That companies outsource myriad business functions is no surprise these days. What is a surprise, however, is the lengths to which public companies must go to ensure that those vendors’ internal controls don’t become their undoing. That’s because, no matter what service is outsourced—like payroll, for example—responsibility for financial controls stays in place. But the process of ensuring a vendor’s controls are up to par is not always easy, nor is it cheap. Although a public company can conduct its own audit of a vendor’s controls, some ask suppliers for an audit known as a “SAS 70 Type II.”
The American Institute of Certified Public Accountants Statement on Auditing Standards 70 set forth the practice for evaluating the performance of outside service organizations. A Type I audit describes the business’s controls, noting if they are suitably designed and in place. A Type II audit tests those controls and reports if they are working adequately.
