Companies which outsource or sub-contract services need to be sure the firms they are using meet with auditing standards, especially if they themselves have to be Sarbanes-Oxley (SOX) compliant. One way is to ensure that service providers have the SAS 70 accreditation. What is SAS 70 and what are its benefits for both service providers and the companies using those services?
Statement on Auditing Standards No. 70 (SAS 70) is an auditing standard developed by the American Institute of Certified Public Accountants (AICPA) to measure a service organisation’s financial and information security controls. A service organisation is a company which provides outsourcing services, such as accounting, credit processing and insurance claim processing.
While SAS 70 was introduced in 1992, ten years before the Sarbanes-Oxley Act (SOX), SOX has provided significant incentive for service organisations to become SAS 70 accredited. This is because SOX requires publicly traded companies in the US not only to comply with SOX themselves, but also to ensure that any service organisations they use has adequate controls in place.
SAS 70 accreditation demonstrates that a service organisation has undertaken an in-depth audit of its controls and systems. For firms required to comply with SOX, SAS 70 is a means of confirming that a service organisation’s security and data protection controls have been suitably audited without the need for the company using the outsourcer to undertake an audit itself.
In particular, the US Securities and Exchange Commission has identified the Type II SAS 70 report as a means for the company’s management to fulfil these requirements. However, while SAS 70 is of particular significance for companies that are required to be SOX-compliant, there are also benefits for other service organisations and their clients as SAS 70 accreditation can reassure clients that a service organisation has adequate systems and controls in place.
SAS 70 audit reports
An SAS 70 audit report shows an outsourcer’s prospective clients that it has been thoroughly checked and has satisfactory controls and safeguards in place for processing and handling information, such as payroll data. It is a third-party certification of its controls and systems.
There are two types of SAS 70 report:
Type I assesses the processes and controls, looking at whether they are correctly described and have been adequately designed to meet their objectives. This includes a report written by the auditor on the organisation’s description of controls on a specific date.
The more rigorous Type II report requires additional proof that the documented processes and controls are being implemented. The report includes the service organisation’s description of controls plus detailed testing of the controls over a six-month period.
No two SAS 70 audits are the same as the report only looks at control objectives as outlined by the individual organisation.
Benefits for service providers
From the point of view of the service provider, SAS 70 offers a number of benefits:
Being SAS 70-compliant creates value for the service organisation by building trust with present and future customers.
Without an SAS 70 report, the provider may have to subject itself to numerous visits from different clients’ auditors, impacting on time and resources. SAS 70 means the provider does not have to answer questions from a number of different audit firms representing a number of different clients – it just submits the SAS 70 report to each one and the client knows the systems can be relied upon.
The report ensures that all customers have access to the same information.
An SAS 70 report conducted by an independent accounting and auditing expert can also suggest areas in which the service provider can improve its procedures.
BRAL, a UK-based provider of outsourced accounting services, became SAS 70 Type II accredited in 2006. Director Jim Brown says the company went for the accreditation because it has a lot of US listed clients who are required to work with suppliers that are SAS 70 accredited or otherwise audited.
“As an accounting provider we obviously hold some key data for firms,” explains Brown. “That could include payroll records and information about profit and loss accounts for their UK operations – these figures can be quite material and significant for the business. The management of a US business has to be satisfied that we have controls in place; otherwise they should not be using us. If we were not SAS 70 accredited, theoretically their auditors in the US would not only have to audit the client – they would have to come and audit us as well.”
There are also perceived benefits for clients outside of the US as the report confirms that a certain level of controls is in place.
Achieving SAS 70 accreditation
Becoming accredited can be time-consuming, but once this has been achieved, subsequent renewals are a lot simpler. In BRAL’s case, there was a two-week preparation period followed by an auditor going through six months’ worth of data, checking that processes had been followed and documented correctly. “There was a two-week audit focused on questioning staff, which takes two weeks of man-time, and probably another two weeks preparing for it and making sure everything is in place and documented,” says Brown.
Benefits to service users
Finally, companies using the service organisation can also benefit from that organisation’s SAS 70 accreditation in several ways:
The auditor’s report provides the user company with valuable information about the service provider’s controls and, if a Type II report is available, the effectiveness of these controls. This report can go to the user company’s auditors for examination together with its own financial statement.
The company using the service provider avoids costs which would be incurred in sending its own auditors to the service provider if SAS 70 accreditation had not been achieved.
Reduced number of SOX-related queries from auditors (for service users that are required to be SOX-compliant).