service organization may exclude control objectives and related controls at their discretion without reason or explanation. You want to be sure that the control objectives and control activities that address risks that are important to your organization are adequately addressed by the SAS 70. If not, you should consider visiting the service organization to conduct your own evaluation of the gaps in the control environment that you identified in the aforementioned initiative. An alternative to performing the work yourself would be to engage a public accounting firm to conduct what is commonly referred to as agreed upon procedures at the service organization in an attempt to close the gaps. Once you have performed the above gap analysis, read and evaluate this section of the report. Just as you may have identified some missing control objectives and or control activities in the report you may identify some controls that do not apply to your organization. Key points related to user control considerations However, we would suggest that you do not ignore those items as the controls and test results could give you some insight into the overall control environment of the service organization. Read the control objectives and control activities with some degree of skepticism. Just because a control objective was achieved and no exceptions were noted by the independent auditor does not mean that you should be satisfied with the related control environment. You need to be sure that the control objective and control activities are clearly articulated to satisfy your expectations. Control objectives and related controls may be written so narrowly that your expected control is not really addressed in the SAS 70 report. For example: You may be looking for controls to provide reasonable assurance that access to applications and databases are appropriately secured. A related control activity may state Logical access granted to employees of the service organization is approved by the Supervisor of Computer Operations. The independent auditor tested the control and reported no exceptions. However, note that the control activity, as stated, only addresses access granted to employees of the service organization. What about controls related to access granted to nonemployees (i.e., contractors, sub-service organizations, temporary staff, employees of the clients/ customers, etc.)? Also, are you satisfied that the individual (i.e., Supervisor of Computer Operations) authorized to approve logical access to your environment is appropriate? When reading the description of Tests Performed by the Service Auditor, be sure that you are comfortable with the testing that was performed. Typical methodologies applied to testing are Inquiry Inspection Observation and / or Re-performance Be sure that the applied testing methodology is appropriate for the stated control. Pay special attention to tests where inquiry was the only test procedure performed. Typically, inquiry should not be the only method applied to testing controls. Ideally, controls tested via inquiry should also be tested via at least one other method (e.g. inspection, observation, and/or re-performance). The user organization (you) is responsible for ensuring these controls are in place and operating effectively at your organization. The service auditor does not opine on the operating effectiveness of these controls. You need to be sure that the service organization provides you the necessary information under their custody that is required for you to execute the stated controls. Key points related to information provided by the service auditor No tests of controls are conducted during a Type I review to ascertain whether or not the controls were operating over a specified period of time. The controls are only tested to obtain reasonable assurance that they controls were in place as of the specified date. Control Objectives and Control Activities are specified by the service organization, not the service auditor. You should determine what control objectives and related control activities you expect to see in the SAS 70 report. Identify gaps between your expectations vs. the actual SAS 70 report. Evaluate and discuss gaps with the service organization and take appropriate action to gain comfort that the control environment at the service organization is adequate. 5

6 When reading the test results, you should not just read the sections where the control objective(s) were not achieved. An organization (service organization) can fulfill the requirements for and receive an unqualified opinion (all control objectives were achieved) even though the service auditor identified exceptions during the test of controls. So read and evaluate each control objective and the related controls and make your own assessment of the control environment by applying your own judgment. Perhaps an exception was identified by the service auditor and the service auditor s judgment was that the control objective was still achieved. However, in your specific environment, you may consider the control activity to be critical to your control environment (e.g., your organization s risk appetite may not be aligned with the service auditor s risk appetite) and you may want to discuss the exception(s) with the service organization and or consider the effectiveness of any mitigating controls that may or may not be a part of the SAS 70 report. Management is requested to respond to each exception noted in the SAS 70. You should read management s comment and decide if you are satisfied with their response. Ideally, management s response will include a remediation plan. IV. Supplemental Information Provided by the Service Organization This section may include additional information that the service organization wants to disclose. Items such as a Disaster Recovery, Business Continuity Plan and Strategic Plan may be included. The reader should note that the service auditor renders no opinion on these topics. Conclusion The author, David Thoreau, points out, It takes two to speak the truth one to speak and the other to hear. By taking the time to read and understand the information provided in a SAS 70, you will have the ability to make sound decisions and develop incredible insight into your service organization s business. Use this guide to reading a SAS 70 to empower yourself to finding the answers needed to actively participate in protecting your company when dealing with outsourced service providers. Content in this publication is not intended to answer specific questions or suggest suitability of action in a particular case. For additional information on the issues discussed, consult a Grant Thornton client service partner. Grant Thornton LLP All rights reserved U.S. member firm of Grant Thornton International Ltd