White Papers provided by the SAS 70 Resource Guide

SAS 70 Audits: Why No Two Look the Same

One of the biggest complaints about SAS 70 reports is that one report can look completely different from another, which leaves the end user of the report unsure of what to look for. A notable end user of this audit noted that his company "does outsource many functions, such as payroll, employee benefit administration, and workers compensation claims...", and therefore relies heavily on SAS 70 reports, only to find that the audit reports look and feel different in so many ways, which is a real concern. SAS 70 reports showing up on anyone's desk with a great degree of variation is likely to continue, because the auditing standard itself allows it: SAS 70 gives auditors wide latitude in how they test, structure, compose and ultimately prepare the report. What user organizations can do to prepare for analyzing these reports is to create a checklist of the essential components they expect to find in every report. At a minimum, every report should contain a discussion of, and (if a SAS 70 Type II audit is being conducted) testing of, the service organization's internal controls in the following areas:

  • Control Environment
  • Risk Assessment
  • Control Activities
  • Information and Communication
  • Monitoring

These five items are commonly known as the five components of internal control (the COSO framework), and they form the cornerstone of the SAS 70 audit. They serve as the framework for examining, testing, and understanding a service organization's control environment for purposes of the audit. Each of these areas should contain a descriptive narrative detailing the policies, procedures, and all other related activities that make up that section. Some auditors do an excellent job of presenting this information, while others simply use boilerplate bullet points that read as vague and generalized, which gives rise to one of the many criticisms of SAS 70 audits. When reviewing a report, check that the narrative for each area describes what this particular service organization actually does, and not just what a control environment should look like in general.

Users Needing a Specific SAS 70 Audit

Another criticism of SAS 70 audits is that some are only general control reports, while others contain detailed, specific information about the service organization's business process and transaction processing environment. This leads many to assume that material has been left out of or omitted from a report. That is not entirely true: user organizations must tell service organizations what they require to be included in a SAS 70 audit beyond the scope of a general control report. Here is how it works: an integral component of any quality SAS 70 report should be an analysis of the service organization's business process and transaction processing activities. For example, if the service organization is a Third Party Administrator (TPA), what are the core process-driven activities undertaken, from beginning to end, from the time a claim is called in to the time the claim is paid and an EOB is sent out? Moreover, what are the systems, including hardware and software, and all interrelated information technology components that constitute the processing environment for those transactions? The same applies to payroll, 401k administration, asset investment, and medical records administration: the technique is the same for all of these fundamental business activities and the service organizations that perform them. Download a sample SAS 70 report to gain a better understanding of the contents of a report.

3 Reasons to Choose NDB, LLP

  • Cost-Effective, "Fixed-Fee" SAS 70 Audit Prices
  • Nationally Recognizable Firm with Years of Experience
  • Free SAS 70 Readiness Questionnaires for Audit Preparation

