Explore BrainMass

This post addresses SAS 70, audit reports, & SAS 99.

Statement of Audit Standard 70 - Service Organization audit is an audit on organizations that provide various service to other businesses which, for different reasons may decided to outsource one or more of their activities.
During annual audit of companies that have outsourced part of their activities, the external auditor needs assurance that the controls in place at the third-party service provider are effective. SAS 70 report will provide such assurance.

Consider Type I and Type II SAS reports. Do both of these reports allow the reduction of substantive testing?

It is important to talk a little bit about SAS 99 - Consideration of Fraud in a Financial Statement Auditing. This standard provides extended description of fraud and requirements auditors need to fulfill for fraud detection and during audit engagement.
I find the topic that deals with Professional Skepticism interesting. Professional Skepticism is different from suspecting the presence of fraudulent activity. It is rather recognition that fraud is possible hence preparing one's attitude accordingly.

Additional thoughts on SAS 99

The importance of IT auditors while engaging in audit of an organization with computerized Accounting Information System.
However, many systems have built-in procedures to produce different reports including supporting documentation, journals, and ledgers. Auditors can us the the print outs of these reports with having to deal with the actual computer system and its controls. This is called Auditing Around the Computer.

Any thoughts on the other two - Auditing Through the computer and Auditing With the Computer?

Solution Preview

Consider Type I and Type II SAS reports. Do both of these reports allow the reduction of substantive testing?

Type I & II are considerably different and any reductions in testing would be respective to the type required. Type I SAS reports analyze the internal controls at a specific point -- the point of analysis by the auditor. Basically, the auditor is reporting on whether or not the controls observed are effective and in-place. In a type II SAS report, the auditor is reporting on a period during which the controls were tested, which is typically a six month period, although there are some variations depending on the circumstances in the audit. One of the main differences will therefore be that with the type II report, we've got a longer period and more instances of testing. The testing would therefore be reduced in the type I report. In the type I report, the details of the testing usually aren't as comprehensive as we see in a type II report, which shows an inherent reduction in substantive testing in a type ...

Solution Summary

This solution discusses auditing through the computer, SAS 70, SAS 99, and audit reports type I and type II. Related issues are also discussed.