In today’s regulatory environment all companies are facing tougher scrutiny about their IT security measures, financial records and compliance standards. Companies seeking a third-party provider will often rely on a SAS 70 to determine whether the provider has adequate controls. However, SAS 70 reports come with their own set of questions and uncertainty.
In an effort to beef up internal controls and data security, service organizations have sought out SAS 70 reports to demonstrate their level of compliance. When businesses choose to outsource critical processes, the SAS 70 (Statement of Auditing Standards No. 70) helps them assess and select potential providers. This assessment tool can help users identify risks related to financial fraud and data security.
At one point having these audits done was thought of as a differentiator; now acquiring them is almost essential.
The focus on internal controls isn’t new. The first standard, SAS 55 (“Consideration of the Internal Control Structure in a Financial Statement Audit”), was issued in 1988 and required that financial statement auditors assess the internal controls related to any process that might have an impact on their client’s financial reporting.
This created a nightmare for third-party providers. It meant that an outsourcing company providing payroll services to hundreds of businesses, for example, would be examined by the auditors for each customer. SAS 70, issued in 1992, helps them demonstrate the security of their operations while eliminating that swarm of investigators by having one internal control review performed and sharing that report with each requestor.
Technology’s Role
In 2001 an amendment put more focus on the effect of information technology on internal controls. This amendment, known as “SAS 94”, required auditors to look more carefully at technology’s role in the control environment. This meant that SAS 70 reports became more technology-focused and professionals providing them needed more background in information technology.
If you were a data storage company and you didn’t have a SAS 70, all your clients would need to send their IT people to your facility to do their own tests to make sure you were protecting their data. If you were a hedge fund administrator, all your clients (fund managers) and maybe even their clients (institutional investors) would need to send their own auditors to review your procedures and test your controls.
A SAS 70 report frees you from those types of requests.
Will a financial statement audit suffice?
An auditor is required to give an opinion on the design and effectiveness of the company’s internal controls. The internal control assessment in a financial statement audit is only related to controls over financial reporting — controls like segregation of duties, procedures for booking transactions, and reconciling accounts.
The SAS 70 report goes beyond controls over financial reporting, assessing the many other controls that — if they are not operating — can indirectly affect the accuracy of the financial reporting. For example, computer operational controls, if insufficient or not operating properly, could allow hackers to tap into a company’s financial reporting system and commit financial fraud. This in-depth look can have a major impact on mitigating risk.
What’s in a SAS 70?
There are two types of SAS 70 reports, referred to as a “Type I” and “Type II.” For both of these reports the first step is to identify what the outsourced provider determines to be its control objectives. These could include increasing physical security, maintaining environmental security or streamlining computer operations. For example, a control objective for computer operations might be “control activities provide reasonable assurance of timely system backups of critical files, off-site backup storage and regular off-site rotation of backup files.”