UNCW MSA 516 - SAS 70 Audits

This preview shows page 1-2-3-4 out of 12 pages.


BENEFITS LAW JOURNAL 58 VOL. 20, NO. 1, SPRING 2007

An Introduction to SAS 70 Audits

Christopher G. Nickell and Charles Denyer

Statement on Auditing Standard No. 70 (SAS 70) is an internationally recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA) in 1992. This article offers an overview of the SAS 70 audit used to report on the “processing of transactions by service organizations,” which can be done by completing either a SAS 70 Type I or Type II audit. A SAS 70 Type I is known as “reporting on controls placed in operation,” while a SAS 70 Type II is known as “reporting on controls placed in operation” and “tests of operating effectiveness”.

SAS 70 COMPLIANCE GROWING

There are a number of reasons why more and more organizations (i.e., service organizations) are being asked to become SAS 70 compliant. Primarily, it stems from the growing surge of legislation, such as the passing of the following recent laws; the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Gramm-Leach-Bliley Act of 1999, but most notably, the Sarbanes-Oxley Act of 2002, Sections 404 and 302. Collectively, these three rulings advocate protection of privacy, corporate accountability and establishment of internal controls throughout organizations. Thus, a need was created in many industries for a due diligence process that can aggregate many of the principles found within these three acts and provide companies with a high level of assurance and confidence when using service organizations for outsourcing critical business functions.

Additionally, the overall growth in technology and its permeation into all layers of business has facilitated the growth of SAS 70 audits. IT facilities such as Internet Service Providers (ISPs), data warehouses, along with insurance and other health-related claims processing companies have grown exponentially in recent years.
Therefore, an audit process to ensure data integrity and all related transactions was needed. There is also a huge movement within the business culture of our nation, and globally, that data and all related IT transactions must be safe and secure at all times. Because such a heavy reliance is placed on computer systems, organizations are compelled now more than ever to ensure that data and all related processes and procedures are safe, secure, and IT controls are operating as designed, in an effective manner.

Christopher G. Nickell and Charles Denyer are senior managers with CPA firm DuPont & Morgan LLC. Christopher G. Nickell also serves as a part-time instructor of Accounting at Georgia State University.

As a result, SAS 70 audits are widely becoming known as the “de facto due diligence document” throughout the country and the world regarding the reporting on an organization’s internal controls that have the ability to impact financial reporting.

What Types of Industries and Organizations Have to Become SAS 70 Compliant?

Since the scope of SAS 70 audits has grown tremendously within the last few years, service organizations within almost every conceivable industry can be viewed as potential candidates for this type of audit. Here is just a partial listing of what we and many industry experts consider prime candidates for SAS 70 audits:

• Claims processing centers;
• Trust/benefit plan administrators;
• Data centers and co-locations;
• Application service providers;
• Payroll processors; and
• Internet service providers.

What Are the Advantages of Becoming SAS 70 Certified?

There are numerous advantages for both service organizations becoming SAS 70 certified and the users of SAS 70 reports.

Benefits to Service Organizations

An unqualified (i.e., clean) opinion from a SAS 70 service auditor’s report demonstrates that your organization has effective controls that are in place.
A Type I SAS 70 report would issue an unqualified opinion for a stated point in time (i.e., as of June 1, 2005), while a Type II report would also issue an unqualified opinion over a stated time period (i.e., for the period June 1, 2005, to November 30, 2005).

An additional benefit to service organizations is the ability to leverage SAS 70 certification into a market differentiator against existing competitors who are vying for outsourcing contracts from user organizations. Becoming SAS 70 compliant also greatly decreases business interruption incidents by effectively removing the possibility of sporadic audits throughout the year for the sole purpose of satisfying requirements set forth by user organizations.

Benefits to User Organizations

Ultimately, user organizations are able to gain a greater understanding and assurance of the internal controls in place at service organizations. SAS 70 certification signifies that service organizations have taken proactive steps in developing and implementing numerous controls throughout the identified platform being used to process transactions for user organizations. Furthermore, SAS 70 Type I and Type II reports assist external auditors for user organizations by cutting down on the time and costs of having to inquire on controls at service organizations.

WHY SAS 70 AUDITS ARE UNIQUE

Because of the unique nature of what is allowed to be included in a SAS 70 report, auditors have implemented an exhaustive list of policies, procedures, and related controls that must be examined for this type of engagement. Therefore, what makes this type of audit superior to any other type of internal control review is quite simply the scope of the engagement and the voluminous amount of information included in the final service auditor’s report.
While IT security consultants focus primarily on general and application controls when conducting their assessments, SAS 70 auditors emphasize these features, and many more, such as operational and Human Resource issues, along with physical security guidelines and business continuity plans in the unlikely event of a business interruption disaster. In essence, the greater the scope, the more meaningful and useful the document is. And this is what makes SAS 70 superior to any other internal control review procedure.

Only a certified public accountant (CPA) or accounting firm can sign off and issue a SAS 70 Type I or Type II service auditor’s report. While

