SAS 70: Proven Approaches for Mid-Sized Organizations
By Philip Cronin, CISSP, Eugene Tyrrell, CISSP, and Bruce Eissner

SAS 70 examinations are challenging tasks for mid-sized organizations; but a SAS 70 exercise can also produce significant opportunities, provided that it is approached with the proper perspective and methodology. This paper explores both the benefits and the challenges that SAS 70 certification can bring to mid-sized organizations.

Among the benefits of a successful SAS 70 examination are: distinguishing a company from its competitors, assuring clients that the organization is operating with adequate controls, formalizing processes, mitigating risks and vulnerabilities, and reducing potential liability. These are important outcomes for growing mid-sized organizations.

As a company grows, the informal structures, ad hoc processes, and system of relying on individuals – factors that may have fueled its early development – must also mature. At the same time, the growth-propelling environment and culture of the business needs to be sustained. All of these can present challenges when the formal, structured, and transparent controls requirements for SAS 70 certification need to be satisfied.

Background

Accountability is an increasingly prominent issue for companies operating in the U.S. Regulatory changes, such as the Sarbanes-Oxley Act of 2002 (SOX), now require organizations of all sizes to review, verify and document their internal controls. In addition, companies that outsource business functions are faced with the challenge of validating the accuracy and integrity of third parties’ operations. Third party certification is measured through the Statement on Auditing Standards No. 70 (SAS 70). SAS 70 was initially developed in 1992 by the American Institute of Certified Public Accountants (AICPA) to report on the processing of transactions by service organizations. Since then, demand for SAS 70 reports by public companies from their third party vendors has surged, both as a result of SOX and the related regulations they face and as a result of their increased use of dedicated, expert outsourced services.

In order to meet those demands, SAS 70 examinations must be comprehensive, but they do not need to be formidable. Performed within a proven, robust framework, and conducted under proper guidance from practitioners with operational experience, a SAS 70 becomes an achievable standard, demonstrating vividly an organization’s leadership and its commitment to compliance and accountability.

SAS 70

A SAS 70 is an audit engagement that reviews and tests the effectiveness of a provider’s internal controls based on the AICPA Statement on Auditing Standards No. 70. There are two types of SAS 70 reports. A Type I report includes the service organization’s description of its controls and objectives, and an auditor’s opinion on the suitability of the controls’ design for meeting the specified objectives. The Type I report reflects an opinion that is rendered at a specified point in time.
A Type II report, in addition to the Type I components, includes an actual test and an evaluation of the effectiveness of the internal controls. The Type II attests, with reasonable assurance, to the effectiveness of the controls in meeting the specified objectives over a period of time, typically six months.

Upside

While a SAS 70 requires attestation from a CPA auditor, and is much like a traditional financial audit in that it may expose deficiencies, the SAS 70 process can be the catalyst for significant, long-lasting business benefits. The business advantages of achieving SAS 70 certification fall into two categories:

• What it demonstrates to the marketplace
• Improved operational efficiencies

A SAS 70 certification is a high standard. It represents the company to clients, prospects and competitors. It demonstrates that the service provider is committed to proactively managing accountability and controls. The marketplace can be confident that the third party will render services with an acceptable level of completeness, timeliness and accuracy. It demonstrates that the service provider has established effective control objectives and control activities and is committed to meeting client needs. In addition, a SAS 70 can help reduce customer risk, facilitate the customer’s own compliance activities, and reduce the amount of resources that a customer must allocate to auditing its third party’s controls. Overall, an unqualified SAS 70 opinion differentiates a service provider from its competitors, while it promotes peace of mind and provides reasonable assurance that the provider is trustworthy and reliable.

An in-depth review of controls also provides significant benefits for the internal operation of a mid-sized organization. Within the company, achieving and maintaining SAS 70 certification is a vivid demonstration that the enterprise has established and maintained effective control objectives and control operations. The process may require significant introspection and self-assessment, but the results are likely to provide high-impact, long-lasting benefits and efficiencies within an organization. Mid-sized entities are typically less formal, rely more on the competency of personnel and have less mature processes than larger organizations. The SAS 70 helps those organizations become more process-oriented. It is an avenue for establishing and embedding more formal processes and internal controls and better documentation. Ultimately this leads to a more mature organization – one that is moving from an ad hoc, reactive operation to a proactive organization that uses tried, tested, repeatable processes. Moreover, within the organization, clearly articulated policies and procedures lead to greater awareness of responsibilities, accountability, and overall improved operational efficiencies.

In summary, client confidence, market differentiation, and operational efficiencies make achieving a SAS 70 certification a worthwhile endeavor.

Proven Approaches

Policy Discovery: Policies are an important part of an organization’s IT control structure, and SAS 70 certification requires that an organization’s policies are both appropriate and complete. As companies mature, they need to transform informal policies that are not fully documented into formal ones. A mid-sized organization attempting to achieve its first SAS 70 certification may need to invest some time in documenting policies that have been informal and poorly codified, or it may need to revise or expand existing policies. It should be understood, however, that the need for policy remediation does not imply that the organization is ‘out of control’. In fact, the organization’s IT controls may have evolved based on legitimate business needs and processes, so it is critical not to disrupt those controls. What is necessary is to ensure that those controls and policies are not only adequate, but also embedded in the company’s control practices.

“Policy Discovery” is an effective method to address this challenge. Simply put, the method uncovers the existing processes and procedures that the organization utilizes. Coupled with any existing documented policies, the uncovered processes and procedures are captured and then translated into appropriate and complete policies. When applied properly, Policy Discovery is a proven, cost effective method that helps to ensure minimal disruption to existing business operations.

Policy Harmonization: Many organizations need to meet multiple regulatory requirements. Publicly traded companies must comply with Section 404 of the Sarbanes-Oxley Act (SOX) for IT controls over financial reporting. Many financial firms must comply with the Gramm-Leach-Bliley Act (GLBA) IT controls requirements regarding the protection of customer information, known as Non-Public Information (NPI). Firms in the health care industry must meet the Health Insurance Portability and Accountability Act (HIPAA) requirements for the protection of patient records, known as Protected Health Information (PHI). Add to this the IT control measures for SAS 70 certification as well as numerous industry-specific regulations or standards.

Managed properly, what appears to be an overwhelming and perhaps conflicting regulatory burden can in fact yield efficient IT processes and transparent business operations. What is required, however, is a single, unified set of policies and IT controls appropriate for the business and the set of regulations that it has to satisfy. The SAS 70 project, utilized by management in a proactive manner, can form the basis of a unified set of policies and controls. The SAS 70 audit requires an opinion on the appropriateness of the controls, a test of their effectiveness, and ongoing evaluation of their sustainability. Crafting appropriate SAS 70 controls establishes a base for a comprehensive, auditable, effective framework that supports all of the company’s regulatory requirements.

This is important. A unified approach helps to prevent control independence, where one set of controls is set up to meet a specific regulation, and other controls are established to meet different standards. Control independence leads to control conflict, which leads to control deterioration. With proper guidance, coordinating policies with control activities will strongly support an organization in achieving policy harmonization and regulatory compliance in a comprehensive, unified manner.

Organizational Maturity: As a company matures, it needs to move from relying on individuals for its control policies to assuming corporate responsibility for those policies. A mid-sized, growing organization may still have controls that rely on the experience and knowledge of a few key employees. Unfortunately, when those key employees are not available, the control processes are not always effective. Informal controls based on the knowledge and efforts of individuals, however well-meaning, cannot provide an adequate level of assurance that those controls are repeatable, sustainable, and effective for the long term.

A SAS 70 requires that the controls are built on business processes and not on the efforts of individuals. From a process perspective, using the terms of the highly regarded Capability Maturity Model (CMM) from Carnegie Mellon’s Software Engineering Institute (see www.sei.cmu.edu for more details), an informal process would be considered ‘Stage 1 – Initial and Ad Hoc’. The effectiveness and repeatability of processes at this stage are very low. The SAS 70, which requires that control processes be documented, ideally would be closer to ‘Stage 3 – Defined Processes’. At Stage 3, the processes are defined and proven, and people are trained in the process activities. The effectiveness and repeatability of the processes at Stage 3 are substantially higher.

Again, the SAS 70 project, when utilized by management in a proactive manner, can help the organization advance in the CMM. At minimum, the activity of defining and documenting the controls will move the organization up the CMM ladder. Moreover, significant incremental value can be obtained from training within the organization, not only in the processes themselves, but in getting buy-in from employees, thereby relieving the burden on the few key people. The result will be a control environment that is substantially more process-driven, effective, and sustainable. Performed within an established framework, the SAS 70 audit will move companies towards such a process orientation and promote a sustainable controls environment.

Segregation of Duties: In many mid-sized organizations, overlapping responsibilities may not only be an economic necessity, but may also reflect the dynamic relationships that characterized the company’s origins. However, as the company grows, improperly segregated duties can jeopardize the integrity of key business processes, thereby creating the potential for fraud and malicious acts. SAS 70 examinations require that a company’s policies, procedures and organizational structure promote an environment of control, independence and accountability of important functions and processes. While this can be a challenging requirement for mid-sized organizations with limited resources, it is possible to establish appropriate compensating controls that mitigate the risk. Moreover, these controls can often be initiated with the company’s existing resources. Frequently, using proven approaches, proper internal controls can be implemented in order to ensure the independence and integrity of critical functions and processes, even in the most resource-constrained organization.

The same is true for a company that wants to become leaner and more efficient. Whatever the size of a company, right-sizing and resource optimization often lead to employees taking on additional roles and multiple responsibilities. From an audit perspective, if inadequate segregation of duties is the result, that can impinge on the integrity of key business processes. SAS 70 examinations expect that segregation of duties exists as a means to discourage and prevent fraud and malicious acts. This must be a consideration when employee responsibilities are reassigned or bundled. Appropriate approval procedures and management review need to be maintained so that risks continue to be mitigated, and so that there are sufficient internal controls to ensure the independence and integrity of critical functions and processes.

Summary

Regulatory compliance that requires effective internal controls is a reality in the business world. For mid-sized organizations, meeting regulations and standards can be a daunting task. We have established that, when approached properly, there is significant upside for businesses that achieve SAS 70 certification. Properly conducted, the certification process will yield other benefits, including increased recognition in the marketplace and enduring efficiencies within the business.

To learn more about Polar Cove and SAS 70 preparation, please write to either of the authors, etyrrell@polarcove.com, beissner@polarcove.com, or to info@polarcove.com.

© Copyright Orbidex Inc./Polar Cove, 2006.
