NCP Solutions Successfully Completes SAS 70, Type II Examination
In December 2004, Ernst and Young LLP completed a Type II SAS 70 examination of NCP Solutions'
internal controls that govern its order processing and print production capabilities. NCP
subsequently announced in a March 16, 2005 press release that it had received an unqualified
opinion from Ernst and Young upon completion of this six month examination.
NCP renews this examination annually.
About SAS 70, Generally
Statements on Auditing Standards, Generally
SAS Number 70
Types of SAS 70 Examinations
Scope and Timing of SAS 70 Examinations
Why SAS 70 Matters to NCP's Clients and Potential Clients
Outsourcing developments
Regulatory developments
Details About NCP's SAS 70 Examination
About SAS 70, Generally
Statements on Auditing Standards, Generally
SAS 70 is a widely recognized professional audit standard.
"SAS" stands for Statement on Auditing Standards.
Statements on Auditing Standards are developed by the American Institute
of Certified Public Accountants (AICPA) and represent professional standards
that Certified Public Accountants (CPAs) must follow when conducting audits.
The AICPA is the national professional organization for CPAs that, among
other things, develops and administers the CPA exam.
Back to top
SAS Number 70
SAS 70 (each SAS is numbered) is a particular Statement on Auditing Standards
entitled "Service Organizations."
SAS 70 codifies standards for audits of a service organization that may be relevant
to the internal controls
of the service organization's clients.
A client company's auditors may need assurances about the service provider's
controls to fulfill their professional audit obligations.
SAS 70, as the professional standard for auditing such service providers,
affords a means to deliver such assurances.
Back to top
Types of SAS 70
Type I - Also referred to as a "Report on Controls Placed in Operation," includes:
» A description of detailed controls
» Whether the specified controls are suitably designed to achieve broader
control objectives
» Whether the specified controls had been placed in operation as of a specific
date
» An auditor's opinion attesting to the information in the report, but
containing a specific disclaimer of opinion on the operating effectiveness
of the controls
Type II - Also referred to as a "Report on Controls Placed in Operation and Tests of Operating Effectiveness,"
includes the first three items in the Type I report, plus:
» A description of specific tests applied to controls and the results of
those tests
» Whether the specified controls that were tested were operating with sufficient
effectiveness to provide reasonable, but not absolute, assurance that the
related control objectives were achieved during the period specified
»An auditor's opinion attesting to the information in the report, that
excludes the Type I disclaimer noted above
The Type II form is the most stringent, and includes rigorous tests of specified controls in order to provide
a measure of assurance that related control objectives were achieved.
»The report details the specific tests and their results for users' consideration.
»Client auditors are allowed to rely more extensively on a Type II report
than a Type I report, potentially resulting in lower audit costs for the
client.
Back to top
Scope and Timing of SAS 70 Examinations
Scope of SAS 70 Examinations
SAS 70 examinations can flexibly address a wide variety of control objectives,
since the SAS 70 audit standard itself does not specify any particular control
objectives.
Control objectives to be examined are typically specified by the service
providers themselves, in consideration of client or regulatory needs.
Timing of SAS 70 Examinations
SAS 70 examinations cover particular periods of time, and reports are
dated to specify the time covered.
Since reports become outdated over time, it is customary to renew examinations
periodically.
Back to top
Why SAS 70 Matters to NCP's Clients and Potential Clients
Outsourcing developments
Companies increasingly outsource highly sensitive aspects of their businesses.
In such cases, assurances from service providers that outsourcing services
are carefully controlled become more important, not just to client auditors,
but to client management and Boards of Directors.
Since the scope of SAS 70 examinations is flexible, SAS 70 examinations
are broadly applicable and can satisfy the need for these assurances.
Back to top
Regulatory developments
Recent regulatory developments require increased vigilance over internal
controls, customer privacy and data security. Critical outsourcing relationships
can fall within the scope of these regulations.
| Regulation |
Requirement |
Implication for Outsourcers |
Sarbanes-Oxley Act Rule 404 |
Certain companies must maintain effective internal control systems,
and both management and auditors must attest that the companies
have done so. |
If a company's internal control systems depend on the controls
of service providers, then the service providers' controls are relevant
to meeting the requirement. |
Gramm-Leach-Bliley Act |
Financial institutions must maintain a comprehensive program
to protect the security and confidentiality of nonpublic personal
information of their customers. |
Such comprehensive programs extend in some ways to service providers. |
Back to top
Details About NCP's SAS 70
Examination
Auditor: Ernst and Young LLP.
Facilities Addressed: Birmingham, Alabama and Jacksonville, Florida.
Type of Examination: Type II.
Time Periods Covered: Six-month periods have been examined annually since 2004.
Scope: NCP's control objectives were defined by NCP and Ernst and Young
to include matters clients consider most valuable.
Back to top
