|
SAS 70 Defined
Statement on Auditing Standards No. 70: Service Organizations (SAS 70) is an auditing standard issued by the American Institute of Certified Public Accountants (AICPA). It defines the standards necessary for an independent auditor to conduct an examination of internal controls at a service organization in order to issue a service auditor’s report (SAS 70 report).
SAS 70 reports are growing in popularity and are being used by customers, prospective customers, and financiers to gain an understanding of the control environment of outsourcing companies. Traditionally, the SAS 70 report was required by auditors of a company in order to assess those portions of the business that were outsourced to a third party. Recently, the SAS 70 report has also been used as a sales and marketing tool as many companies now require that a SAS 70 report be available prior to doing business with a service provider. The Sarbanes-Oxley act propelled the use of SAS 70 reporting as it required that public companies provide evidence of sound internal controls for outsourced portions of their business.
The Cadence Value
Proposition
The Cadence Group Value Proposition begins by employing experienced and knowledgeable professionals that have practical business and information technology experience. Our extensive experience allows us to fluently participate with numerous business groups and collaborate to develop effective and creative solutions. Our professionals also maintain structured guidance, and tactical strategies to meet and even exceed your needs. The Cadence Group has proprietary and innovative techniques to provide the customized required level of assistance that will effectively help you implement the necessary change to prepare for or issue a SAS 70 report as well as secure and optimize your business. In addition, we have proven experience developing and assessing very complex aspects of business and information technology. We can bring a unique perspective to assisting you because of our hands-on experience from an external perspective.
Cadence works with organizations seeking to capitalize on this opportunity to truly affect change within their organization's culture and support mechanisms. Change requires real acceptance of responsibility by business units for continued, proactive assessment of risk and controls. To deliver true change, we not only equip you and your business with leading methodologies, but also focus on crucial elements of change management and continuous knowledge transfer from our team members to you throughout the project.
We further believe the keys to any such innovation is management’s ownership and flexibility. Ownership will help create long-term success for the project and allow for understanding and accountability within the organization. Our flexibility allows you to depend on us at any time during the project for any needed assistance and to obtain the benefits you require.
To provide flexibility, we can support any resource with the related tasks necessary to complete each phase of the project. We can coach and train you and your staff in completing the work. We can also work with you to understand your requirements, timing restrictions, budgetary constraints and desired results to develop a solution that is right for you.
 top
SAS 70 Report Types
If you are an organization providing outsourcing services to a company, a SAS 70 report is the de facto standard in providing assurance of reliable internal controls. There are two types of SAS 70 reports that can be issued:
1.
Type I SAS 70 Report - A Type I SAS 70 report provides independent third party verification by a licensed CPA firm as to whether internal controls described by a service organization are suitably designed to meet specified control objectives, and expresses an opinion by the CPA firm as to the design of the controls at a point in time. A Type I report does not give assurance over a period of time, and is typically utilized for first-time issuers, as a pre-cursor to Type II report.
2.
Type II SAS 70 Report - A Type II SAS 70 report provides independent third party verification by a licensed CPA firm as to whether internal controls described by a service organization are suitably designed to meet specified control objectives, and expresses an opinion by the CPA firm as to the design and operating effectiveness of the controls over a period of time, typically six to twelve months in duration. A Type II report is what is expected by a service organization, and it’s auditors as the procedures are sufficient to replace the work they would otherwise have had to perform.
top
Cadence Service Offerings – SAS 70
A SAS70 audit allows a service organization to minimize the need for multiple auditors to assess a common set of processes. Using the SAS70, we can assist service organizations by providing a Type I or Type II report to help satisfy their customers. SAS 70 is now the standard for reporting on controls at a service organization, and many customers of service organizations now require a SAS 70 report. Whether you are new to a SAS70 or have been through the process, we can provide the following services:
1.
Readiness Assessment - For service organizations looking to issue a SAS70 or modify an existing report, our readiness assessment will guide you through the stages to becoming SAS70 compliant. The approach focuses on identifying, designing and documenting key processes, identifying control objectives and activities to satisfy customer requirements, and developing the template of the SAS70 report. We will customize our effort for particular facets of your service. This approach will prepare your business to pass the testing standards used by external auditors for SAS70 compliance.
2.
Attestation Audit - As a service provider with defined processes and controls, we can provide you with a SAS70 audit. Based on your needs, we can provide a Type I report on the design effectiveness of your controls or a Type II report on the operating effectiveness of your controls. At the conclusion of the engagement, we will work with you to finalize the report. This report will include an opinion from our CPA-licensed entity
top
Steps for a SAS 70 Attestation
1.
Initial Consultation / Define Expectations
- Gain an understanding of the business
- Define roles and responsibilities, project plan, and timeline
2.
Control & Process Advisory
- Gain understanding of key processes and systems
- Draft control objectives and document individual controls
3.
Review Framework
- Assist with management’s descriptions of controls
- Evaluate the suitability of control design
- Prepare Client Assistance Guide (CAG)
4.
Control Walkthroughs
- Perform and document control walkthroughs
- Provide guidance on areas of potential deficiency and remediation
5.
On-site Testing fieldwork
- Perform final control design evaluation as of a point in time (Type I)
- Perform control testing of the sample over the period of review (Type II)
6.
Reporting
- Provide final opinion on control design (Type I) or operating effectiveness (Type II)
- Issue final report
top
| 
