Regulatory Compliance, Governance and Security:

type ii audit

May 10 2009   2:59PM GMT

COSO | SAS 55 | SAS 70 | SAS 78 | Understanding the Relationship



Posted by: Charles Denyer
coso, sas 55, SAS 70, sas 78, charles denyer, SAS 70 Type I, type ii audit, internal controls, aicpa, american institute of certified public accountants, The Committee of Sponsoring Organizations of the Treadway Commission

COSO is a widely used and accepted internal control framework in today’s growing corporate governance initiatives. It also features heavily in Statement on Auditing Standards No. 70 (SAS 70) audits.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework essentially defines internal control as a process, effected by an entity’s board of directors, management and other personnel. This process is designed to provide reasonable assurance regarding the achievement of objectives in effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations.

1. Internal control is a process. It is a means to an end, not an end in itself.
2. Internal control is not merely documented by policy manuals and forms. Rather, it is put in place by people at every level of an organization.
3. Internal control can provide only reasonable assurance, not absolute assurance, to an entity’s management and board.
4. Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.

What’s notable about the relationship between COSO and SAS 70 is COSO’s framework for internal control, which consists of the following five (5) broad-based themes:

1. Control Environment
2. Control Activities
3. Risk Assessment
4. Information and Communication
5. Monitoring

Many SAS 70 Type I and Type II audit reports will discuss, in narrative form, the five areas above, how they relate to the organization undergoing the SAS 70 audit, and what specific controls that organization has in place in relation to these five areas.

And let’s not forget the Statement on Auditing Standards (SAS pronouncements) that help bring these five internal control themes to light.

In 1988, the American Institute of Certified Public Accountants (AICPA) issued SAS 55, which describes internal control in terms of its three major components: control environment, accounting system, and control procedures. Shortly thereafter, the Committee of Sponsoring Organizations (COSO) released the following: Internal Control: Integrated Framework, in which internal control was characterized as five components: control environment, control activities, risk assessment, information and communication, and monitoring.

Thus, in 1995, the AICPA adopted COSO’s definition and its five components of internal control, issuing SAS No. 78 to supplement SAS No. 55.

So, you should now be able to clearly see the relationship between SAS 70 and COSO and the relationship between SAS 70 and other SAS pronouncements, specifically SAS 55 and SAS 78.

If you want to learn more about SAS 70 audits, visit the official SAS 70 Resource Guide.

Apr 30 2009   3:13PM GMT

SAS 70 Compliance | A Step-by-Step Process for SAS 70 Type I and Type II Audits



Posted by: Charles Denyer
sas70.us.com, sas 70 compliance, charles denyer, SAS 70 Type I, type ii audit, sas70 services, sas 70 readiness assessment

SAS 70 compliance is a multi-phased, process-based methodology that is undertaken by organizations seeking to become SAS 70 Type I or Type II compliant. As a SAS 70 auditor, I’m often asked what the SAS 70 audit process is, how long it takes, and what “bumps” in the road can occur. Thus, listed below are the major activities that must be carried out to ensure your organization is on the right path to SAS 70 compliance.

1. Choose a CPA firm that provides SAS 70 services on a fixed fee, not an hourly basis.
2. Identify the SAS 70 audit that must be undertaken: either a Type I or a Type II audit.
3. If a Type II audit is your goal, identify the “test period” for the audit.
4. Discuss the scope of the audit, that is, what “business processes” are being covered and what physical locations will have to be a part of the testing process.
5. Begin a SAS 70 Readiness Assessment phase. This helps further identify the scope of the audit along with highlighting any weaknesses in your control environment.
6. If necessary, conduct remediation activities that were identified during the SAS 70 Readiness Assessment.
7. Once the above phases are complete, start to discuss fieldwork testing and the collection of documents that the auditor will need to help facilitate the audit.
8. Ask the auditor for a list of items that will need to be collected prior to the audit fieldwork.
9. Plan and prepare accordingly with the auditors for fieldwork.
10. Once fieldwork is complete, findings should be reported to you from the auditing firm, allowing you to give answers to any exceptions found during testing.
11. Drafting of the report and a final closing meeting to discuss the report and findings ensue.

Visit the official SAS 70 Resource Guide to learn more about SAS 70 compliance.


Dec 31 2008   11:36PM GMT

SAS 70 Audit Reports | Learn About SAS 70 by Obtaining a Sample Report



Posted by: Charles Denyer
sas70, SAS 70, SAS 70 Type I, type ii audit

Many service organizations that have to undergo a SAS 70 Type I or Type II audit have never had the ability to see or read what a final report looks like after the audit has been completed. With this now available, service organizations can gain a greater understanding of the auditing standard, while also having an expectation of what the final report should look and “feel” like.

It’s one of the elements that was missing in the compliance industry, so we thought it was necessary and helpful to put forth an excellent example of a SAS 70 Type II service auditor’s report. And remember, because of the looseness within the auditing standard, no two reports are going to look exactly alike. Sure, there are slightly different variations of SAS 70 reports, but they should encompass and include most of the elements contained within our sample SAS 70, available to all who wish to read on and learn more about Statement on Auditing Standards No. 70.

Please take time to educate yourself on this highly used auditing standard by visiting a number of other areas on the website, such as the white papers section, the industry news section, and the “What is SAS 70” section.