Internal Control
Reviews
THF can provide a review of the
internal operating controls of various types of
organizations. The two types of reports are a SAS 70
Audit services to third-party service organizations; and
a corporate internal controls report over transaction
cycles, the finance and financial reporting functions.
A
SAS 70 audit is one very important way to demonstrate a
service providers commitment to providing reliable
quality service to their customers in a controlled
environment. In addition, a current Service Auditor’s
Report saves service provider’s from entertaining
multiple audit requests with varying agendas from
customers and their auditors. Multiple visits and
open-ended inquiries from user auditors can place
unnecessary strain on a service provider’s
organizational resources and customer relationships. A
Service Auditor’s Report ensures that all user
organizations and their auditors have access to the same
information and in nearly all cases, satisfy user
auditor’s requirements.
We offer two types of AICPA-accepted SAS 70 reports:
•
Reports on controls placed in operation (Type I)
A
service auditor’s report on a service organization’s
description of the controls that may be relevant to a
user organization’s internal controls, whether such
controls were suitably designed to achieve specified
control objectives, and whether such controls had been
placed in operation as of a specific date. Such reports
may be useful in providing a user auditor with an
understanding of the controls necessary to plan the
audit and design effective tests of controls and
substantive tests at the user organization. The report
is not intended to provide the user auditor with a basis
for reducing his or her assessments of control risk
below the maximum.
•
Reports on controls placed in operation/tests of
operating effectiveness (Type II)
A
service auditor’s report on a service organization’s
description of the controls that may be relevant to a
user organization’s internal controls, whether such
controls were suitably designed to achieve specified
control objectives, and whether such controls had been
placed in operation as of a specific date. The report
also describes tests of controls and the results of the
tests. The control testing results are in the form of an
opinion as to whether the controls operated with
sufficient effectiveness to provide reasonable, but not
absolute, assurance that the related control objectives
were achieved during the period specified. Such reports
are useful in providing the user auditor with an
understanding of the controls necessary to plan the
audit and may provide user auditors with a basis for
reducing their assessments of control risk below the
maximum.
The objectives of an internal control review report is
to document existing internal controls and processes,
test compliance with established procedures, evaluate
the effectiveness of existing controls, review the
accuracy of report outputs, and provide recommendations
for improvements that strengthen internal controls and
provide operating efficiencies. Most importantly we
develop a detailed narrative providing management with
alternatives for modification of existing policy and/or
where necessary suggestions and recommendations for
overall changes. The recommendations will be designed
and structured with an emphasis on enhancement in
design, efficiency and effectiveness.
