sample sas 70 type II report

SAS 70 | Surprise Examination | Internal Control Report for Investment Advisers

The SAS 70 auditing standard is sure to become a necessary element of the proposed changes for the Investment Advisers Act of 1940. The SEC released a draft of proposed changes regarding “Custody of Funds or Securities of Clients by Investment Advisers” (File No. S7-09-09). In short, this comprehensive document is proposing the use of “surprise examinations” and a “internal control report” on entities that have custody of client funds or securities or instead serves as a qualified custodian for client funds or securities.

Currently the “surprise examination” is discussed as a “written report from an independent public accountant” while the “internal control report” is being described as that of a SAS 70. At this point, what distinctions will be made, if any, between the auditing framework for the “surprise examination” and “internal control report” are not completely clear. More than likely, the SAS 70 auditing standard will be utilized for both the “surprise examination” and the “internal control report”.

You can obtain a sample SAS 70 Type II Report and list of sample custodial control objectives by visiting the SAS 70 Resource Guide.

SAS 70 Control Objectives for Investment Advisers | Custodial Operations

The SEC released a draft of proposed changes regarding “Custody of Funds or Securities of Clients by Investment Advisers” (File No. S7-09-09), calling for more oversight and controls over investment advisers or related persons who have custody of client funds or securities along with performing custodial duties and operations.

In short, the proposed changes will possibly require a “surprise examination” and an “internal control report” on these very entities that have custody of client funds or securities along with performing custodial duties and operations.

The proposed control objectives are as follows:

• Physical securities are safeguarded from loss or misappropriation;
• Cash and security positions are reconciled accurately and on a timely basis between the custodian and depositories, and between the custodian and accounting systems;
• Client-initiated trades are properly authorized and recorded completely and accurately in the client account;
• Securities income and corporate action transactions are processed to client accounts in an accurate and timely manner;
• Net settlement procedures for delivery and receive transactions are performed accurately;
• Documentation for the opening of accounts is received and authenticated, and established completely and accurately on the applicable system; and
• Market values of securities obtained from various outside pricing sources have been recorded accurately in client accounts.

If you want to learn more about these proposed changes and would like to receive a sample SAS 70 Type II report, then visit the official SAS 70 Resource Guide at sas70.us.com.

SAS 70 Certification | Expert Advice on Type I and Type II SAS 70 Audits

SAS 70 Certification is everywhere these days, or so it seems. From small start-up organizations to large multi-national corporations, many people have been hit by the SAS 70 bug. What’s also interesting to note are the vast differences you can see when comparing two SAS 70 reports. In short, no two reports look the same. Is this a good thing or something wrong with the auditing industry? It’s actually a little bit of both, to be honest. The good thing is that it allows auditors to customize the reports as they see fit for the client. The bad thing is that many times a SAS 70 audit does not conform to an acceptable scope or standards of testing for control objectives.

Either way, what you need to know about SAS 70 Type I and Type II audits is that the SAS 70 certification process (and by the way, use the word “certification” is technically incorrect, as a SAS 70 audit does not certify anything, rather you have complied with the auditing standard, thus it should be called “SAS 70 compliant”) is highly flexible, this based in part on the rather “flexible” auditing standards that are in place. So, you need to properly identify the scope of the audit, and by doing so, you ensure that your organization ends up receiving a quality SAS 70 Service Auditor’s Report.

As for scope, you need to identify a number of parameters, such as:
1. Is my organization doing a Type I or a Type II?
2. If a Type II, what is the test period?
3. Are there any business processes or functions to be tested in the audit, or is it just a general controls SAS 70
4. Where are the physical locations that are included in the scope of the audit?
5. What third party outsourcing entities that my organization is using are to be considered part of the scope of the audit?
6. Has my organization developed control objectives that are considered acceptable for testing by the auditors?

To learn more about SAS 70 audits or to receive a free sample SAS 70 Type II audit in pdf format, visit the official SAS 70 Resource Guide.