Third party assurance (e.g. SAS 70)

If your organisation provides other companies with services that have an effect on their financial statements or if their control environment is dependent on yours, then you may be asked to provide a report on your internal controls. Your customers may want it as assurance or their financial auditors may require it, but it can also be a strong marketing argument for you. A SAS 70 report or its international ISA 3402 equivalent is likely to be your solution, although there are various other options as well. SAS 70 is a US (AICPA) auditing standard to produce a formal report on the design, implementation and operating effectiveness of controls within a service organisation.

Conversely, if your company outsources some or all of its business operations to a service organisation and these operations have an effect on your financial statements, then a SAS 70 audit report may provide you and your independent auditors with information and assurance on the service organisation’s control environment. We can help you determine the most appropriate assurance solution, whether a type I or II SAS 70, or another report or attestation (e.g. against another auditing standard such as SSAE 10, WebTrust or SysTrust, but PwC can also do ISO certifications, e.g. against ISO 27001)

A SAS 70 report:

• Is a formal report on the design, implementation and effectiveness of controls within a service organisation, usually covering a period of not less than six months.
• Is primarily used to support the financial audit process of entities that use outside service organisations.
• Contains an independent accountant’s opinion on the design, implementation and effectiveness of controls within a service organisation for the audit period.
• Contains a description of the service organisation’s control environment, its control objectives and the key controls that are in place to achieve those control objectives.
• Contains tests of operating effectiveness performed by the independent accountant, and the results of those tests (type II).
• Contains control considerations that should be employed at entities that use the service organisation.
• Is intended for use by the service organisation, its customers and the independent accountants of its customers.

Our unique approach is highly flexible and in combination with our unrivalled experience, we help our customers avoid the traditional pitfalls, provide the assurance that is most suited and at the same time, often improve their control environment significantly.

PwC can assist in producing the actual SAS 70 report describing the internal controls in place as well as perform the actual review in order to provide the SAS 70 attestation. Extensive experience is available within PwC in several domains, including: financial services, logistics, pension fund administration, group insurance, IT service providers, etc.