Yes and No. Service organizations are permitted to disclose their control objectives and activities in any manner they see fit. However, for a SAS 70 audit engagement to be of maximum benefit to the user organizations (i.e. customers) and their auditors, the service organization should disclose their controls in a manner that satisfies the user auditor's requirements. To do this, the service organization's description of controls should address five key components of internal control as defined in SAS No. 55, Consideration of Internal Control in a Financial Statement Audit:

  • Control Environment sets the tone of an organization, influencing the control consciousness of its people. The control environment is the foundation for all other components of internal control, providing discipline and structure.
  • Risk Assessment is the entity's identification and analysis of relevant risks to the achievement of its objectives, forming a basis for determining how the risks should be managed.
  • Control Activities are the policies and procedures that help ensure that management directives are carried out.
  • Information and Communication are the identification, capture, and exchange of information in a form and time frame that enable people to carry out their responsibilities.
  • Monitoring is the process that assesses the quality of internal control performance over time.

Since a user organization's auditors are responsible for obtaining an understanding of internal controls to plan the financial statement audit of the user organization, the service organization should attempt to provide its description of controls in a manner that covers the above five elements. Control objectives and control activities should also be organized in a manner that allows the user auditor to identify which controls support the assertions in the user organization's financial statements (e.g. existence, occurence, completeness, valuation, etc.). The service auditor performing the SAS 70 audit engagement is very often an excellent source in assisting with the development of control objectives.

If you need further information, contact us.

Comments are closed