Data Security in an Outsourced World: Who Needs a SAS 70?
In today's regulatory environment, all companies are facing tougher scrutiny about their IT security measures, financial records and compliance standards. Companies seeking a third-party provider will often rely on a SAS 70 to determine whether the provider has adequate controls. However, SAS 70 reports come with their own set of questions and uncertainty.
In an effort to beef up internal controls and data security, service organizations have sought out SAS 70 reports to demonstrate their level of compliance. When businesses choose to outsource critical processes, the SAS 70 (Statement of Auditing Standards No. 70) helps them assess and select potential providers. This assessment tool can help users identify risks related to financial fraud and data security.
At one point, having these audits done was thought of as a differentiator; now, acquiring them is almost essential.
The focus on internal controls isn't new. The first standard, SAS 55 ("Consideration of the Internal Control Structure in a Financial Statement Audit"), was issued in 1988 and required that financial statement auditors assess the internal controls related to any process that might have an impact on their client's financial reporting.
This created a nightmare for third-party providers. It meant that an outsourcing company providing payroll services to hundreds of businesses, for example, would be examined by the auditors for each customer. SAS 70, issued in 1992, helps them demonstrate the security of their operations while eliminating that swarm of investigators by having one internal control review performed, and sharing that report with each requestor.
In 2001, an amendment put more focus on the effect of information technology on internal controls. This amendment, known as "SAS 94," required auditors to look more carefully at technology's role in the control environment. This meant that SAS 70 reports became more technology-focused, and professionals providing them needed more background in information technology.
If you were a data storage company and you didn't have a SAS 70, all your clients would need to send their IT people to your facility to do their own tests to make sure you were protecting their data. If you were a hedge fund administrator, all your clients (fund managers) and maybe even their clients (institutional investors) would need to send their own auditors to review your procedures and test your controls.
A SAS 70 report frees you from those types of requests.
Will a financial statement audit suffice?
An auditor is required to give an opinion on the design and effectiveness of the company's internal controls. The internal control assessment in a financial statement audit is only related to controls over financial reporting -- controls like segregation of duties, procedures for booking transactions and reconciling accounts.
The SAS 70 report goes beyond controls over financial reporting, assessing the many other controls that -- if they are not operating -- can indirectly affect the accuracy of the financial reporting. For example, computer operational controls, if insufficient or not operating properly, could allow hackers to tap into a company's financial reporting system and commit financial fraud. This in-depth look can have a major impact on mitigating risk.
What's in a SAS 70?
There are two types of SAS 70 reports, referred to as a "Type I" and "Type II." For both of these reports, the first step is to identify what the outsourced provider determines to be its control objectives. These could include increasing physical security, maintaining environmental security, or streamlining computer operations. For example, a control objective for computer operations might be "control activities provide reasonable assurance of timely system backups of critical files, off-site backup storage, and regular off-site rotation of backup files."
- SAS 70 Type I: Report of Controls Placed in Operation is a snapshot of the control environment. A consultant determines whether the suitably designed controls are in place and whether the control objectives are being met, at a specific date. This report helps an auditor determine if the client has the proper design of controls for financial reporting with respect to the controls at its service provider.
- SAS 70 Type II: Report of Controls Placed in Operation and Tests of Operating Effectiveness goes more in depth. The consultant will test all of the service provider's controls over a period of time, typically six months to a year, to see if they are operating as designed to meet the objectives. Rather than repeating all the testing every year, an update letter can be provided attesting that the controls remain in compliance.
The report will also include:
- an Independent Service Auditor's Report, which highlights the process and the auditor's findings;
- a Description of Controls Placed in Operation, which includes an overview of the operation and the services provided, details about the control environment, the technology used, and complementary controls that users are expected to have in place; and
- other information provided by management, which might include information about business continuity procedures and compliance with other relevant regulations.
Who Needs a SAS 70?
A SAS 70 enhances the credibility of any service organization, but there are several other reasons why it is useful. First, you'll save money and time by replacing the disruption to your business from visiting auditors or clients with a single visit from a service auditor, typically once or twice per year.
Second, you will gain key insights about best practices and common issues that companies in your industry face from experienced auditors who have previously completed comparable audits. Having an unrelated party reviewing your processes and controls -- and critiquing them -- can improve your business; ideally, the auditors will provide constructive criticism rather than simply agreeing with your procedures.
Third, a SAS 70 report is a great marketing tool. Your business will have an advantage over competitors when potential clients interview and compare potential service providers. The identification and documentation of specific control objectives in a Type I report gives them a level of confidence. The testing completed for a Type II report adds even more value. A SAS 70 will differentiate you from competitors, and it may even be required to get bigger business or retain certain clients as they grow.
Who should you choose to perform your SAS 70 audit?
In selecting the proper resource, consider factors like those you use to choose your financial statement auditors.
- The firm you select should have considerable experience performing SAS 70 auditing.
- It should have significant experience in your industry.
- It should have a reputation for quality.
Determine how you intend to use the report. If it's simply for management's use, to determine whether you have the proper controls, then an international, national or regional reputation isn't required; choose a firm with a reputation for quality and industry expertise. If you're planning to use the SAS 70 as a competitive tool, to attract investors, or as part of a strategy to merge or sell your company, reputation is more important. Some audiences will be turned off by a provider that doesn't perform any other audit services; a CPA firm listed in the top 100 may be appropriate for some audiences; others may require a national or international brand name.
The overwhelming growth in electronic information and the escalating amount of industry-focused security regulation are some of the reasons for the recent surge in demand for SAS 70 reports. Although SAS 70 has been in place for nearly 20 years, and reviewing internal controls has been an auditor's responsibility even longer, the increasing demand for SAS 70 reporting shows no signs of abating any time soon. As more companies use the reports as competitive differentiators, it may soon be nearly impossible to operate in some service industries without one.
Nick P. Tootle is an audit principal at Kaufman, Rossin & Co., a full-service accounting firm serving entrepreneurs, professionals and individuals. He can be reached at firstname.lastname@example.org.