Companies outsourcing activities to a third party need suitable mechanisms to understand the control environment of their service providers. A popular, expensive and often misused tool for gaining this insight is the Statement on Auditing Standards number 70 (SAS 70) report.
SAS 70 is based on SAS 55 (Consideration of Internal Control in a Financial Statement Audit) and on the Committee of Sponsoring Organisations of the Treadway Commission (COSO) framework. SAS 70 reports come in two formats: Type I and Type II. A Type I report describes the service provider's control activities and gives an opinion on their design at a point in time; a Type II report additionally includes testing of the operating effectiveness of those controls over a period of time (typically six months).
The SAS 70 is actually a hybrid audit that includes many of the audit objectives performed during operational audits with a close secondary focus on the information technology that supports the business process and may even include elements of financial audits.
A SAS 70 can be useful, but only when it is applied with care. Some of the issues are:
- If the service provider defines the scope itself, it is likely to include only those controls with which it feels comfortable. So in my opinion it is the client (the company that outsourced to the third party) that has to define the scope of controls, assets, processes et cetera that are to be audited. To my amazement, a senior KPMG partner recently told me that their practice is to let the supplier define the control scope. As risks (type of event, likelihood and impact) differ among organisations, how can one control environment be generic for all clients of the external service provider?
- If no issues are reported in the SAS 70 report, it is likely that the service provider selected the scope very carefully and left out the complex process activities, as these are more likely to show issues over the testing period (in the case of a Type II report).
- Some service providers market themselves as being "SAS 70 compliant", but there is no such thing as a SAS 70 compliant organisation. SAS 70 does not pre-define a standard set of controls that must be included in the report; that is up to the service provider and the client. This is in contrast to, for example, ISO 27001, which does define a standard control set, although some of the disadvantages of SAS 70 also apply to ISO 27001 (the certified organisation still defines its own certification scope).
- The SAS 70 review is a standard guideline, not a standard audit program. The Big 5 do not use rigid review programs with a fixed audit scope, which is why one SAS 70 review may look quite different from another.
- A SAS 70 report is typically provided once a year, which makes it a very reactive, after-the-fact control.
- My biggest concern, however, is that SAS 70 was created to provide reasonable assurance over the IT controls for applications and infrastructure directly related to financial statements, in other words to reduce the risk of 'material' deficiencies between financial reports and the actual financial situation (post-Enron/SOX Act). But I now see it used to gain assurance over BPO deals that have little or nothing to do with financial statements. In other words, the controls in the report might or might not mitigate the actual risks the client is facing.
There is still value in SAS 70 statements and other types of third party assurance such as ISA 402 and ISAE 3402. But take at least the following into consideration before relying on them:
- Ensure you are closely involved in the scoping of processes, controls, assets, countries et cetera, unless you are sure that the control set in the supplier's standard SAS 70 report covers your risk universe. If there is a mismatch, either require an adjusted scope for the SAS 70 statement or implement additional control mechanisms (other than third party assurance, e.g. regular reporting).
- For high risk areas, do not rely on the standard report the supplier hands out (typically a Type I report, supplied free of charge); if you do use it, verify that your scope is actually included in it.
- A SAS 70 Type II is a very expensive instrument, so use it only for high risk areas. Activities with low inherent risk may not require as much attention or money. Define the scope of the SAS 70 accordingly.
In short: SAS 70 is one of your assurance mechanisms (and an expensive one at that), so use it sensibly. Please let me know if you would like to read more on this subject in future posts.