What's the fuss over SAS-70?

Pressures from the rising wages and global economic trends have forced many companies to outsource more and more critical processes. These processes involve initiating, recording, processing and reporting a company’s transactions, most of them have a direct impact on the client’s financial statements.

Below is a typical conversation Service Organizations are having with their clients:

Mr. Dela Cruz, a general manager of an aggressive and fast growing Service Organization receives a call from one of their clients: “Mr. Dela Cruz, before we renew your services for the next year, we would be requiring that you get a Type 2 SAS 70 certification.” Mr. Dela Cruz answered : “ But we are CMMI level 4 already and will be undergoing ISO 9001 this year, I reckon SAS 70 won’t be necessary.”

If third parties (i.e. service organization) are performing these critical processes such as payroll, financial reporting, billing etc., then how can management of their client companies (user organizations) have assurance on the internal control over their outsourced processes?

This is where SAS 70 comes in. SAS 70 or the Statement of Auditing Standards No. 70 is an internationally recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA). The SAS 70 auditing firm examines the service organization’s internal controls and issues a report on the state of those controls. This report is designed to provide information about the service organization’s controls that may be part of a user organization’s information system as it relates to the user’s financial statements. The report can be shared with the Service Organization’s current customers and their respective auditors.

Without a reliable SAS 70 report, companies which are covered by Sarbanes Oxley 404 and which outsource their critical processes will have to send their auditors to these service organizations to check whether proper controls are implemented for the outsourced processes. Now, imagine if this service organization has more than 10 clients who are also required to comply with Sarbanes Oxley 404 or any financial reporting regulatory requirements. The service organization will undergo audits all throughout the year and may be spending most of their time answering and entertaining the different sets of auditors.

How is SAS 70 different from other certification bodies?

Unlike other certifications such as the ISO 9000 family of standards, SAS 70 does not have a pre-determined set of standards that a Service Organization must meet in order to pass the review. The evaluation criteria for SAS 70 is customized based on the nature of the Service Organization’s processes and risks. It is the Service Organization’s responsibility to describe the controls that will be tested and disclosed in the Service Auditor’s report.

Also, one of the main differences between SAS 70 and the ISO 9000 family of standards is the area being covered in the review. SAS 70 covers the control environment, control activities, risk assessment process, information and communication processes and monitoring processes. On the other hand ISO 9000 basically covers the quality management processes.

While SAS 70 can satisfy the customer’s external financial audit requirements, ISO certifications usually do not.

Aside from SAS 70, there are also other frameworks or certifications related to computer systems. One of the popular ones is SysTrust. SysTrust is an assurance service developed by AICPA and the Canadian Institute of Chartered Accountants (CICA), which focuses on the examination of a company’s systems for overall availability, security, integrity, and maintainability. The main difference is the focus of the examinations. SAS 70 focuses only on control objectives as it relates to financial reporting and thus usually looks into financial systems or systems that may affect the user organizations financial reporting system. SysTrust can cover any system that a client wants to include in the scope.

What’s the difference between a SAS 70 Type 1 and SAS 70 Type 2 report?

There are two types of SAS 70 reports: Type 1 and Type 2. SAS 70 Type 1 reports cover the controls at a certain point in time, such as Dec. 15, 2007. The SAS 70 auditor looks at the design of the controls and checks whether these are effective in mitigating the risks related to the processes included in the scope of review at a certain point in time. Whether these controls are implemented consistently throughout the year or any period of time is not covered in a Type 1 engagement. It may be argued that this type of report may have limited value from a regulatory perspective but is definitely a good step in moving towards Type 2 certification.

SAS 70 Type 2 audits, on the other hand, reviews controls over a stated period of time, usually six to twelve months.   Type 2 reports are very useful especially if your customers are US SEC registered companies which are required to comply with Sarbanes Oxley 404. A Type 2 report is usually acceptable as evidence that a service organization has adequate controls in place and is operating effectively.

Why should I be interested in SAS 70?

Aside from SAS 70 being a requirement of some customers, below are just some of the common benefits of conducting a SAS 70 examination:

• To minimize business disruption by having a Single Auditor – A service organization’s customer may want to exercise their right to perform audit procedures on the organization. If, let’s say, ten of your customers want to exercise this right, then you will be visited by different sets of auditors 10 times in a year, which potentially may disrupt business operations.

• To implement control and process improvements in the most effective and efficient manner – Different auditors may have varying perspectives on risks and controls thus may raise a problem for management as to which control framework to follow and implement.

• Public relation/marketing – The SAS 70 examination demonstrates the service organization’s commitment to internal control to its customers. 

Is SAS 70 applicable to all service organizations?

No, SAS 70 is not applicable to all service organizations. SAS 70 is only applicable to services provided by a service organization that are part of the user organization’s information system, including:

• Transactions significant to the financial statements

• Procedures that affect transactions

• Records and information that affect transactions

• Methods by which information systems capture events that affect the financial statements

• Financial reporting process used to prepare financial statements.

What does it take to complete a SAS 70 certification?

The service organization can start preparing for a SAS 70 audit engagement by documenting the processes they perform for clients and then identify or define control objectives and control activities to mitigate the relevant risks to their processes. Most of the time, service organizations engage a professional service firm who has strong financial and IT auditing experience to help them draft the control objectives and evaluate whether they have adequate controls in place. In other service organizations, their Internal Audit function can perform this activity.

How much does it cost?

Generally, the main cost drivers for SAS 70 engagements are the number and complexity of the processes and controls under review. Consequently, cost largely depends on the amount of time it takes a service auditor to perform the necessary procedures to render an opinion on the controls placed in operation.

When planning for a SAS 70 engagement with your auditor, you should determine the extent of the controls you want tested or included in the SAS 70 report. You may want to consult your customer if they have specific control compliance requirements which need to be included in the scope of work. Aside from the scope, the timing of the engagement has to be factored in the planning process. For a Type 2 engagement, test periods range from six to 12 months. The longer the testing period, the more hours a service auditor will have to charge for their time.

So what’s the fuss over SAS 70? Because of the Sarbanes Oxley legislation, SAS 70 has become a requirement for companies that provide outsourced data services. As more and more complex processes are being outsourced, the risks associated with them will definitely increase and thus SAS 70 can be loosely likened to a warm glass of milk that service organizations can give to their customers and their customer’s auditors to make them sleep well at night knowing that their processes are managed well and controls are operating effectively.

(Anna Magno-Pabellon is a director for Risk Advisory Services of Manabat Sanagustin & Co., CPAs, a member firm of KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. This article is for general information only and is not intended to be, nor is it a substitute for, informed professional advice. While due case was exercised to ensure the quality of the information contained in this article, readers should carefully evaluate its accuracy, completeness and relevance for their purposes, and should obtain any appropriate professional advice relevant to their particular circumstance. For comments or inquiries, please email [email protected] or [email protected]).