Page 1: Internal Control Reports: Facts, Myths and Best Practices

PwC

Internal Control Reports: Facts, Myths and Best Practices

FIRMA National Risk Management Training Conference – San Francisco, CA, Wednesday March 31, 2010

Suzanne Faulkner, Partner, PricewaterhouseCoopers LLP

Page 2: Agenda

• Background Information and Overview
• Common SAS 70 Terminology
• SAS 70 Report Overview
• Evaluating a SAS 70 Report

Page 3: Background Information and Overview

Page 4: Significant Outsourced Operations

• Increasingly, U.S. companies (User Organizations) outsource parts of their operations, such as payroll, custodial services, claims processing, and data center operations, to other companies (Service Providers).
• Although a process has been outsourced, the User Organization remains responsible for the accuracy and integrity of the financial data associated with the outsourced process.
• The User Organization must understand the design and operating effectiveness of internal controls at the Service Provider and how those controls interact with its own.
• A SAS 70 report can be used to help reduce management’s need to perform independent evaluation procedures over the Service Provider’s internal controls.

Page 5: Statement on Auditing Standards (SAS) No. 70

• Statement on Auditing Standards (SAS) No. 70, Service Organizations, is an auditing standard developed by the American Institute of Certified Public Accountants (AICPA).
  − SAS 70 defines the professional standards used by a Service Auditor to assess the internal controls of a Service Provider and issue a report.
• A SAS 70 is a report prepared by an independent auditor on the internal controls at a Service Provider, for use by the customers of the Service Provider.

Page 6: Statement on Auditing Standards (SAS) No. 70

• A SAS 70 report answers one or both of the following questions:
  − Are internal controls designed effectively?
  − Are internal controls operating effectively for a specified period?
• A SAS 70 report is tied to internal controls over financial reporting and is not designed to provide assurance over other areas such as business continuity, privacy, or compliance with laws and regulations.

Page 7: Benefits to User Organizations

• SAS 70 reports have become common because they enable a Service Provider's customers to efficiently gain an understanding of the Service Provider’s internal control environment.
• As part of its assessment of controls for Sarbanes-Oxley 404, management can obtain and evaluate a Service Provider’s SAS 70 report and significantly reduce the need to test the controls in place at the Service Provider (and reduce the costs associated with independently testing controls).
• In addition, the User Organization’s external auditors (User Auditors) can use the report to gain an understanding of, and potentially place reliance on, testing of the internal controls at the Service Provider.
• Management should consider requesting a SAS 70 from third-party Service Providers that provide substantial services directly impacting internal controls over financial reporting.

Page 8: Benefits to Service Organizations

• A Service Auditor's Report with an unqualified opinion that is issued by an independent accounting firm differentiates the service organization from its peers by demonstrating the establishment of effectively designed control objectives and control activities.
• A Service Auditor's Report also helps a service organization build trust with its user organizations (i.e., customers).
• A Service Auditor's Report ensures that all user organizations and their auditors have access to the same information, and in many cases this will satisfy the user auditor's requirements.
• A SAS 70 engagement allows a service organization to have its control policies and procedures evaluated and tested (in the case of a Type II engagement) by an independent party.

Page 9: Common SAS 70 Terminology

Page 10: Common SAS 70 Terminology

• Service Organization/Service Provider: The entity (or segment of an entity) that provides services to the user organization.
• User Organization: The entity that has engaged a Service Provider and whose financial statements are being audited.
• Service Auditor: The independent audit firm performing the SAS 70 audit services.
• User Auditor: The auditor who reports on the financial statements of the user organization.
• Service Auditor's Report: The report issued by the service auditor expressing an opinion on whether the Service Provider’s internal controls are designed and operating effectively as of a specific date.

Page 11: Common SAS 70 Terminology

• User Control Considerations (UCC): Controls the Service Provider expects User Organizations to be performing. It is the responsibility of the User Organization to design and implement these controls.
• Coverage Period: Applies to a Type II SAS 70 and refers to the period of time during which the control objectives and related control activities were in place and tested for operating effectiveness (e.g., 10/1/05 to 9/30/06). Tests of controls are performed on a sample selected from the coverage period.
• Gap Period: The difference between the "as of" or "period end" date in the SAS 70 Report and the year-end date of the User Organization's financial statements. For example, if a SAS 70 Report's "as of" or "period end" date were 9/30 and the User Organization’s fiscal year end date were 12/31, the Gap Period, i.e., the period not covered by the SAS 70 Report, is three months.

Page 12: Common SAS 70 Terminology

• Control Activities: The policies, procedures and practices that are put into place to ensure that business objectives are achieved and risk mitigation strategies are carried out. Control activities are developed to specifically address each control objective and mitigate the risks identified.

Page 13: SAS 70 Report Overview

Page 14: SAS 70 Reports – Type I

Type I SAS 70 Report

Purpose is to answer the following question:

• Are the internal controls designed effectively to meet the stated control objectives, and were the controls in place as of a specified date?
  − Controls documented
  − No testing involved

Page 15: SAS 70 Reports – Type II

Type II SAS 70 Report

Purpose is to answer the following question:

• Are controls designed AND operating effectively over a six-month minimum period?
  − Controls documented
  − Controls tested to determine if operating as designed
  − Testing period must be at least 6 months

Page 16: Impact of Each Report

Type I SAS 70 Report:

• For informational use only, since no testing is performed.
• User Auditor cannot rely on the report during audit fieldwork.
• User Auditor is required to conduct their own tests of controls to gain assurance (i.e., visit the Service Organization).

Page 17: Impact of Each Report

Type II SAS 70 Report:

• Provides evidence of the effectiveness of controls.
• User Auditor can place reliance on the report during the planning and fieldwork phases of the audit.
• Additional testing by the User Auditor is not necessarily required.

Page 18: SAS 70 Report Format and Content

• Report of Independent Service Auditors – Contains the Service Auditor’s opinion letter and states whether the opinion is qualified or unqualified (also referred to as a “clean” opinion).
• Service Provider's Description of Controls – Prepared by the Service Provider and provides a narrative description of the processes and controls covered by the scope of the report.
• Information Provided by the Service Auditor – Contains the Service Auditor’s procedures and results (auditor's control tests and results).
• Other Information Provided by the Service Organization – Contains additional information not covered by the Service Auditor’s opinion, often disaster recovery/business continuity planning information.

Page 19: Report of Independent Service Auditors

• Written solely by the independent Service Auditor (“letter” format addressed to the Service Organization)
• Contains standard language for:
  − Specifying the scope of the SAS 70 review performed by the independent Service Auditor, including whether subservice organizations are included in the examination (“inclusive method”) or excluded (“carve-out method”);
  − Indicating whether internal control examination procedures extended to assessing design only (Type I) or included tests of operating effectiveness (Type II); and
  − Concluding on the description, design and operating effectiveness of internal controls
• Qualified Opinion: One or more control objectives were not achieved.
• Unqualified Opinion: “Clean” report. All control objectives were achieved.

Page 20: Service Organization’s Description of Controls

• Written by the Service Provider (with input from the Service Auditor)
• “Free format” (not standardized)
• Typically includes wording to define the purpose and scope of the report
• The bulk of the section is for management to describe the control environment and to define control objectives (may include process flows and control narratives)
• User Control Considerations (UCCs) are typically defined within this section and describe control activities that the Service Organization would expect its User Organizations to have in place in addition to the Service Organization’s controls defined within the report

Page 21: Information Provided by the Service Auditor

• The “meat and potatoes” of the report
• Typically in a matrix format that identifies the following for each specified control objective:
  − Control Activities: All in-scope control activities that, together, achieve the control objective (if designed and operating effectively);
  − Test Procedures: Validation procedures performed by the Service Auditor to determine whether the control activities operated effectively throughout the SAS 70 audit period;
  − Test Results: Results of testing (usually either “No Exceptions Noted” or “Exceptions Noted”); and
  − Management Responses: May include management’s responses to test exceptions

Page 22: Other Information Provided by the Service Auditor

• No requirements
• May contain any additional information that the Service Organization would like to disclose to its User Organizations
• Other information may include:
  − The Service Organization’s Disaster Recovery Plan
  − Other certifications (PCI, HIPAA, etc.)

Page 23: SAS 70 Report Types - Summary

Report Characteristics | Type I SAS 70 | Type II SAS 70
1. Independent Service Auditor's Opinion | Included | Included
   o Whether the Service Provider’s description of controls presents fairly, in all material respects, the relevant aspects of the Service Provider's controls that had been placed in operation as of a specific date. | Included | Included
   o Whether the controls were suitably designed to achieve specified control objectives. | Included | Included
   o Whether the controls that were tested were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives were achieved during the period specified. | Not Included | Included
2. Service Organization's Description of Controls | Included | Included
3. Information Provided by the Service Auditor (Service Auditor's testing, results of testing) | Optional | Included
4. Other Information Provided by the Service Organization (Section 4) | Optional | Optional
5. Tests of operating effectiveness for a period of time (usual minimum is 6 months) | Not Included | Included

Page 24: Report Responsibilities

• The Service Organization typically sponsors and pays for the audit.
• The Service Organization typically identifies:
  − Type of report (I or II) to be issued
  − The scope of the report
  − The control objectives and control activities to be documented and/or tested
  − Reporting period (6 months, 1 year)

Page 25: Report Responsibilities

• Service Auditors must agree on the control objectives and control activities.
• User Organizations can request a SAS 70.
• Service Organizations can initiate the report and use it as a marketing device to attract new customers (User Organizations).

Page 26: Evaluating a SAS 70 Report

Page 27: Key Components to Evaluating SAS 70 Reports

1. Assess Scope of Report
2. Evaluate Opinion and Exceptions
3. Map User Control Considerations
4. Address Gap Period
5. Document Management’s Assessment

Page 28: Assess Scope of Report

• Management should outline all of the significant operations that the Service Provider performs to help evaluate the sufficiency of the SAS 70 scope.
• Management should evaluate the report to ensure all significant areas are examined.
• If significant operations performed by the Service Provider are not included in the scope of the SAS 70 report, management must assess the impact and determine whether additional procedures are required.
• Additional procedures may include engaging Corporate Audit or another risk management function to gain an understanding of, and test, key controls over significant operations not covered by the SAS 70 report.

Page 29: Evaluate Opinion and Exceptions

• If the SAS 70 opinion is qualified on one or more control objectives, management should evaluate the impact of the qualification and assess whether mitigating controls exist within the user organization’s internal control environment to reduce the likelihood that a material error at the Service Provider would go undetected.
• Although the Service Auditor may issue an unqualified opinion, exceptions in testing may still exist and have an impact on the user organization. It is the responsibility of management to consider the nature and extent of any exceptions in the SAS 70 report:
  − Evaluate the implications of the exceptions and determine whether the exceptions relate to a key control for the User Organization; and
  − Consider the effect of any complementary controls at the User Organization that might mitigate the effect of the exception.

Page 30: Map User Control Considerations

• Typically included in Section II of the SAS 70 Report, UCCs are controls that the Service Provider expects the User Organization to have in place.
• Management should assess its actual controls against the UCCs identified by the Service Provider and identify any gaps.
• Management should evaluate and map the UCCs to key controls documented and tested to ensure the UCCs are adequately addressed by internal controls at the Company.

Example User Control Consideration | Example Key Control Mapping
Controls to provide reasonable assurance that application and script changes submitted to ABC Service Provider are authorized and approved. | Application and script change requests must be formally documented and approved by BU management before submission to ABC Service Provider. See control reference ISO.ABC.2.

Page 31: Address Gap Period

• The period between the “as of” date (Type I) or “period end” date (Type II) of the report and the user organization's fiscal year end is considered the “Gap Period”.
• Generally, the Gap Period should be less than six months.
• Management should determine whether additional procedures are required based on the Gap Period.
• Management may consider obtaining a memo from the service provider to address the Gap Period.

Page 32: Document Management’s Assessment

• Management’s assessment of the significance of the operations outsourced to Service Providers, and its evaluation of and reliance on a SAS 70 report from a Service Provider, should be formally documented.
• Key data to include in the assessment of the significance of outsourced operations are an inventory of the Service Provider relationships, the scope of services provided, and the availability and scope of a SAS 70.
• Key considerations for evaluating a specific SAS 70 include scope assessment, understanding and mapping any UCCs to key controls within the Company, and evaluation of any exceptions in the SAS 70 report related to key controls management relies upon, whether or not the exceptions resulted in a qualified opinion.

Page 33: Questions