Introduction To Sas 70

Preface

"Type 1 Service Auditor's report" or "Report on controls placed on operation" are another formal terms for Type 1 SAS 70 audit". The motive of audit is to analyze the service organization's controls included in operation and verify whether the controls have achieved standard level in due period of time. Basically Type 1 audit report is summary for stated period of time. Cost factor is also dominant in lengthy Type 2 audits than Type 1 audits.

Outline

With a Type 1 Audit, auditors will conduct an examination of a service firm controls in order to determine:

Material provided by the service organization controls precisely reflect factors of the service organization's controls that are functional during the precise analysis period.

Whether the controls are sufficiently designed to provide assurances that implementations of these controls will comply with the specified control objectives

Audit report is compiled after completion of field work and will include following:

1. Report will must have Auditor's Opinion letter- Self dependent Service Auditor's Report
2. Report will have elaborated version of service organization's controls and services provided by the organization which is crucial factor. Descriptions will include:-

General controls and applications Documentation is must with Information and Communication System Overview for simple understanding
Procedures carried out for method monitoring
The Control Environment
Risk factors involved in methodology- Risk Assessment Process
User participation is considered by involving user control considerations to give access to user organization to be aware of controls accountable for user of the service.

3. Other relevant Information supplied by the management of the service organization such as management's feedback regarding the auditor's opinion

The Type 1 audit report is meant to provide information regarding a service organization's controls that are in place which may be relevant for the organization internal control with regard to financial reporting. Type 1 audit report can be used by service organization to maintain certainty with the Sarbanes-Oxley requirements (SOX)).

With Type 1 audit report, no testing is conducted to establish the operating efficiency of the reported controls. As such, it should be noted that the Type 1 audit report is not regarded as an acceptable substitute for actual practical testing of controls in relation to financial statement auditing or SOX compliance.

Extent of the Type 1 SAS 70 Audit

The SAS 70 auditing standard does not stipulate any specific set of controls that need to be examined when conducting a SAS 70 audit. Audit is custom made according to client service organization under auditing process. Therefore an inspection of the service organization's control that is specific to its services is necessary, as well as the IT controls that sustain these services.

Scope of audit is dependent on control objectives of service organization and even supporting control activities that authorize specific control objectives of client organization under scan.

Initial Deliverable

Main content of Type 1 SAS 70 audit report should include:
To gather all specific papers, information request list of client should be available before field work

Audit report should have 2 hard-copies
Audit report in soft copy in PDF format
A report that has detailed management recommendations as a result of the audit for internal consumption only

Parameters for Type 1 SAS 70 Audit
The following reasons are considerations for a service organization to conduct a Type 1 SAS 70 audit:

Requirement for a SAS 70 audit report to be delivered within a short period of time in order to fulfill a contractual or RFP requirement
The use of the SAS 70 audit report wholly for marketing concerns
Necessity for SAS 70 audit is to also include user organization support for Type 1 SAS 70 audit report
It should be very clear for Type 2 SAS 70 Audit sequel giving all information and creating certain path for next step
Where cost is the main determinant for choosing the type of audit to be conducted
Where the services provided by the service organization does not impact the financial reporting controls of its user organization directly.