Posted by: Arian Eigen Heald
Admins and Auditors, IT audit, SAS 70, Security
So you have this report from the company you’ve outsourced a critical financial service to, and it looks like a lot of boilerplate with a chart of sorts at the end. What are all those sections for, and why should you care?
First, determine that the company performing the report is a certified public accounting firm. This is the only legal entity permitted to perform a SAS 70 type audit, regardless of whether it is a Type 1 or a Type 2. Other firms can perform SAS 70 “readiness assessments,” but not the SAS 70 exam itself.
The first page can tell you whether it is a Type 1 or Type 2 audit. The subtitle:
Report on Controls Placed in Operation
and Tests of Operating Effectiveness
Prepared in Accordance with
Statement on Auditing Standards No. 70
indicates a Type 2 by virtue of the statement “Tests of Operating Effectiveness.” If you’ve read a previous column, you know that a Type 2 looks at controls and tests those controls. That’s a Good Thing.
The next thing you should see on the first page is an indicator of when the controls were tested. The date range is commonly a year, but it can also cover a six- or nine-month period.
This means the auditors have tested controls over that time period to see if they were actually in place and effective.
Consider how long ago that date range was. Some organizations will attempt to use a SAS 70 report that is two or three years old. Regrettably, some auditors will take 4-6 months to issue a report, which can mean that what you're looking at has limited value. The longer the period since the actual test of controls, the less value the report has, because it cannot report on the current state of controls.