
Understanding and Interpreting SAS 70 Reports

Understanding and Interpreting SAS 70 Reports. Jon Ingram Audit Manager Information Technology Audits Florida Auditor General. Options When Service Organization Controls are Significant. Obtaining a SAS 70 report, if available.


Presentation Transcript


  1. Understanding and Interpreting SAS 70 Reports
     Jon Ingram, Audit Manager, Information Technology Audits, Florida Auditor General

  2. Options When Service Organization Controls are Significant
     • Obtaining a SAS 70 report, if available.
     • Requesting that a service auditor be engaged to perform procedures.
     • Contacting the service organization (through the user organization) to obtain information.
     • Visiting the service organization and performing own procedures.

  3. Using a SAS 70 Report - Benefits
     • Might be more cost effective and efficient.
     • Depending on contract terms & geographic location of service center, may be difficult or costly to get your own audit access to a service organization’s records and facilities.
     • SAS 70 audit may already be available (for other customers of service organization).
     • Use of available SAS 70 report may prevent or minimize duplication of audit effort.

  4. Using a SAS 70 Report - Considerations
     • Does the scope of control testing adequately address your audit objectives?
     • If scope of SAS 70 audit covers multiple service provider operations, is it possible to determine the level of testing applicable to your auditee?
     • Does the timing of control testing facilitate the results being available soon enough for evaluation?
     • If SAS 70 report is not already available, can the user organization negotiate the provision of service organization audit without significant additional costs?
     • Have significant service organization controls been outsourced to subcontractors?

  5. Example SAS 70 Reports of Florida Service Organizations
     • Blue Cross and Blue Shield (BCBS) – State of Florida Employees Group Self Insurance Plan.
     • Various investment custodians under contract with Florida SBA.
     • Hewlett-Packard (HP) – Florida Medicaid Management Information System (FMMIS).
     • NorthgateArinso (NGA) – People First.

  6. FMMIS
     • HP is Florida’s Medicaid fiscal agent.
     • HP uses FMMIS to enroll providers and adjudicate and process Medicaid claims.
     • HP manages the development and modification of the application, maintains the operating system and databases, and hosts and operates FMMIS.
     • Florida’s contract with HP provides for a SAS 70 audit of FMMIS IT controls.

  7. FMMIS
     • Approximately $15 billion in Medicaid benefits processed in FMMIS during the 2009-10 fiscal year.
     • FMMIS IT controls relevant to Statewide Federal Awards audit.
     • SAS 70 audit focuses on relevant IT controls specific to FMMIS.
     • Type 2 report.

  8. Audit Considerations
     • HP became the new fiscal agent effective June 26, 2008 – new system, new data warehouse, new set of controls.
     • Timing issues with first SAS 70 audit of HP’s FMMIS.
     • More explicit description of control testing would enhance our evaluation of control testing results.
     • Audit coverage of data warehouse – source of most key reports – would enhance usefulness for our audit purposes.

  9. Audit Response
     • We performed our own IT audit of FMMIS and the data warehouse (Report No. 2010-025) and another such audit is in progress.
     • We asked AHCA to request changes in the timing and coverage of the SAS 70 audit – ultimate resolution still pending.
     • We will continue to perform own IT audit procedures if timing not shifted.

  10. People First
     • Florida’s HR system.
     • Maintained and operated by NGA.
     • Florida is one of many NGA customers.
     • Florida’s version of the application, heavily customized, is a separate database instance.
     • Per contract, NGA obtains a SAS 70 report on its service centers and application.
     • SAS 70 report also given to other NGA customers.

  11. People First
     • People First IT controls relevant to our audit of the State’s financial statements – e.g., compensated absences liability.
     • SAS 70 report historically was provided semiannually and covered a six-month period.
     • SAS 70 report provided to multiple NGA customers vs. just Florida.
     • Type 2 report.

  12. Audit Considerations
     • NGA, who recently acquired the former service organization, plans to change from semiannual to annual SAS 70 audits with a January – October audit period and December report issuance.
     • If planned change occurs, an audit consideration is whether report would be available timely enough for Statewide financial statement audit planning.

  13. Audit Response
     • We asked DMS to revisit the SAS 70 timing with NGA – resolution is pending.
     • If timing is not adjusted, we may have to perform IT auditing procedures of the People First application and the NGA service center.

  14. Summary
     • SAS 70 reports are not “one size fits all.”
     • User auditor must understand:
        • The scope and timing of the SAS 70 audit.
        • The nature of the service organization’s controls and service auditor’s testing of controls.
        • The significance of the control testing to the user auditor’s objectives.

  15. Questions?
