Is there a baseline standard for how a service organization should disclose its controls?
Yes and no. Service organizations are permitted to disclose their control objectives and activities in any manner they see fit. However, for a SAS 70 audit engagement to be of maximum benefit to the user organizations (i.e. customers) and their auditors, the service organization should disclose its controls in a manner that satisfies the user auditor’s requirements. To do this, the service organization’s description of controls should address five key components of internal control as defined in SAS No. 55, Consideration of Internal Control in a Financial Statement Audit:

• Control Environment sets the tone of an organization, influencing the control consciousness of its people. The control environment is the foundation for all other components of internal control, providing discipline and structure.
• Risk Assessment is the entity’s identification and analysis of relevant risks to the achievement of its objectives, forming a basis for determining how the risks should be managed.
• I