Type 1 SAS 70 Audit
Note: Effective June 15, 2011, all reports on controls at service organizations must be performed in accordance with SSAE 16 and/or ISAE 3402, at which point, the current SAS 70 audit reporting standard will no longer be utilized.
Overview
Officially known as a “Report on Controls Placed in Operation” or a “Type 1 Service Auditor’s Report”, Type 1 SAS 70 audits provide independent third party verification by a licensed CPA firm as to whether control activities described by a service organization were suitably designed to meet specified control objectives and whether the controls were in place as of a specified review date.
During a Type 1 audit, our auditors perform specific procedures so that an auditor’s opinion can be issued regarding:
- Whether the description of the controls prepared by the service organization presents fairly, in all material respects, the relevant aspects of the service organization’s controls that had been placed in operation as of the specified review date; and,
- Whether the controls were suitably designed to provide reasonable assurance that the specified control objectives would be achieved if those controls were complied with satisfactorily.
Following fieldwork, an audit report is issued that includes the following components:
- Independent Service Auditor’s Report (a.k.a. The Auditor’s Opinion Letter)
- The service organization’s description of controls, including a description of the service organization and its services. This section also includes a description of the control environment, risk assessment process, general and application controls, monitoring procedures and an information and communication systems overview. User control considerations are also inserted into the description of controls so that user organizations are aware of controls that they are responsible for as a user of the services.
- Other information provided by management of the service organization, such as management’s response to audit opinions or marketing materials. This section of the report is optional and does not appear in all reports.
A Type 1 report is intended to provide user organizations and user auditors with information about the controls in place at a service organization that may be relevant to the user organization’s internal control over financial reporting. A Type 1 report, in conjunction with other information about a user organization’s internal control, may be utilized by the user auditor to obtain a sufficient understanding of the user organization’s internal control to plan their financial statement audit. The user organization may also use information contained in a Type 1 report to assess their compliance with Sarbanes-Oxley (SOX) requirements.
Unlike a Type 2 SAS 70 audit, no testing is performed to determine the operating effectiveness of the controls described in the report. Therefore, a Type 1 report does not provide user organizations or their auditors with a basis for reducing their assessment of control risk below the maximum level. A Type 1 report is not an acceptable replacement for first hand testing in conjunction with financial statement audits or Sarbanes-Oxley (SOX) compliance. For this reason, Type 2 reports are highly preferred by user organizations and their auditors. The Type 1 reports are generally used only for informational purposes and are meaningful because a licensed third party CPA firm verified the information contained in the report.
Scope
The SAS 70 audit standard does not prescribe a specific set of controls that must be examined in conjunction with a SAS 70 audit. Rather, each audit is customized to the needs of the service organization undergoing the audit. This normally results in a need to examine controls that are specific to the service organization’s services, as well as the general IT controls that support those services.
In order to define the scope of an audit, the service organization must define the control objectives, and at a later point, the supporting control activities that allow the service organization to meet the specified control objectives. SAS 70 Solutions provides extensive assistance in this process. However, the service organization is ultimately responsible for the specification of its control objectives and for its description of the controls.
Defining Control Objectives
The fundamental determination of the scope of an audit is the nature and extent of the control objectives defined by the service organization. These control objectives are the service organization’s way of asserting that it provides a certain level of control to its clients. For example, a service organization that desires to communicate the strength of its physical security controls might define a physical security control objective similar to the following:
“Control activities provide reasonable assurance that business premises and information systems are protected from unauthorized access, damage and interference.”
Control objectives are often formulated from reviews of contracts and service level agreements. These documents contain the commitments and descriptions of services for which the user organizations have a need to understand the underlying controls. Other control objectives are formulated based on inherent controls that are common to the services being provided or from risk assessments performed by management of the service organization. Control objectives that may be considered for inclusion should generally be applicable to a broad range of user organizations that subscribe to the services. Areas for which service organizations have no obligation to provide controls may be excluded from the scope of the audit at the service organization’s discretion.
Defining Control Activities
If control objectives are the service organization’s assertion that a certain level of control is being achieved, the control activities are the evidence used to support that claim. Continuing with the example above, the service organization may identify many control activities that it has implemented to achieve its physical security control objective. Such controls might include the use of a secured data center, security personnel, physical access controls and monitoring systems.
The combination of control objectives and related control activities comprises the most critical information contained within any SAS 70 audit report.
Deliverables
The primary deliverables of a Type 1 SAS 70 audit include:
- Detailed project plan for the audit
- Comprehensive questionnaires and an information request list allowing service organization personnel to gather documentation in advance of fieldwork
- The audit report delivered in hardcopy format
- The audit report delivered in secured PDF format
- An internal-use-only report containing detailed management recommendations resulting from the audit
- Draft press release language customized to the service organization’s audit
Who Should Consider a Type 1 SAS 70 Audit?
The following are characteristics of the typical Type 1 SAS 70 audit candidate:
- The service organization needs a SAS 70 report of any type to be delivered in a relatively short amount of time. Often, the need is related to fulfilling an RFP or contractual requirement.
- The service organization is not contractually required to have an audit performed and is considering the audit purely for marketing purposes.
- The service organization is required to undergo a SAS 70 audit, but the type of audit is not specified, and the service organization believes that its user organizations are likely to accept a Type 1 report.
- The service organization has never undergone a SAS 70 audit and has concerns over its ability to complete a Type 2 audit without exception, and therefore prefers to use the Type 1 audit as preparation for an eventual Type 2 audit.
- The service organization’s services do not have a direct impact on the financial reporting controls of its user organizations.
- Cost is the driving factor in choosing the type of audit to be performed, resulting in the selection of a Type 1 audit because of the decreased audit fees.