 23/03/2010  - Participant News: Kaufman, Rossin & Co., P.A. - Why SAS 70?  


The author explains the benefits of the auditing report that assesses a service organization’s internal controls.

There has been a lot of attention given to SAS 70 reports recently. The SAS 70 report is a report based on an auditing standard officially titled “Reports on the Processing of Transactions by Service Organizations.”[1] These reports assess the internal controls of a service organization. Companies outsourcing critical processes use SAS 70 reports to select and assess their outsource providers. Among other benefits, this assessment tool can help users identify risks related to financial fraud and data security.

The concept is not new
Internal controls have become increasingly important in the auditing process over the past two decades. The evolution of this emphasis helps to demonstrate the growing reliance on SAS 70 reporting.

In 1988, an auditing standard was issued which began requiring that financial statement auditors assess the internal controls related to any process that might have an impact on their clients’ financial reporting. This standard, SAS 55 (“Consideration of the Internal Control Structure in a Financial Statement Audit”) meant that an outsourcing company providing payroll services to hundreds of businesses, for example, would have to be examined by the auditors for each of their customers.

These outsourcing companies found their resources stretched to comply with the requests from all of their customers’ auditors. In 1992, SAS 70 was issued in response. Now outsource providers could have one internal control review performed, addressing all the areas their clients’ auditors would need to review, and share that report with each requestor.

In 2001, an amendment to SAS 55 put more focus on the effect of information technology on internal controls. This amendment, known as SAS 94, required auditors to look more carefully at technology’s role in the control environment. This meant that SAS 70 reports became more technology focused, and professionals providing them needed more background in information technology.

The passage of the Sarbanes-Oxley Act of 2002 heightened the focus on internal controls over financial reporting. SOX Section 404 essentially said, if you’re going to outsource a significant process to somebody, you’re required to make sure they’re doing what they’re supposed to. It said that the best way to do this is to review their SAS 70. And if they don’t have one, you’ll have to do your own assessment.

This means that, if you’re a data storage company and you do not have a SAS 70, all of your clients need to send their IT people to your facility to make sure their data is protected. If you are a hedge fund administrator, all your clients (fund managers) and maybe even their clients (institutional investors) would be sending their own auditors to review your procedures and test your controls. This swarm of investigators constantly checking up on you would certainly be inconvenient, at best. A SAS 70 report frees you from those requests.

Aren't financial statement auditors responsible for this?
When auditing the financial statements of a private company, an auditor’s responsibility is to understand the client’s internal controls over financial reporting, and plan the audit accordingly. For example, if they have an ineffective internal control environment, the auditor is probably going to test more accounts and balances instead of controls. If they have a stronger control environment auditors will do less testing.

When auditing the financial statements of larger public companies, however, the auditor is required to give an opinion on the design and effectiveness of the company’s internal controls — actually auditing the controls. The client does its own assessment of internal controls over financial reporting, and the auditor audits those controls.

But those responsibilities are only related to controls over financial reporting — controls like segregation of duties, procedures for booking transactions and reconciling accounts. A SAS 70 report goes beyond controls over financial reporting, assessing the many other controls that, if they are not operating, can indirectly affect the accuracy of the financial reporting. For example, computer operational controls, if insufficient or not operating properly, could allow hackers to tap into a company’s financial reporting system and commit financial fraud. A SAS 70 is a tool that allows company management and external users to see that there are adequate internal controls over the service provider’s operations.

What is the SAS 70?
There are two types of SAS 70 reports, commonly referred to as a Type I or Type II. The process for either one begins with the outsource provider’s control objectives. These objectives might include things like Physical Security, Environmental Security or Computer operations. A control objective for Computer Operations, for example, might be “Control activities provide reasonable assurance of timely system backups of critical files, off-site backup storage, and regular off-site rotation of backup files.”

A consultant preparing a SAS 70 Type I, the Report of Controls Placed in Operation, will take that control objective, review the controls in place to see if they are suitably designed to meet that objective, and determine whether they are in place on a specific date. It’s a snapshot of the control environment. This report may be sufficient for an auditor to fulfill his or her responsibility, which is to know that their client has the proper design of controls for financial reporting with respect to their understanding of controls at their service provider.

For a Type II report, the Report of Controls Placed in Operation and Tests of Operating Effectiveness, the process goes deeper. To prepare a Type II report, the professional will test all of the service provider’s controls over a period of time, typically six months to a year, to see if they are operating as designed to meet the objectives. In some cases, rather than repeating all the testing every year, update letters are provided attesting that the controls are still operating. The amount of testing performed for each control will be statistically determined, based on how frequently the control would actually be used. Examples of a control frequency might be controls that occur daily, weekly, monthly and quarterly. These tests will be documented in testing matrices.

While a Type I report may be sufficient to meet an auditor’s obligations, the more detailed Type II report can provide more value for the service organization’s clients. If you think of controls like a circus performer’s net, a Type I report demonstrates that the net is in place and would be sufficient to catch the performer if she fell. A Type II report actually tests what happens when a body hits the net, not just once but repeatedly, over a period of months.

In addition to the testing, which is the core of the data provided by the report, it will include:

  • Independent Service Auditor’s Report, the letter the auditor includes at the front of the report to summarize the process and their findings
  • Description of Controls Placed in Operation, which will include an overview of the operation and the services provided, details about the control environment, the technology used, and complementary controls that users are expected to have in place
  • Other information provided by management, which might include information about business continuity procedures, and compliance with other relevant regulations.

When does a company need a SAS 70?

If you are a service provider, you may want to engage an auditor to prepare a SAS 70 report for several reasons.

First, as discussed above, you’ll replace the disruption to your business by visiting auditors or clients to assess your internal controls with a single visit from a service auditor, typically once or twice per year. This could save you money and time, since each of those visits requires management’s attention.

Second, you will have the benefit of that service auditor’s experience reviewing controls like yours. That experience, which comes from performing similar engagements for other companies in your industry, could provide you with insight into best practices or issues you might not have perceived on your own. Having an unrelated party reviewing your processes and controls and critiquing them can improve your business; ideally, they will provide constructive criticism rather than simply agreeing with your procedures.

What kind of companies need SAS 70 reports?

  • Application Hosting Providers
  • Application Service Providers
  • Benefits Administrators
  • Clearinghouses
  • Collection Agencies
  • Data Centers
  • E-Commerce Providers
  • Health Care Claims Processors
  • Health Care Practice Management
  • Insurance and Financial Services
  • Internet Service Providers
  • Managed Services
  • Mortgage Services
  • Payroll Service
  • Pension Administrators
  • Print/Mail Fulfillment Houses
  • Service Bureaus
  • Software as a Service Provider
  • Software Vendors
  • Third Party Administrators
  • Web Hosting Providers

And third, a SAS 70 report can serve as a marketing tool. When potential clients interview service providers and perform their own due diligence, a provider with a SAS 70 can have an edge over competitors. The fact that control objectives are identified and controls are documented in a Type I report provides a level of confidence; the testing completed for a Type II report adds even more value. A SAS 70 sets you apart from competitors, and it may even be required to get bigger business or retain certain clients as they grow.

When considering a service organization, should a SAS 70 be required?
More and more companies are using the SAS 70 as a requirement for placing contracts with service organizations. Let’s face it, the tremendous amount of personal and financial information that is created, stored and communicated electronically means every business process at any size company requires more well-designed and properly operating internal controls than ever, because the risk is much greater. But whether you should require one — and which Type — still depends a great deal on your business dynamics and the services being performed.

Consider a hedge fund. The fund auditor’s responsibility is to know that they have the proper design of controls for financial reporting. To do that, auditors look at the fund’s systems and processes to see that they are sufficient. But many funds outsource their financial reporting and administration. Should the fund manager require their fund administrator to have a SAS 70? And which type?

In this case, the requirement seems wise. The fund manager executes the fund’s strategy by buying and selling securities. The fund administrator is tasked with the responsibility of accounting for these transactions and valuing the investments; the fund manager provides that information to his investors, who rely on it. If controls are not designed correctly or not operating properly, the risks of incorrect net asset value reporting, misrepresenting that value to investors and even financial fraud are tremendous. Poorly designed or malfunctioning controls relating to information security can pose additional risks. If personally identifying client data is compromised, the fund is required to inform each customer and maybe even publicly disclose the data breach, leading to a loss of trust from current and prospective clients. One 2008 study documented the cost of security breaches at an average of $202 per compromised record — and a total cost of $6.65 million.[2] In this case, although a Type I report’s snapshot of controls might meet the fund’s auditor’s obligations, to minimize these risks and demonstrate this to potential investors may require a Type II report.

In other circumstances the answer is less clear. When outsourcing payroll, for example, you may want to review a SAS 70 report to make sure the confidential information about your employees is kept secure — or you may believe that your internal controls over the data you provide to the payroll company and the reporting you receive are sufficient. If you’re a small ecommerce company using an outside fulfillment house to store and ship your product, you may find more value in personally visiting their operation and reviewing their inventory procedures and controls over your customers’ order information — or you may want an outside auditor’s expertise to document the safety of your products and data.

In any case, just determining that a potential vendor has a SAS 70 report is not sufficient. Make sure to review the report carefully, not just to make sure that all controls have been deemed sufficient, but also to confirm that the services you’ll be using are covered by the controls the auditor has tested.

Who should perform the SAS 70 audit?

There seem to be an unlimited number of professional firms offering SAS 70 audit reports. The international CPA firms provide them, and so do many of the regional and local firms. Consulting firms have been established whose sole practice is SAS 70 auditing.  

In selecting the proper resource, consider factors similar to those you use to choose your financial statement auditors.

  • SAS 70 Experience.  Make sure the firm you select has significant experience performing SAS 70 auditing, and that the team assigned to your engagement has experience as well. This will limit wasted time on your part, and provide a better quality product.
  • Industry Experience.  As discussed above, one of the benefits of a third party assessment of your internal controls in a SAS 70 engagement is what you’ll learn about what others are doing. The most valuable recommendations you’ll get here are from auditors with substantial experience with clients in your industry, preferably experience related to controls.
  • Reputation.  This is a tricky factor, because it’s based on how you intend to use the report. If your desire for a SAS 70 report is simply for management’s use, to determine whether you have the proper controls, then an international, national or regional reputation isn’t required; choose a firm with a reputation for quality and industry expertise. If you’re planning to use the SAS 70 as a competitive tool, to attract investors, or as part of a strategy to merge or sell your company, reputation is more important. Some audiences will be turned off by a provider who doesn’t perform any other audit services; a CPA firm listed in the top 100[3] may be appropriate for some audiences; others may require a national or international brand name.

Although SAS 70 has been in place for nearly 20 years, and reviewing internal controls has been an auditor’s responsibility even longer, the increasing demand for SAS 70 reporting shows no signs of abating any time soon. The dominance of electronic information and increasing industry-specific regulation related to its security is one of many factors that will make SAS 70 reports more common; as more companies use them as competitive differentiators it may be nearly impossible to operate in some service industries without one.

NOTES

[1] SAS No. 70, Service Organizations, http://www.aicpa.org/download/members/div/auditstd/au-00324.pdF.
[2] Dr. Larry Ponemon, Ponemon Institute, Fourth Annual US Cost of a Data Breach, January 2009, http://www.ponemon.org.
[3] Inside Public Accounting, 2009 Top 100 Accounting Firms, August 2009, http://insidepublicaccounting.com/pdF/top100_2009.pdf.

Nick P. Tootle is an audit principal at the Southeast CPA firm Kaufman, Rossin & Co. He can be reached at ntootle@kaufmanrossin.com.