SAS 70: Reports on the Processing of Transactions by Service Organizations

Article excerpt

The "expectation gap" SASs significantly changed auditing standards, but none more so than SAS 55. It has led to an extensive rewrite of SAS 44, Special-Purpose Reports on Internal Accounting Control at Service Organizations. After three years' work, SAS 44 is being replaced by SAS 70, Reports on the Processing of Transactions by Service Organizations.

SAS 70 comes into play when one entity obtains one or both of the following services from another organization:

* Executing transactions and maintaining related accountability; and

* Recording transactions and processing data.

The organizations contemplated include not only EDP service centers but entities such as bank trust departments and mortgage bankers. The guidance may also be relevant where another organization develops, provides and maintains software used by the user entity. The SAS also has several specific exclusions, such as banks processing normal demand deposit and checking transactions, and joint ventures. SAS 70 gives guidance to the auditor of the organization using the service (the user auditor) and to the auditor of the organization providing the service (the service auditor).

THE USER ORGANIZATION AUDITOR

The user auditor is required to obtain an understanding of the service organization's internal control structure to the extent necessary to plan the audit and assess control risk. Where the service organization merely records and processes transactions and the user organization retains authorization and maintains accountability, the user auditor may be able to obtain the required understanding without considering the service organization's internal control structure.

PLANNING THE AUDIT

SAS 55 requires the auditor to gain an understanding of a client's internal control structure, i.e., its control environment, accounting system, and control policies and procedures, sufficient to plan the audit. The portion of the client's internal control structure that resides at the service organization is included in this requirement. In gaining an understanding of the service organization's internal control structure, the user auditor should consider factors such as the following:

* The significance of the financial statement assertions that are affected by policies and procedures at the service organization;

* The inherent risk associated with the assertions affected by policies and procedures at the service organization;

* The nature of the services provided by the service organization, and whether they are highly standardized and used extensively by many user organizations or unique and used by only a few (user organizations frequently have systems custom built for them by service organizations; in that case it is more appropriate for the user auditor, rather than the service auditor, to review those controls);

* The extent to which the user organization's internal control structure interacts with policies and procedures at the service organization;

* The user organization's internal control structure policies and procedures that are applied to transactions affected by the service organization's activities;

* The terms of the contract between the user organization and the service organization, for example, their respective responsibilities, the extent of the service organization's discretion to initiate transactions, and other representations made by the service organization;

* The service organization's capabilities, including its record of performance, insurance coverage, and financial stability;

* The user auditor's prior experience with the service organization;

* The extent of auditable data in the user organization's possession; and

* The existence of specific regulatory requirements that may dictate application of audit procedures beyond those required to comply with GAAS.

The user auditor should also consider any available information in the user's possession about policies and procedures at the service organization, such as user manuals, system overviews, technical manuals, and third-party reports. …