Total Number of Subscribers: 464

Date: 29th Sep 2009
Compiled by: M Sathya Kumar

Introduction : Wonders India Ltd., a BPO involved in Software Development and Maintenance activities in Pune, has been asked by their customer’s statutory auditors to undergo a SAS 70 audit. Basant Kumar (BK), the Chief Audit Executive at Wonders India Ltd., was active in the field of Internal Audit, particularly in matters relating to the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control Integrated Framework and the Sarbanes Oxley Act (SOX). He had spent 15 years in the US as ‘head of audit’. BK was familiar with the AICPA guidelines and standards on various matters related to Financial Statements. He also had a very strong network of professionals in CPA firms in the US.

When the request of the customer’s statutory auditors was taken up for discussion during the weekly Management Committee review meet, BK accepted the challenge. He suggested that the entire internal control review required under SAS 70 could be executed by the in-house Internal Audit team, so that the time required of an external CPA firm could be kept to a minimum to save cost. Despite skepticism about his idea from several members of the Management Committee, the CEO thought it feasible and supported BK in his endeavour. The External auditors were requested to submit a Type 1 audit report.

Methodology :
Conduct awareness workshops on SAS 70 and its requirements.
Introduce COSO and SOX to Key Management Personnel through awareness workshops.
Establish formats for building up an inventory of Internal Controls and identifying the Key Controls.
Establish audit routines for verification of existence and effectiveness of controls.
Work with the external CPA Firm on maintenance of work papers to establish control existence and effectiveness.

COSO and SOX : While COSO preceded SOX by a decade, SOX requirements for attestation on controls are largely based upon COSO. Organisations worldwide have adopted the COSO framework for evaluation of Internal Controls.
AICPA — SAS 55 definition of Internal Control is the same as the definition in COSO :
COSO seeks to look at Internal Control in a mechanistic manner and says that ‘control’ has 5 components :
The framework has enabled a faster implementation of control structures on which the CEO, CFO and the External Auditor can rely for their attest functions. It has also helped organisations to understand internal control better and implement control systems for the ultimate benefit of organisations. SOX is applicable to all organisations on the US Stock Exchanges, particularly to the control system that has an impact on the reliability of financial statements.

Awareness on SAS 70 : SAS 70 is applicable to service organisations. Outsourcing of major business activities as a cost rationalisation strategy is widely used today in business. The Indian IT Enabled Services (ITES) industry is booming and is seeing significant growth because of ‘outsourcing’. A number of these outsourcing organisations have an impact on the information systems of their customers’ financial statements. SAS 70 is applicable to service organisations providing services if they affect any of the following :
SAS 70 is not applicable to the following :
Formats for building up an inventory of Internal Controls : Considering that the focus of the audit was on Internal Controls vis-à-vis reporting in the financial statements, those controls that have a direct/indirect impact on the financial statements were sought to be identified in each process area. A comprehensive listing of these controls was done. A review of these controls was then carried out by the Internal Auditor in consultation with the process owners, identifying the key controls. The criterion used was primarily the control’s direct effect on mitigating the risk or meeting the desired objective. The Internal Auditor facilitated the discussion and provided his inputs for finalizing the key objectives. Refer to Exhibit 3 for an illustrative listing. Detailed descriptions for each control activity were also captured. These descriptions were vetted by the process owners and also the CAE before being offered to the auditors.

Define Audit Routines : Detailed audit tests were identified for each process and key control. From each process area all the key controls were verified and their effectiveness tested.

Conclusion : The control review done for the SAS 70 audit was greatly appreciated by the auditors and well received by the customer’s Auditors. The Audit Committee and the Board recorded their appreciation of the effort put in by the Internal Audit function.

Article by Mr. Deepjee Singhal, a renowned Chartered Accountant specialising in Audit.