UNCW MSA 516 - Independent validation and assurance SAS 70

This preview shows page 1-2 out of 6 pages.


FEATURE STORY

Christopher C. Boutin

AT A GLANCE

> The AICPA's Statement on Auditing Standards No. 70, Service Organizations addresses CPA audits of service providers conducted to verify that a provider has adequate controls over its operations.
> Hospitals should request a SAS-70, the report produced by such an audit, from all of their third-party service providers.
> SAS-70s can be issued for a specific date or for a six-month period, and they typically consist of three sections: a CPA opinion, a description of controls, and information about the design of the controls.

want independent validation and assurance? ask for a SAS-70

If your organization is preparing to enlist (or currently uses) a third-party service provider to initiate a process or record transactions on its behalf, you should request a SAS-70 audit report.

The term SAS-70 is a shorthand reference to two types of service audit reports described in Statement on Auditing Standards No. 70, Service Organizations, an auditing standard developed and issued by the American Institute of Certified Public Accountants (AICPA), originally for use by CPAs. In basic terms, a SAS-70 is produced as a result of an audit performed by a CPA to report on the processing of transactions by a service organization.

Traditionally, these reports were intended for use by CPAs only. But following the enactment of the Sarbanes-Oxley Act of 2002, their use shifted, and SAS-70s are now commonly shared between service providers and their clients.

Today, hospitals and health systems most frequently request SAS-70s from computer service providers. Often, computer service providers will present these reports to hospitals with which they desire to do business as an indication that their controls have been audited, usually in the area of information services. The focus is most often on information services simply because hospitals are most likely to purchase these types of services from these types of providers.

The practice of having CPAs audit computer service providers for potential hospital clients did not begin with SAS-70s. In the past, a computer service provider might, on its own volition, hire a CPA firm to review its operations and verify for a hospital client that it had adequate controls over its data processes. More recently, however, the requirements of Section 404 of the Sarbanes-Oxley Act led to interest in the broader use of SAS-70s for this purpose.

When Should You Request a SAS-70?

Hospitals tend not to use third-party service providers to process routine transactions. However, like companies subject to regulation by the Securities and Exchange Commission, hospitals today use third-party service providers for many other purposes—as pension record keepers, payroll providers, transfer agents, claims administrators, and custodial banks, for example. Specific third-party service providers from which a hospital should request a SAS-70 include benefit administrators, market research firms, Internet service providers, group purchasing associations, investment advisers, application service providers, data centers, and investment fund administrators.

76 AUGUST 2008 healthcare financial management

In short, determining whether to request a SAS-70 starts with a simple question: "Where are we sending data (either manual or electronic)?"

SAS-70 Benefits

Given all of the regulatory and compliance challenges that hospitals face, it is critical for them to be aware of the internal controls in place at their third-party service providers. With such awareness, a hospital can be sure the service provider meets the hospital's needs and does not expose the hospital to needless risks. The primary benefit of a SAS-70 to a hospital is that it eliminates the need for the hospital to perform its own audit of each of its third-party service provider's internal controls—a potentially cumbersome process, in which the hospital's CPA might need to make numerous visits to and pursue multiple inquiries with each service provider.

With a SAS-70 from a third-party service provider, a hospital's CFO has a reliable CPA's validation of the third-party service provider's internal controls, and the SAS-70 in many instances gives the financial leader more information than the hospital could obtain if it performed an audit itself.

Meanwhile, a SAS-70 allows the third-party service provider to have one audit and share the results with all of its hospital clients.

But what if the third-party service provider is unwilling to provide a SAS-70? If the provider's services are potentially of great financial significance to the hospital, the hospital's CFO should assess the situation to determine whether to proceed with the relationship. Under SOX, the lack of a SAS-70 could be a reportable significant deficiency in internal control. For this reason, the hospital should negotiate a SAS-70 as part of a contract with a third-party service provider. A work-around solution should not be an option.

Report Types

There are two types of SAS-70s, both of which consist of at least three sections: a CPA opinion, a description of controls, and information related to the design of the controls.

A type I report is issued for a specific date. Specifically, the CPA firm examines a third-party service provider's controls on a given day, and reports on the processing of transactions and these controls for that day. This report is limited to an inquiry into and observation of the controls.

A type II report is issued for at least a six-month test period and is focused on the operating effectiveness of controls. Unlike a type I report, a type II report includes the results of the CPA firm's testing of the controls over the test period. The SAS-70 describes the method that the third-party service provider uses to handle security, hardware, software, employees, data, procedures, and policies. There is no standard format for a type II report; the format and the control objectives can vary with each report.

On receiving a SAS-70, regardless of which type, the hospital's CFO should thoroughly read the entire report, and not just peruse the summary, if one is provided. Having a full understanding of

ABOUT THE AICPA STATEMENT

Statement on Auditing Standards No. 70 (SAS-70), Service Organizations, is an auditing standard developed and issued by the American Institute of Certified Public Accountants (AICPA) for use by CPAs. Assisting the AICPA in developing the content for a

