SAS 70 reports continue to grow in demand and utility for Sarbanes-Oxley compliance
 

By Mark Stephenson
KnowledgeLeader Contributing Writer

 

  

Since 2002, when U.S. public corporations entered a new and worrisome compliance environment, the era of Sarbanes-Oxley (SOX), they have faced a far more intense focus on the accuracy and transparency of financial information and on evaluating the design and operation of internal controls.

 

As initial compliance efforts mapped out a company's accounting information system, it became apparent to companies with outsourced business processes that external service providers had become a significant component of the company's financial reporting pipeline.

 

With that in mind, internal auditors and compliance personnel sought an effective, efficient, and economical way to obtain information about the internal controls in place at those service providers. Fortunately, a tool already existed: the AICPA's Statement on Auditing Standards No. 70, or "SAS 70."

 

SAS 70 reports immediately proved valuable. For companies outsourcing financial, IT and other business functions to service providers, the SAS 70 delivered vital evidence for compliance. For vendors producing SAS 70 reports, the tool eliminated the need to endure time-consuming, costly and redundant audits demanded by customers anxious to ensure compliance with Section 404. All in all, the SAS 70 standard was the very definition of a "win-win" scenario: the time and cost of a single audit are shared among the service provider and all of its customers.

 

Fast-forward to the present. If anything, outsourcing has accelerated during the two short years since Section 404 took effect. Are companies still finding SAS 70 to be as valuable a tool as they did then? According to people in the know, Corporate America's affinity for the SAS 70 will remain strong as long as outsourcing is as ubiquitous as the air breathed by executives, board members and shareholders.

 

Outsourcing trend driving SAS 70 interest

 

In the view of John Harrison, a managing director in Protiviti’s Houston office, the growing interest in SAS 70 reports is directly related to the steady procession of corporations outsourcing important, but non-core, functions to external service providers.

 

"There is no doubt that segments of Corporate America are continuing the push toward more outsourcing so they can focus on core strategies and competencies," Harrison says. "Outsourcing can be cyclical.  Companies will migrate to an outsourced structure until they experience a negative event and then the trend will reverse to bring processes back under control in-house.  However, in the era of Sarbanes-Oxley, getting burned by an outsourcing vendor on a compliance issue is not a risk that most CEOs or CFOs want to accept."

 

Once seen only as a straightforward auditor-to-auditor communication, the SAS 70 is gaining fans among management at a steady pace.

 

"A few years back, when Sarbanes-Oxley was just getting underway, a client of mine used to receive a SAS 70 report from a vendor to whom they outsourced payroll processing.  They never even looked at the report," Harrison says. "In fact, they did not even break the seal on the envelope before passing it along to their external auditors, because they did not feel it had any utility for management.

 

"Today, that client anxiously waits for the report and is constantly harping on the service provider to get it done in a timely fashion," he says. "The client not only wants to see the overall opinion, but also the individual factors the vendor is testing, and recognizes issues in that report can have an impact on their 404 compliance program.”

 

"In today’s environment, management understands that obtaining and reviewing the SAS 70 reports is not a check-the-box item,” Harrison says.  "It is a critical part of the overall opinion."

 

One company’s experience

 

The report's importance is amplified with each outsourcing vendor a corporation engages, a fact Service Corporation International (SCI) knows quite well. The Houston-based company is the largest provider of funeral, cemetery and cremation services in North America and employs many service providers in the course of its various business activities. The company does business in 48 states, Canada and Puerto Rico and is publicly traded on the New York Stock Exchange. SCI will collect over 44 SAS 70 reports this year.

 

"SCI has embraced outsourcing on a large scale, resulting in more SAS 70 touch points than any company I have seen so far," Harrison says. "Their situation is well ahead of the outsourcing trend many companies are experiencing." 

 

Two factors drive SCI’s extensive outsourcing strategy – the company’s business model lends itself to outsourcing and management has a strong appetite to focus on core competencies, handing off functions that can be distributed to trusted providers. 

 

"Management seeks to achieve a level of quality and economy of resources through outsourcing," says Mark Winburn, IT Internal Audit Manager for SCI.  “When we evaluated our SOX compliance needs and considered the extent of outsourcing in the environment, it was clear there was a need for a consistent and persistent process to request, receive, and review SAS 70 reports.” 

 

Some of SCI’s outsourced functions are the more typical candidates for outsourcing, such as payroll and accounting tasks, and others specifically tailored to its operations, such as the management of trust accounts held for future funeral and cremation services. 

 

"Due to the nature of our business, we have assets held in trust at various banks, all of which feed financial data to SCI through a data aggregator," adds Zoe Nagle, Senior Internal Auditor, SCI. "Many of those banks have sub-providers to which they outsource their own data processing environments and information systems.  Sub-provider reports are additional pieces in the outsourcing puzzle."

 

SAS 70 Type II reports are required

 

Nagle notes that SAS 70 Type II audit reports are the only ones SCI can rely upon for SOX purposes. A Type I report describes the service organization's internal controls at a specific point in time. A Type II report includes the same narrative description of the controls and also details the service provider auditor's testing of those controls over a minimum six-month period.

 

"When a SAS 70 report comes to us, we focus not only on what is in the report, but also on identifying any significant gaps that may exist in the content that might require further action on our part," Nagle says.  "In 2004, we identified a vendor without any consideration of change control.  As a result, we sent an internal audit team to test controls at the provider.  This was a case in which a red flag was not something a report said, but rather something it did not say."

 

In the end, SCI’s careful interpretation of the vendor’s SAS 70 report ended on a positive note for both customer and provider.  “We learned during the visit that they had a change control process, but the documentation was not yet mature enough to pass SOX-level scrutiny.  However, as we had a good working relationship with this provider, they corrected the documentation problem and came back the next year with a more comprehensive report,” says Winburn.

 

"The standard aligns with COSO and reports generally consider all three primary objectives: accuracy of financial reporting, effective and efficient operations, and compliance with laws and regulations. We do see some variability in content, control language, and test procedures performed by the service provider auditors. It is important to remember that service provider management defines which controls will be included in the report and what will receive testing by the service provider auditor."

 

The company’s view:  Trust but verify, be proactive and vigilant

 

SCI built a report collection and evaluation methodology to demonstrate a diligent review that was designed to avoid some “what-could-go-wrong” situations.  It all begins with an internal survey of known providers, which is delivered to company management during mid-year.  This is designed to identify plans for adding or discontinuing providers, and/or other changes.

 

Winburn describes that, “Externally, we seek advance notice regarding the service provider plans, specifically asking about the type (I or II) and timing of the reports (when will the report be available).  We seek a remediation status update on outstanding reported test exceptions.  This occurs mid-year to identify situations where the end-of-year report might not be optimal (for example, not received timely, lacking content, significant issues possibly recurring) and give us some time to respond.”

 

Many of SCI's providers turned to SOX requirements early and made important adjustments, such as moving up their testing window so that reports could be distributed at a time that suits their customers. Winburn observes, "Surprisingly, we still encounter some report timing issues, as our filing dates are moving up. Receiving a SAS 70 report after the requested deadline has about the same utility to the company as receiving no report at all. We got the CFO involved and sent out some correspondence in the first year to lagging providers, to receive reports faster where needed."

 

If SCI finds that significant gaps exist in the report content (such as the items tested), it will open a dialogue with the provider to request additional information and/or testing. Nagle says, "The first year, we shared our detailed analysis with the providers and many made enhancements. Although you may be only one among many customers, you may also be one among many with exactly the same need."

 

There are other situations where changes during the year can create issues.  Some examples include:  new ownership takes over at a service provider and then questions arise as to whether a report will still be available; or a service provider discontinues a sub-service provider that results in control documentation being unavailable. 

 

Nagle keeps the business process owners involved in the report collection effort. Nagle suggests, "We feel it is important the service providers have a clear point-of-contact with the business. At year-end, they assist business management in performing analysis of any deficiencies identified in the report. A report going past its expected due date may indicate the provider is working through some bigger issues and thus delaying the report. In that case, SCI will contact the provider and try to obtain information about the type of report they expect to be receiving."

 

“We also recommend customer-side controls that evidence a level of management monitoring around the business process,” Winburn adds. “This approach can help mitigate the potential impact of receiving a qualified SAS 70 report, something we cannot control, with process monitoring the company can perform.” 

 

Nagle explains, “We review the company’s testing coverage of customer-side controls (user controls) listed in the SAS 70 report.  Language in the report states that such user controls need to be in place for the report opinion on the controls to remain valid.”

 

Winburn concludes, “The collected reports and analysis are provided to the external auditor at points during the year.  It facilitates their procedures to receive consistent documentation.”

 

SAS 70 quality and timeliness as a service differentiator

 

Harrison says that the ability to provide solid, reliable, and timely SAS 70 reports is increasingly an important part of customer satisfaction and marketing for many service providers. 

 

"Many of these service providers perform similar services, with similar pricing and techniques," he says. "Timely delivery of a robust and reliable SAS 70 report can become a true differentiator in many situations."

 

"It has come to a point where our management is requiring any new contract to include a clause requiring the vendor to provide a SAS 70 report in a timely manner," Nagle says. "In our case, our business process owners have come on board and stress that we need to include this in any negotiations with providers." 

 

Winburn adds, “We ask the business to obtain a prior year’s SAS 70 report during the negotiation process, so we can get an early look at the new provider’s reporting capabilities.”

 

Summing up, Harrison reiterates that the role of SAS 70 audits in the ongoing SOX compliance environment will remain strong and is likely to evolve into a position of greater alignment and importance. 

 

"Outsourcing will likely remain strong for the foreseeable future," Harrison says. "As a result, awareness of the SAS 70 report and how it can be utilized should grow as companies look for ways to increase compliance efficiency and effectiveness, and as service providers become more aware of this potent customer service need."


  

Article from Protiviti KnowledgeLeader – www.knowledgleader.com.

 

KnowledgeLeader is a subscription-based website that provides audit programs, checklists, tools, resources and best practices to help internal auditors and risk management professionals save time, manage risk, and add value. Free 30-day trials available.

 

 

Protiviti is a leading provider of truly independent internal audit and business and technology risk consulting services. We help clients identify, measure and manage operational and technology-related risks they face within their industries and throughout their systems and processes. And we offer a full spectrum of audit services, technologies and skills for business risk management and the continual transformation of internal audit functions.

 

Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.