The distinctions between vendors and outsourced vendors when it comes to the audit standard can be hard to make, however. On the one hand, for instance, Allianz Global Investors recently completed its SAS 70 audit to convince existing and potential corporate customers in the United States that its controls are up to snuff. At the same time, the German asset-management group also requests SAS 70s from groups to which it outsources some of its processes.
Globalization, too, may complicate matters. Gesa Walter, Allianz’s spokesperson, said the company's multi-national clients and partners are operating in an integrated way, and that as international standards are spliced with SAS 70 and new controls for information technology are added, a globally accepted framework will materialize.
Another source of complication may be an ongoing disconnect between finance and technology in the minds of audit firms, outsourcers, and corporations looking at outsourcing as an option, according to Vince Laino, the CFO of Weston Solutions, a West Chester, Pa.-based environmental consultant.
The finance chief believes that misconceptions about the dividing line between the two departments are a continuing source of mix-ups over SAS 70. "You have to know how [finance and information technology] work together in order to make an effective evaluation. And that’s from a corporate standpoint and a vendor standpoint. Everybody has to know what controls apply to what processes and, for that matter, what information is important to their respective business goals," he says.
But techies get turned off when they hear about the stress SAS 70 audits are placing on financial controls, notes Tommie Singleton, a professor of information systems and accounting at the University of Alabama at Birmingham. "I think once people understand the balance between the money and the systems the money flows through with the business processes that serve as the conduit for both, they can interpret SAS 70 a little better," he says.
Nevertheless, lingering drawbacks remain in the audits, and corporations looking at SAS 70 need to be aware of those shortcomings, experts say. First, the outsourcing services auditor only reviews controls deemed relevant by the services provider.
Further, the services auditor makes one overall evaluation rather than expounding on the environment control by control. And finally, the corporation's auditors may not concur with the service auditor's findings—or worse, they might just look for a clean opinion, locate it, and stow the document away without reading further. Thus, compliance experts suggest, the best tip for corporate executives struggling to understand the implications of a SAS 70 audit might be the most obvious one: read the darned thing.


Reader Comments
Torpey White
Mar 5, 2007 3:26 PM ET
Understand What you are Getting
When performing a SAS 70 audit, the service auditor has a responsibility to the service organization to indicate … more
Gail Benson
Nov 28, 2006 9:16 AM ET
SAS 70 Scope is Critical
It is important for a company purchasing a SAS 70 audit to be clear on why they are doing it and to concisely define … more