More companies need to provide SAS 70s: Recently, there has been a substantial increase in the need for SAS 70 reports. Much of this need is driven by requirements of the Sarbanes-Oxley Act of 2002. The Sarbanes-Oxley Act (SOX) now requires publicly traded companies (SEC registrants) to certify the design and operational effectiveness of their internal controls environment. Under SOX Sections 302 and 404, a public company’s external auditor must now provide annual opinions about the reliability of the control representations, including IT controls, made by a company’s CEO and CFO. Public companies that use outsourced service providers (formally called Third Party Administrators or TPAs) are not relieved of their requirements for control assurance. The Public Company Accounting Oversight Board (PCAOB) has been very clear on this topic, issuing a statement on March 9 clarifying that the use of service providers does not reduce the responsibility of corporate executives for maintaining effective internal controls. Thus, the service provider’s internal controls must meet a level of assurance similar to that of the public companies they serve. These developments are increasingly causing public companies to require of their TPAs independent verification that their controls environments meet SOX requirements. A SAS 70 report is the most commonly used vehicle for an attestation by a CPA firm that the internal controls as asserted by the TPA are designed and operating effectively. External auditors of public companies are very likely to require a SAS 70 from each of the company’s TPAs. Similarly, TPAs that serve multiple public companies are likely to have to meet SAS 70 requests from each of their clients. It should be noted that in the absence of a SAS 70, a public company’s external auditor may need to conduct direct verification of the TPA’s controls.
As more and more companies fall either directly or indirectly under its influence, SOX Section 404 is becoming a de facto standard for IT internal control assurance within businesses and throughout business relationships. Moreover, as they become standards, SAS 70s are increasingly valuable for private firms planning on going public or preparing to be acquired by a public firm. Quite simply, a SAS 70 bespeaks management’s thoughtfulness and can contribute to speedy due diligence when that becomes necessary. Because they have become standards, SAS 70s are also used by service providers and ASPs as market differentiators that demonstrate a company’s commitment to IT-Security. “Building a trusted online environment should be a significant part of an ASP's business plan,” says Jeff Sopshin, a CPA and Partner with Ernst & Young. “An SAS 70 certification can help build this trust.” Clients need to be continuously reassured that the service is operated in a safe and secure manner. The SAS 70 can provide such comfort. There are other benefits, too. According to Sopshin, many organizations that undergo a SAS 70 audit are able to discover opportunities to strengthen their internal control processes and to find meaningful efficiencies. What’s involved in a SAS 70: A SAS 70 audit or service auditor's examination includes:
There are two different types of SAS 70 Service Auditor’s Reports: A ‘Type I’ report includes the service organization's description of controls and the auditor’s opinion about whether the control design is suitable for achieving the stated control objectives.
A ‘Type II’ report includes the Type I information but goes substantially beyond it by including a control test plan and an evaluation of whether the controls that were tested operated with sufficient effectiveness to provide reasonable assurance that the control objectives were met. Both Type I and Type II imply a timeframe: Type I is a snapshot at a specified point in time, whereas Type II attests that control objectives were achieved during a specified period, usually greater than 6 months. Both Type I and Type II could result in a “Qualified Opinion” from the auditor if the description of controls and/or tests of operating effectiveness do not fairly present sufficient evidence to support the stated control objectives. SAS 70s do not follow a required format nor utilize a specific technical standard. Rather, service organizations are permitted to disclose their control objectives and activities in a variety of fashions and using a variety of technical standards. However, for a SAS 70 to be of benefit to the user organizations (i.e. clients) and their auditors, the service organization should disclose its controls in a manner that satisfies the user auditor's requirements. To do this, the service organization's description of controls should address the five key components of internal control as defined in SAS No. 55 (See Box).
ISO-17799 is "a comprehensive set of controls comprising best practices in information security". It is essentially an internationally recognized generic information security standard. ISO-17799 is often used wherever IT control assurance is needed in an international setting. With the advent of SOX Section 404 in the United States, CobiT (Control Objectives for Information and related Technology, CobiT®) is becoming a more common standard for US firms or service providers to US firms. CobiT is issued by the IT Governance Institute (ITGI®) in association with the Information Systems Audit and Control Association® (ISACA®). CobiT has been developed as a generally applicable and accepted standard for information technology security and control practices that provides a detailed reference framework for management, users, and IS audit, control and security practitioners. This detailed IT-oriented control model is consistent with the more general and enterprise-oriented Committee of Sponsoring Organizations (COSO) model and maps readily to PCAOB and SOX requirements. See the illustration. Scope: In considering the scope of a SAS 70 report it is important to recognize that the SAS 70 is an auditing standard designed to enable an independent auditor to evaluate and issue an opinion on a service organization's controls. Most often the audit report is provided to the service organization's customers ("user organizations") and their respective auditors ("user auditors"). To be effective, the SAS 70 must address the control objectives, the control activities, and the supporting IT systems that impact the user organizations in the view of the user organizations’ auditors. In the case of SOX, the areas that most often need to be addressed are the controls and supporting IT systems that could impact the user organizations’ financial reporting.
A SAS 70 must be carefully planned and ideally should be scoped through a process of communication with the user organizations and opinions from the user organizations’ auditors. A complicating factor for service organizations is that SAS 70s are often required by multiple customers. Moreover, they may not be limited exclusively to addressing SOX regulations. In these cases -- multiple customers or where other regulatory requirements need to be met -- a careful analysis of the scope of work is an essential first step for ensuring that the appropriate sets of controls and IT systems that impact the regulated or sensitive information are fully addressed. Certifications: A SAS 70 audit can only be performed by a certified public accountant or CPA firm. CPA firms that perform SAS 70 audits must be certified and adhere to specific professional standards established by the American Institute of Certified Public Accountants (AICPA®). Often the CPA firm employs non-CPA professionals that have highly specialized information technology and security skills to participate in a SAS 70 engagement. It is prudent to require of IT-Security professionals both experience and certifications, such as the CISSP® (Certified Information Systems Security Professional, www.isc2.org) or the CISA® (Certified Information Systems Auditor, see www.isaca.org).
The SAS 70 Roadmap: Preparing for a SAS 70 requires a structured, measured, step-by-step approach; otherwise an organization will find itself doing either “too much” or “too little”. Thoughtful planning is essential. When clients and vendors are involved, planning will require communication, consultation, and coordination. Service organizations may find that they are required to work under accelerated timeframes because of the regulatory requirements that their clients need to meet. All of these variables must be anticipated in the planning phase, Step 1 in the illustration, which also outlines the general steps involved in both Type I and Type II SAS 70s. (Fig.2) Proven Remediation Methods: During the “Identification of Deficiencies” phase, “Gaps” are often identified. Whenever a Gap is significant and will require remediation, there are a number of practical and cost-effective approaches to remediation:
© Copyright Orbidex Inc./Polar Cove, 2004