SAS 70 Terms, Phrases and Helpful Definitions

Additional Information Provided by the Service Organization:

Also commonly known as "Other Information Provided by the Service Organization", is a section within a SAS 70 Type I or Type II report that allows service organizations to present other information that is not a part of the description of controls, thus, it is not covered by the service auditor's opinion.

Audit Scope:

The boundaries of the audit, that is, what activities, processes, procedures to include for testing during a SAS 70 Type I or Type II audit.

Audit Templates:

Generally speaking, these are pre-defined templates used by service auditors for general areas within an audit. They can create a level of efficiency for the audit, but their drawback is they may not be customized enough to meet the needs of a particular service organization.

Auditing Standards Board (ASB):

Created in 1978, the ASB is the senior technical committee designated by the American Institute of Certified Public Accountants (AICPA) to issue auditing, attest, and quality control pronouncements, standards and overall guidance to certified public accountants for non-public company audits.

(The) American Institute of Certified Public Accountants (AICPA):

The AICPA is the national association of CPA's in the United States. Its overall goal is to help promote the profession of public accounting. Visit www.aicpa.org for more information.

Elements of internal control:

Broadly speaking, these consist of the internal control elements as defined by The Committee of Sponsoring Organizations of the Treadway Commission (COSO) and as promulgated by Statement on Auditing Standards No. 55 (SAS 55)

Independent Accountant (or Service Auditor's) Report:

Also commonly known as the opinion letter, is a statement put forth by the service auditor discussing the examination procedures conducted for the audit and whether the controls were suitably designed to achieve the control objectives. Additionally, a clause is noted at the end of the document stating who the intended users of the report are. A variety of opinions can be rendered within the Independent Service Auditor's Report. Following the cover page, this is typically the first document seen in the SAS 70 report.

Information System:

This term is used to describe the user organization's "information system", that is, what services are being performed by the service organization that are considered a part of the user organization's "information system". Transactions, procedures (be it manual or automated), supporting information, the capturing of events and conditions-are all considered traits and activities that relate to, have an effect, and impact the user organization's "information system".

Internal Controls:

A process, affected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in various categories.

Management's Comments:

Recommendations, concerns, and/or general or specific "comments" given by the service auditor to the service organization subsequent to the completion of the Type I or Type II audit.

On-site fieldwork:

The activities conducted by the service auditor when they are at your physical locations conducting audit activities.

Sampling:

A portion of the population that is examined or tested for purposes of drawing conclusions.

Statement on Auditing Standards No. 44 (SAS 44):

SAS 44 is known as "Special-Purpose Reports on Internal Accounting Control at Service Organizations". SAS 44s were just that, special purpose reports, replaced by Statement on Auditing Standards No. 70 in 1992.

Statement on Auditing Standards No. 55 (SAS 55):

SAS 55 is known as "Consideration of Internal Control in a Financial Statement Audit." SAS 55 provides guidance on the independent auditor's consideration of an entity's internal control in an audit of financial statements.

SAS 70 Service Auditor's Report:

Though the phrase "Service Auditor’s Report" is technically the statement issued by the service auditor concerning the audit itself, it is commonly accepted by many to call the final deliverable for a SAS 70 the "SAS 70 Service Auditor’s Report".

Statement on Auditing Standards No. 70 Type I:

An audit conducted by the service auditor who then reports on controls placed in operation as of a specified date for a SAS 70 Type I.

Statement on Auditing Standards No. 70 Type II:

An audit conducted by the service auditor who then reports on controls placed in operation and tests of operating effectiveness for a SAS 70 Type II.

Statement on Auditing Standards No. 78 (SAS 78):

Statement on Auditing Standards No. 78 is known as "Consideration of Internal Control in a Financial Statement Audit: An Amendment to SAS No. 55." SAS 78 furthered the notion of an auditor's consideration of an entity's internal control when auditing financial statements by incorporating "Internal Control-Integrated Framework", published by the Committee of Sponsoring Organizations of the Treadway Commission, simply known as COSO.

Statement on Auditing Standards No. 88 (SAS 88):

Statement on Auditing Standards No. 88 is known as "Service Organizations and Reporting on Consistency." In 1999, the Auditing Standards Board issued Statement on Auditing Standards No. 88, which amended SAS No. 70, ultimately to help auditors determine what additional information they might need when auditing the financial statements of an entity that uses a service organization to process transactions.

Statement on Auditing Standards No. 94 (SAS 94):

Statement on Auditing Standards No. 94 is known as "The Effect of Information Technology on the Auditor's Consideration of Internal Control in a Financial Statement Audit." SAS 94 provides guidance to auditors concerning the effect of information technology on internal control, and on the auditor's understanding of internal control and assessment of control risk. Organizations are increasingly using IT in ways that affect their internal control environment and the auditor's consideration of internal control in a financial statement audit. As a result, circumstances may arise where auditors may need to perform tests of controls to perform an effective audit.

Service Auditor:

The auditor (i.e. CPA firm) that conducts the SAS 70 audit and reports on the controls of a service organization, which ultimately will be used by the user auditor in helping to plan and prepare for that user organization’s financial statement audit.

Service Organization:

The entity that is providing services to a user organization, with these services being part of the user organization's "Information System".

User Auditor:

The auditor (i.e. CPA firm) that conducts the financial statement audit on the user organization. These auditors rely heavily on SAS 70 audits from service organizations in helping plan and prepare for the user organization's annual financial statement audit.

User Organization:

The entity that has traditionally engaged a service organization to perform various services for them that are considered a part of the user organization's "Information System". User organizations are commonly publicly traded companies who have Sarbanes-Oxley requirements under the provisions of Section 404 of The Sarbanes-Oxley Act of 2002.