Type 2 SAS 70 Audit
Note: Effective June 15, 2011, all reports on controls at service organizations must be performed in accordance with SSAE 16 and/or ISAE 3402, at which point, the current SAS 70 audit reporting standard will no longer be utilized.
Overview
Officially known as a “Report on Controls Placed in Operation and Tests of Operating Effectiveness” or a “Type 2 Service Auditor’s Report”, a Type 2 SAS 70 audit provides independent third-party verification by a licensed CPA firm as to whether the control activities described by a service organization were suitably designed to meet specified control objectives and were in place and operating effectively over a period of time, typically at least six months.
Type 2 reports are generally required by service organizations’ user organizations and their user auditors. The major reason that Type 2 reports are preferred is that they are the de facto standard for using the work of a third party (e.g., SAS 70 Solutions) as a substitute for performing first-hand testing in conjunction with financial statement audits or Sarbanes-Oxley compliance. A Type 1 audit report may not be used for these purposes.
During a Type 2 audit, our auditors perform inquiry, observation, inspection and re-performance testing of the service organization’s description of controls so that an auditor’s opinion can be issued regarding:
- Whether the description of the controls prepared by the service organization presents fairly, in all material respects, the relevant aspects of the service organization’s controls that had been placed in operation as of the specified review date;
- Whether the controls were suitably designed to provide reasonable assurance that the specified control objectives would be achieved if those controls were complied with satisfactorily; and,
- Whether the controls that were tested were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives were achieved during the specified review period.
Following fieldwork, an audit report is issued that includes the following components:
- Independent Service Auditor’s Report (a.k.a. The Auditor’s Opinion Letter)
- The service organization’s description of controls, including a description of the service organization and its services. This section also includes a description of the control environment, risk assessment process, general and application controls, monitoring procedures, and an overview of information and communication systems. User control considerations are also inserted into the description of controls so that user organizations are aware of the controls for which they are responsible as users of the service.
- Detailed matrices containing a listing of the service organization’s control objectives, related control activities, tests of the control activities and testing results.
- Other information provided by management of the service organization, such as management’s response to testing exceptions. This unaudited section of the report is optional and does not appear in all reports.
Scope
The SAS 70 standard does not prescribe a specific set of controls that must be examined in conjunction with a SAS 70 audit. Rather, each audit is customized to the needs of the service organization undergoing the audit. This normally results in a need to examine controls that are specific to the service organization’s services, as well as the general IT controls that support those services.
In order to define the scope of an audit, the service organization must define the control objectives, and at a later point, the supporting control activities that allow the service organization to meet the objectives. SAS 70 Solutions provides extensive assistance in this process. However, the service organization ultimately accepts control objectives and the description of the control activities as its own.
Defining Control Objectives
The fundamental determination of the scope of an audit is the nature and extent of the control objectives defined by the service organization. These control objectives are the service organization’s way of asserting that it provides a certain level of control to its clients. For example, a service organization that desires to communicate the strength of its physical security controls might define a physical security control objective similar to the following:
“Control activities provide reasonable assurance that business premises and information systems are protected from unauthorized access, damage and interference.”
Control objectives are often formulated from reviews of contracts and service level agreements. These documents contain the commitments and descriptions of services for which the user organizations have a need to understand the underlying controls. Other control objectives are formulated based on inherent controls that should normally be found within the service being provided or on risk assessments performed by management. Other control objectives that may be considered for inclusion should generally be applicable to all user organizations that subscribe to the service. Areas for which service organizations have no obligation to provide controls may be excluded from the scope of the audit at the service organization’s discretion.
Defining Control Activities
If control objectives are the service organization’s assertion that a certain level of control is being achieved, the control activities are the evidence used to support that claim. Continuing with the example above, the service organization may identify many control activities that it has implemented for the purpose of achieving its physical security control objective. Such controls might include the use of a secured data center, security personnel, physical access controls and monitoring systems.
The combination of control objectives and control activities comprises the most critical information contained within any SAS 70 audit report.
Deliverables
The primary deliverables of a Type 2 SAS 70 audit include:
- Detailed project plan for the audit
- Comprehensive information request list allowing service organization personnel to gather documentation in advance of fieldwork
- The audit report delivered in hardcopy format
- The audit report delivered in secured PDF format
- An internal-use-only report containing detailed management recommendations resulting from the audit
- Draft press release language customized to the service organization’s audit
Who Should Consider a Type 2 SAS 70 Audit?
The following are characteristics of the typical Type 2 SAS 70 audit candidate:
- The service organization provides a service that has a direct and/or significant impact on the financial reporting controls of its customers.
- The service organization is contractually obligated to provide a Type 2 report to its customers.
- The service organization does not have an internal audit department and desires to use the SAS 70 audit, in part, as a quasi-internal audit of its operational and IT controls.
- The service organization provides significant services to publicly traded companies that fall within the purview of these customers’ Sarbanes-Oxley (SOX) compliance efforts.