• Accounting and Auditing
• Employee Benefit Plans
• Private Companies
• Public Companies
• Sarbanes-Oxley
• SAS 70 Examinations
• Senior Corporate Executives
• Business Investigation Services
• Tax Services
• Consulting Services
• Governance, Risk, and Compliance
• Private Equity Services

The AICPA’s Statement on Auditing Standards No. 70 (SAS 70) applies to organizations that provide services or use a service organization to process certain transactions. SAS 70 reports provide information on factors an independent auditor should consider when auditing the financial statements of entities that use service providers to process transactions.

J.H. Cohn’s dedicated IT Audit Department has completed many SAS 70 examinations for companies in a wide range of industries including educational services, bank trust departments, telecommunications, healthcare, insurance, and professional examination services. The team of professionals devotes 100 percent of their time to the following:

• SAS 70
• SAS 94 (The Effect of Information Technology on the Auditor’s Consideration of Internal Control in a Financial Statement Audit)
• WebTrust privacy audits
• Internal control assessments
• Attestations
• Other non-attestation IT control work related to financial audits

At J.H. Cohn, our clients not only value our deep technical expertise, but our focus on integrity, commitment to quality, and genuine concern for their businesses. When you seek our assistance with SAS 70, you’ll receive the resources of a larger firm and gain partner-/manager-level attention at the same time.

A Proactive Approach Strongly Recommended

On the surface, certain outsourced services may not appear to have an impact on financial statements, but SAS 70 has a broad reach. The reports are especially relevant for organizations that provide services in support of electronic commerce, such as web hosting, and other entities such as insurance companies, businesses that outsource information technology and other services, healthcare billing companies, trust departments, and mortgage providers.

An organization should assess whether it may be requested by its customer to provide a SAS 70. Accordingly, it may be a good idea to take a proactive approach to SAS 70 and have the examination conducted in advance of a request. Not only will it be readily available when you need it, organizations that have them conducted in advance have the opportunity to make improvements, if necessary, to internal controls.

Our Process

Based on our experience preparing many SAS 70 examinations, we have developed an approach that is customized for each client’s needs. J.H. Cohn begins a SAS 70 examination by gaining an understanding of the service organization’s high-level COSO components, general controls, and application controls. We do this by reviewing management’s description of controls, consulting with management, observing operations, and performing walkthroughs of representative transactions in a SAS 70 Type I and Type II. The resulting SAS 70 report will include the service auditor’s opinion letter as well as the service organization’s description of controls and related control objectives. A SAS 70 Type II also includes a report on the service auditor’s tests of operating effectiveness.

The five phases of our process are:

• Phase I: Gaining an Understanding of Internal Control
• Phase II: Testing (for Type II)
• Phase III: Wrap-up
• Phase IV: Review
• Phase V: Reporting

Our experience indicates that certain organizations benefit from a readiness review, which includes the same phases of our process as described above with the exception of reporting. J.H. Cohn can also assist service organizations undergoing a first-time SAS 70 by conducting a readiness review for a Type II examination, which helps an organization prepare for a SAS 70 examination.

We’re dedicated to understanding your business and assisting in your success. A detailed document providing the steps involved in J.H. Cohn’s SAS 70 examinations is available. For more information, click here