SAS 70




In the past year or more, there has been a significant increase in the demand for reports on internal control at service organizations from companies that receive services from such providers. Typically, the service organizations are asked to provide a service auditor's report as defined in Statement on Auditing Standards (SAS) No. 70, Service Organizations, which provides guidance to CPAs on (1) reporting on aspects of a service organization's internal control that are relevant to users of the service organization and (2) using a service auditor's report (referred to below as a SAS no. 70 report). Much of the increase in demand for such reports is associated with section 404 of the Sarbanes-Oxley Act and with increased awareness of how dependent companies are on their service organizations.

From our interaction with many information technology service organizations over the past two years, we have observed that service organizations often are not fully aware of the purpose and objectives of SAS no. 70 reports, or of other reporting options that may better serve their organizations, customers and prospects.

Therefore, the purpose of this article is to:

  • Describe the circumstances in which it is appropriate for a service organization to engage a service auditor to perform a SAS no. 70 engagement.
  • Discuss factors the service provider should consider when deciding whether to engage a service auditor to perform a SAS no. 70 engagement.
  • Summarize an alternative engagement and related report that may fulfill customers' report requests.

SAS 70: Key Terms and Objectives
The following terms are important to help CPAs understand the purpose and objectives of a SAS no. 70 report:

  • Controls. Paragraph 6 of SAS No. 55, Consideration of Internal Control in a Financial Statement Audit, defines "internal control" as a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
    1. Control environment
    2. Risk assessment
    3. Control activities
    4. Information and communication
    5. Monitoring
  • Restricted-use report. A SAS no. 70 report is a "restricted-use" report intended for use by the service organization, user organizations and user auditors. SAS no. 70 reports are not appropriate for use by prospective customers.
  • Service organization. The entity (or segment of an entity) that provides services to a user organization that are part of the user's information system.
  • Service auditor. The auditor who reports on controls of a service organization that may be relevant to a user organization's internal control as it relates to a financial statement audit.
  • Service organization controls. Controls at a service organization that may be a part of a user organization's information system in the context of an audit of the user's financial statements. They do not include service organization controls that are not relevant to a user organization's information system.
  • Type I report (a report on controls placed in operation). A service auditor's report on (1) a service organization's description of controls that may be relevant to user organizations' internal control as it relates to an audit of financial statements, (2) whether such controls were suitably designed to achieve specified control objectives, and (3) whether the controls had been placed in operation as of a specific date.
  • Type II report (a report on controls placed in operation and tests of operating effectiveness). The service auditor's report addresses:
    • the same conclusions addressed in a Type I report, and
    • whether the tested controls were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives were achieved during the specified period.
  • User organization. The entity that has engaged a service organization and whose financial statements are being audited.
  • User auditor. The auditor who reports on the user organization's financial statements.

Objectives of a SAS 70 Report
The SAS no. 70 report was designed to enable user auditors to obtain an understanding of controls over activities, processes and functions performed at a service organization that are part of a user organization's information system. AICPA generally accepted auditing standards require auditors to obtain an understanding of an entity's internal control sufficient to plan the audit. This understanding should encompass controls placed in operation by the entity and by service organizations whose services are part of the entity's information system. If the user auditor determines that the service organization's controls are significant to the user's internal control, the user auditor should gain a sufficient understanding of these controls to plan the audit (as required by SAS no. 55, Consideration of Internal Control in a Financial Statement Audit, as amended). (Note: SAS No. 55 will be superseded by a new standard in early 2006.) The user auditor can gain this understanding by performing specified procedures at the service organization or, if a service auditor's report is available, by reading the service auditor's report, the description of controls, and the results of the service auditor's procedures. The user auditor should link controls at the service organization to assertions in the user organization's financial statements, and should read the service auditor's report to make sure it addresses the controls that are relevant to the specific service provided to the user organization.

Applicability Criteria
Exhibit 1 provides the AICPA criteria CPAs should use to determine when a service organization's services are part of an entity's information system. It also includes examples of service organizations to which the criteria may apply.

Exhibit 1: AICPA SAS 70 Applicability Criteria and Examples
A service organization's services are part of an entity's information system when they affect any of the following (an example service organization follows each criterion):
  • The classes of transactions in the entity's operations that are significant to the financial statements. Example: fund administrator.
  • The procedures, both automated and manual, by which the entity's transactions are initiated, recorded, processed, and reported from their occurrence to their inclusion in the financial statements. Example: insurance claims third party administrator.
  • The related accounting records, whether electronic or manual, supporting information, and specific accounts in the financial statements involved in initiating, recording, processing and reporting the entity's transactions. Example: payroll service provider.
  • How the entity's information system captures other events and conditions that are significant to the financial statements. Example: application service provider (order management).
  • The financial reporting process used to prepare the entity's financial statements, including significant accounting estimates and disclosures. Example: outsourced accounting services.

Impact of Sarbanes-Oxley on SAS no. 70
Section 404 compliance requirements focus on the control environment associated with financial reporting. Given that SAS no. 70 applicability standards pertain only to controls over financial reporting, Sarbanes-Oxley should have had only minimal impact on the number of SAS no. 70 requests made to service organizations. In practice, however, the management of user organizations has often requested SAS no. 70 reports when the service provider does not provide financially relevant services (that is, the outsourced activities, processes and functions are not significant to the user organization's internal control over financial reporting). We know service providers that provide no direct or indirect financially related services, and yet have received requests, presumably related to Sarbanes-Oxley, from half a dozen or more users for a SAS no. 70 report.

Factors in Responding to a SAS no. 70 Request
Since a SAS no. 70 report is not always appropriate, the service organization should carefully consider several factors to determine how to respond to requests to provide such a report. Factors the service organization should consider include:

  • Why is the report being requested?
  • Is the report being requested on behalf of the user auditor?
  • Do the services provided by the service provider affect the user organization's financial statements?
  • If the services do affect the user organizations' financial statements:
    • How many user organizations receive these services?
    • What would the impact be of not providing a SAS no. 70 report? Is there a potential to harm the business relationship? If not, would the user auditors be prepared to perform procedures at the service organization in lieu of using a SAS no. 70 report?
    • How many service auditors would need to conduct procedures at the service organization and is it feasible for the service organization to host these visits?

In summary, there is not a one-size-fits-all approach to responding to SAS no. 70 requests; each situation is different depending on responses to the above issues. At a minimum, before agreeing to provide a SAS no. 70 report, a service organization should confirm that such a report is appropriate based on the guidance in SAS No. 70. As outlined below, an attestation report may be more useful to the service organization and its clients.

Exhibit 2: SAS 70 mini case study: The JK Group
The JK Group is a provider of administrative outsourcing services for employee-assisted giving programs. The JK Group provides clients an environment of well-established fiduciary procedures and controls for all programs administered on their behalf. The group's services provide fiduciary controls for over $500 million associated with 400 philanthropic programs for 185 of the most prominent companies in the United States.

During the past several years, the JK Group has grown at approximately 20% per year. In the last few years, many of its clients requested SAS no. 70 reports or periodic audits of operational procedures to confirm controls were deployed consistent with contractual agreements.

In 2004, JK had a SAS no. 70 Type I report prepared. Since then it has distributed this report to over 65 clients. The group believes that having the SAS no. 70 report has significantly reduced the requests for onsite operational audits, as well as improved its clients' perception that the group's controls are effective.

Service Organizations that Don't Meet SAS 70 Applicability Criteria
Many service organizations provide services their clients depend on for normal operations, yet those services have no effect on the user organizations' financial statements. Examples might include:

  • A provider of a communications gateway that bridges clients' back-office applications and remote wireless applications.
  • Providers of data management, storage, and retrieval services.
  • A provider of data intelligence and analytical reporting (e.g., insurance claims monitoring).

Clients of these service organizations often need assurance that the organization has effectively designed and deployed controls to ensure appropriate security, availability, processing integrity, privacy and confidentiality. For these reasons, the AICPA, in conjunction with the Canadian Institute of Chartered Accountants (CICA), designed the Trust Services (SysTrust and WebTrust) program.

Attestation report. A report that follows the AICPA Statements on Standards for Attestation Engagements (SSAE). In general, under an attestation engagement, the CPA firm reports on the client's representations (e.g., that the service organization's controls over the services provided were operating effectively to meet specified criteria) and on whether the description of the controls is fairly presented.

Exhibit 3 summarizes the AICPA Trust Services (SysTrust and WebTrust) principles and criteria. The Trust Services program provides CPAs with detailed evaluation criteria to assess the design and operating effectiveness of controls across the five categories of control principles outlined in Exhibit 3. The following summarizes the evaluation criteria for all Trust Services principles with the exception of Privacy, which follows a separate framework:

  • Policies. The entity defines and documents its policies associated with the particular principle.
  • Communications. The entity communicates the defined policies for the particular principle to personnel responsible for administration of those policies.
  • Procedures. The entity uses procedures to achieve its documented objectives for the particular principle in accordance with policies for that principle.
  • Monitoring. The entity monitors the system and takes action to maintain compliance with its defined policies for the particular principle.

Exhibit 5 compares the SAS no. 70 and SysTrust reports.

Exhibit 3: AICPA Trust Services Principles and Criteria
Each of the five principles below is evaluated against the four criteria of Policies, Communications, Procedures and Monitoring.
  1. Security. The system is protected against unauthorized access (both physical and logical).
  2. Availability. The system is available for operation and use as committed or agreed.
  3. Processing integrity. System processing is complete, accurate, timely, and authorized.
  4. Privacy. Personal information is collected, used, retained, and disclosed in conformity with the commitments in the entity's privacy notice and with the AICPA/CICA Trust Services Privacy Criteria.
  5. Confidentiality. Information designated as confidential is protected as committed or agreed.

Attestation reports can create real business value. For many service organizations, SOX has created a governance environment in which a SAS No. 70 report is no longer an option. Service organizations are finding that selecting the right approach to assurance reporting can strengthen not only their financial and operational controls, but their business relationships as well. In our experience, service organizations can create real business value when they use assurance reports as a vehicle to drive excellence into their financial or operational controls. The actual assurance report is simply a by-product of their excellent controls environment, not the end goal.

The following are steps the service organization can take to ensure the assurance reporting initiative is successful and creates business value:

  1. Accept the fact that this is simply a cost of doing business today. Just like companies faced with section 404 compliance, the service organization needs to accept that this may be expensive and may not have an immediate tangible payback. Instead, it should approach this as something of strategic importance.
  2. Understand any real or perceived control dependencies customers (or prospects) may have on services provided (financial, operational, security and the like).
  3. Identify constituents that are dependent on controls at the service organization (e.g., user auditors, user organization's operational management) and the controls relevant to them.
  4. Understand the most appropriate assurance reporting option (SAS no. 70 or Trust Services) for the targeted audience and for the relevant controls.
  5. Understand how the methodology for the chosen assurance report can be leveraged to most effectively design an overarching controls framework. Using the SAS no. 70 methodology, the service organization constructs a controls framework, whereas the Trust Services methodology prescribes a specific controls framework that can be tailored to the service organization.
  6. Use a sustainable, proven approach to institutionalize excellence into the financial and/or operational controls framework defined in step. The service organization should consider approaches commonly used for section 404 compliance that focus on entity- and activity-level controls, emphasizing both design and operational effectiveness.
  7. Engage a service auditor (experienced with the chosen assurance reporting option) to execute the reporting (assuming the relevant controls environment is properly defined and operationally effective).

Reference sources:
  • AICPA Audit Guide, "Service Organizations: Applying SAS No. 70, as Amended."
  • "Trust Services: A Better Way to Evaluate IT Controls," Journal of Accountancy, March 2005.
  • AICPA Guide, "Understanding and Implementing Trust Services," 2004.

Exhibit 4: SysTrust mini case study: Antenna Software

Antenna Software extends "run-the-business" data, processes and applications in real time to any mobile device over any network, worldwide. Combining hosted services, software and an integrated development environment, its mobility solutions are straightforward to implement and simple to manage and use. Because Antenna's solutions are delivered on demand, the highest levels of security, availability, transaction integrity and data confidentiality are critical to the overall system architecture. Antenna had received several requests from its clients and prospects to provide a SAS no. 70 report. After detailed consideration of both SAS no. 70 and SysTrust attestation reporting options, Antenna's management determined that the SysTrust report aligned more closely with its customers' control requirements and would, in fact, be more relevant. Antenna also concluded that the Trust Services principles and criteria could be leveraged to strengthen and streamline its control environment as well. "We process sensitive message transactions for many of the world's most demanding customers in industries such as financial services, medical devices and security and detection systems. But we had a dilemma," said CFO Bill Korn. "Our existing customers knew the rigor with which we safeguarded their information, but we needed a way to prove this to prospective customers as well." Korn added, "We concluded a SAS no. 70 report wouldn't provide the same objective benchmark as a SysTrust attestation. It would tell an auditor we were following our own procedures, but it wouldn't say we were following best practices as determined by an objective outside party. A SysTrust attestation provides an objective benchmark and is designed for a wider audience. We feel security, online privacy, availability, confidentiality and processing integrity are competitive advantages, and welcomed the chance to get independent feedback."

Exhibit 5: Comparison of SysTrust to SAS 70 Type II Report

Intended audience for the report
  • SAS no. 70: SAS no. 70 reports are restricted-use reports intended for the service organization, customers of the user organizations, and auditors of the user.
  • SysTrust: SysTrust reports are intended to be general use reports.

Objectives of the engagement
  • SAS no. 70: Provide user auditors with information about controls at the service organization that may affect assertions in the user organizations' financial statements.
  • SysTrust: Provide third-party assurance as to the adherence and effective operation of a defined system's controls against established criteria for one or more of five principles, namely security, online privacy, availability, confidentiality and processing integrity.

Types of systems and controls addressed by the engagement
  • SAS no. 70: The system that produces the information included in the entity's financial statements. Coverage is for controls at the service organization that affect user organizations.
  • SysTrust: The system may be any defined financial or non-financial system. Coverage is for controls related to any financial or non-financial system by specific subject matter, namely security, online privacy, availability, confidentiality and processing integrity.

Business continuity and contingency planning reporting restrictions
  • SAS no. 70: Identifying and testing the operating effectiveness of such controls that could affect processing in future periods is not permitted. Control objectives relating to business continuity and contingency planning are not allowed in the description of controls in the auditor's report under SAS no. 70.
  • SysTrust: Criteria relating to business continuity and contingency planning are included within the availability principle and can be reported on.
