Control Objectives archives - Regulatory Compliance, Governance and Security


Nov 20 2009   1:14AM GMT

SAS 70 and Business Continuity Planning (BCM) | What you Need to Know



Posted by: Charles Denyer

As a SAS 70 auditor, I’m often asked if Business Continuity and Disaster Recovery (or any of the other similar terms and phrases used) is part of the actual SAS 70 audit. In fairness, it is, even though “technically” it does not fall within the scope of a SAS 70 Type I or SAS 70 Type II audit. How’s that, you ask? Simple: according to the AICPA publication on Statement on Auditing Standards No. 70, “plans” such as BCDRP, BCM, etc. are not “controls,” and thus they are not considered to be part of the audit. Now, that’s the technical understanding. To be blunt, in today’s post-9/11 world, Business Continuity is very much part of any service organization’s critical infrastructure, and as such, many CPA firms actually “test” to ensure an organization has a Business Continuity plan and supporting documentation in place. And no, they don’t test the plan to see if it works; they simply validate that a documented BCM plan is in place.

In short, don’t be surprised if you find information in a SAS 70 Type I or Type II audit relating to BCM. It may be in the form of a control objective that was tested or it may simply be “additional information” provided by the service organization that is actually going through the audit.

To learn more about SAS 70 audits, visit the official SAS 70 Resource Guide.

May 30 2009   8:26PM GMT

SAS 70 Control Objectives for Investment Advisers | Custodial Operations



Posted by: Charles Denyer

The SEC released a draft of proposed changes regarding “Custody of Funds or Securities of Clients by Investment Advisers” (File No. S7-09-09), calling for more oversight and controls over investment advisers or related persons who have custody of client funds or securities along with performing custodial duties and operations.

In short, the proposed changes may require a “surprise examination” and an “internal control report” for those entities that have custody of client funds or securities and perform custodial duties and operations.

The proposed control objectives are as follows:

• Physical securities are safeguarded from loss or misappropriation;
• Cash and security positions are reconciled accurately and on a timely basis between the custodian and depositories, and between the custodian and accounting systems;
• Client-initiated trades are properly authorized and recorded completely and accurately in the client account;
• Securities income and corporate action transactions are processed to client accounts in an accurate and timely manner;
• Net settlement procedures for delivery and receive transactions are performed accurately;
• Documentation for the opening of accounts is received and authenticated, and established completely and accurately on the applicable system; and
• Market values of securities obtained from various outside pricing sources have been recorded accurately in client accounts.

If you want to learn more about these proposed changes and would like to receive a sample SAS 70 Type II report, then visit the official SAS 70 Resource Guide at sas70.us.com.