SAS 70: new life for an old audit standard; Following Sarbanes-Oxley legislation, the standard governing internal controls for third-party providers is getting serious attention--a dozen years after it was issued.

Author: Gazzaway, Trent
Position: Internal Controls

For the past decade, a growing host of companies have sought to streamline their operations by outsourcing functions that, while necessary, do not draw on their core competencies. Increasingly, companies have sought to engage experienced third parties to perform such routine tasks as administering payroll, managing information technology, procuring goods and collecting cash, just to name a few.

A recent survey by Accenture found that nearly half of the respondents plan to outsource some portion of their procurement functions in the next three to four years. Yet, while this outsourcing trend can be a win-win for the company, the service provider and investors, it also adds a layer of internal control risk that must be considered in this Sarbanes-Oxley world.

To be sure, this internal control risk is not new. In fact, the American Institute of Certified Public Accountants (AICPA) went so far as to issue an audit standard designed to address this risk back in 1992. Statement on Auditing Standards (SAS) No. 70, titled simply Service Organizations, was and is the definitive standard by which user organizations (companies that use outsourced service providers) and their auditors can gain comfort that controls at the third-party service providers are adequate to prevent or detect a related material error that could impact the user organization's financial statements.

However, for a variety of reasons, the SAS 70 standard has often been misused, misapplied or ignored in the dozen or so years since its adoption.

SAS 70 -- A Tale of Two Types

SAS 70 allows the auditor of a third-party service provider (the "service auditor") to issue one of two different internal control reports, commonly called "Type I" and "Type II" reports. These two reports have very powerful, yet very limited, purposes. A Type I report only describes the controls in place at a service provider and assesses whether those controls are suitably designed.

Type II reports go one step further. The service auditor actually tests the controls in place and reaches a conclusion about whether they are operating effectively. This distinction is important, because the standard requires independent auditors of the service provider's customers (the "user auditors") to use these two reports in different manners.

User auditors can use a Type I report only to understand the third-party service provider's controls that impact their clients and to plan the audit work of their client's financial statements. Since...
