Many of our readers have asked for more information about Statement on Auditing Standards No. 70 (SAS 70). Given what appears to be growing confusion about SAS 70 and its relationship to controls over data security, processing integrity, privacy, confidentiality, and system availability that do not affect the accuracy of service users’ financial statements, we agree that the topic deserves to be revisited.
Fortunately, one of our staff writers, Sally Smoczynski, noticed an interesting and relevant article that we think serves this purpose. The article on SAS 70 was written by David McCann and recently posted on the CFO.com website. We think it provides the information about SAS 70 that some of our readers requested and, at the same time, clarifies what SAS 70 does and does not say about other topics often addressed on this website, such as information security, business continuity, network security compliance, and organizational risk management.
The article, entitled “The Truth About SAS 70”, provides a good deal of basic information to give our readers a better understanding of what a SAS 70 audit covers, what it represents, and where the future use and direction of SAS 70 audits are heading.
We believe the best reality check about SAS 70 is summed up in the following text quoted from that article:
“A SAS 70 audit is a check on a service firm’s controls over processes and systems that could have an impact on the accuracy of entries in its customers’ general ledgers. Audit firms and the American Institute of Certified Public Accountants (AICPA) are concerned that as more service providers trumpet their receipt of a clean SAS 70 audit, misunderstandings about what the reports truly address will result in the finger of blame (and the lawsuits that may follow) being pointed at auditors for failures that lie outside the scope of SAS 70.
“The way SAS 70 reports are being marketed, service organizations are implying a level of assurance and trust that simply doesn’t exist,” says Dan Schroeder, a partner with accounting firm Habif, Arogeti & Wynne and chairman of the AICPA’s Information Technology Executive Committee. “It is grossly over the top.”
There are two types of SAS 70 audits. Type 1 merely describes the services provided and the financial controls in place with regard to them. Type 2, which is where the controversy mainly resides, additionally offers an opinion as to whether there was reasonable assurance that the controls were operating effectively during a defined time period. Any broader claims about what a SAS 70 audit means are likely to be invalid.”
Another valuable aspect of the article is that it notes that SAS 70 is set to be replaced next June with Statement on Standards for Attestation Engagements No. 16 (SSAE 16).
It also states that, although SSAE 16 will differ in some respects from SAS 70, it will retain the same narrow focus on controls over systems and processes that influence the accuracy of journal entries for service firms’ customers.
Click here to read the entire article.
If applicable, please pass this information along to the CFO, organizational risk management, or enterprise risk management leadership in your organization.