Type I audits include an examination of controls that have been placed in operation and how those controls achieve the specified control objective for a stated period of time. Generally speaking, the costs and completion time for a SAS 70 Type I audit are lower than those for a Type II audit. Service organizations that generally have a Type I audit performed include those that have never had a SAS 70 performed compliance quickly, without having to undergo a longer audit process, such as that for a Type II.
A Type I report is issued only for a particular date. For example, a certified public accounting firm would examine a company’s controls and report on the "controls placed in operation" for a specified point in time, such as June 1, 2008. A fair amount of criticism of SAS 70 Type I audits has centered on their limited testing period, which many feel is inadequate to gain a sufficient understanding of a service organization’s control environment. As such, Type II audits are considered the viable choice, though they too have come under criticism for various reasons. Type I audits are beneficial in many ways, such as laying the framework and foundation for subsequent Type II audits in future periods, along with giving the service organization an understanding of expectations and time commitments for regulatory compliance auditing. Please note that completing consecutive Type I audits is typically rare, does not suffice for Section 404 of the Sarbanes-Oxley Act of 2002, and ultimately does not provide user organizations with the assurances they are seeking.
Performing a SAS 70 Type I audit is a structured, multi-step process, which includes a number of predefined processes and procedures that must take place to ensure its successful and timely completion. Generally, successfully completing a SAS 70 Type I and then moving towards Type II compliance for subsequent years is the most common path many service organizations choose to undertake when considering a SAS 70 roadmap for compliance that has long-term value.
SAS 70 Type II Testing Period Considerations
Type II audits include an examination of controls that have been placed in operation and testing of operating effectiveness. Testing of controls is required for Type II audits, with a minimum testing period of six months. Testing is conducted at various predetermined timeframes throughout the six-month period, and in a manner that significantly mitigates any type of business interruption. However, other factors and circumstances can lead to a shorter testing period, such as four (4) months, or a longer testing period, such as ten (10) months. Many times, the test period is driven by external auditor requirements and user organization demands, along with the service organization's financial and operational concerns in undertaking the audit itself. For example, a user organization is often notified by its external auditors (user auditors) that one of its outsourced providers (service organization) conducts transaction processing activities that affect the user organization's "information system". When this happens, a dialogue among all parties will ensue, with the testing period being a paramount topic. It's just one of many scenarios that can decide the testing period of the Type II audit.
A Type II report is issued after a generally accepted period has been completed. For example, an accounting firm would examine a company's controls from June 1, 2007 to November 30, 2007 and report on the "controls placed in operation and tests of operating effectiveness" for the six-month test period of the audit.
Type II compliance can be attained by following the most common approach, whereby service organizations undergo a Type I audit, then move towards Type II compliance for subsequent years. However, due to factors stated earlier, such as varying financial statement reporting time periods for publicly traded corporations and a host of other issues, working immediately towards Type II compliance becomes the only option at times.