A SAS 70 is an audit report on the "processing of transactions by Service Organizations", that is, on the controls a service provider operates on behalf of its customers. SAS 70 stands for Statement on Auditing Standards No. 70, issued by the American Institute of Certified Public Accountants (AICPA). (SAS 70 has since been superseded by SSAE 16 and the SOC 1 report, but the reasoning below applies to its successors as well.)
The purpose of a SAS 70 report is to provide an independent, objective and consistent assessment of a service provider's internal controls as they pertain to the services provided to one or more customers (user organizations). In general, the report is relevant when a service provider's services represent audit risk that is material to one or more user organizations.
An important benefit of SAS 70 reporting is the reduction or elimination of over-auditing. For example, a service provider's internal controls may be relevant to the financial statements of several companies (users). Under professional standards, the user auditors are required to understand their client's information system and the internal controls relevant to that system. So when a company uses a third party to process transactions that could be relevant to its financial statements, the user auditors must take steps to understand the controls over the information system provided by that third party. The SAS 70 report lets each user auditor understand the nature of controls at the third party without performing a separate examination. When appropriate, the user auditor can lower its assessment of control risk for the third party, which in turn can reduce the need to test controls there. Note that only a Type II report, which includes the auditor's tests of operating effectiveness over a stated period, supports that kind of reliance; a Type I report covers only the design of controls at a point in time. A SAS 70 can address operational risk as well as financial reporting risk.
Many service providers now try to use their SAS 70 as a marketing tool to differentiate themselves from the competition. However, as more and more providers obtain a SAS 70 because it has become a market necessity, especially in regulated industries, its value as a differentiator is diminishing.
Many service providers approach a SAS 70 with the idea of doing the minimum needed to comply. Doing the minimum may reduce the initial cost of obtaining the report, but it does not necessarily reduce the total cost of ownership. A minimal report can lengthen the sales cycle, because prospective customers cannot map the control objectives it covers to their own requirements. It can also lead them to request their own audit at your site, even though the SAS 70 was designed to make that unnecessary. By understanding what customers actually need, the SAS 70 can be positioned as a marketing tool and a differentiator in the marketplace. Customers do not always need a vendor to have a SAS 70, even though that is what they ask for; what they need to know is whether their regulatory and fiduciary responsibilities are addressed by their service provider.
As indicated earlier in this paper, SAS 70 reports are typically written by auditors to be read by auditors, not by the decision makers in the purchasing process. This usually lengthens the sales cycle and raises the cost of sales, since prospects ask the vendor a number of additional questions to confirm that particular regulations are addressed.
Since the AICPA designed the SAS 70 for use by auditors and never intended it as a marketing tool, the report format is unlikely to change. One alternative is to write your control objectives so that they explicitly identify the regulations they cover. However, some CPA firms may hesitate to comment on controls in terms of a particular regulation or set of regulations, and those that are willing will likely expand the testing they perform, which increases their fees. There are, however, techniques that make it easier to decide whether a SAS 70 is compatible with a particular regulation without adding significant cost or burden for the external auditor:
- Perform an audit of the controls in your SAS 70 against the regulations that your customers and prospects ask about most.
- Identify which regulation(s) are addressed by each control activity.
- Develop the ability to produce a report by regulation.
- Give the report, along with your SAS 70, to your prospects.
This technique does not necessarily create additional liability for the CPA providing the SAS 70, since the auditor is still commenting only on whether the controls meet the stated control objectives. Because the regulation mapping is prepared by the service provider rather than the auditor, it should be presented to prospects as management's own assertion, not as part of the auditor's opinion. It will also make it easier for a prospect to line up your controls against their requirements, shortening the decision-making process and reducing their need for additional information.
Contact Visage Solutions about this and other cost-effective approaches to regulatory and audit problems at info@visagesolutions.com.
About Visage Solutions –
www.VisageSolutions.com
Visage Solutions is a consulting company operating in the areas
of regulatory compliance, risk assessment, information security,
risk management and compliance processes. Utilizing our
proprietary SingleVue™ and OpsAudit™ methodologies, the company
focuses on assisting business entities in mitigating operational
risk. Visage has provided solutions to a client base ranging
from private, entrepreneurial companies to large multinationals.
Our team comprises experienced executives, managers and consultants who can assist clients with the development, implementation and execution of their risk management and compliance strategy.