
The Truth About SAS 70

CFOs who put too much trust in this high-profile report may be putting their companies at risk.

David McCann, CFO Magazine
September 1, 2010

Type I is useless?

Sorry William, but I have to disagree. A Type I SAS 70 report is not useless when it is evaluated properly and in the intended context. A Type I report renders an opinion on the DESIGN of the controls. The effectiveness of the controls is not tested, but the reader can get a sense of the overall control environment at a given service organization.

Also, what are the criteria you utilize when evaluating a given TPA for whether or not it is "SAS 70 compliant"? Your point about having to actually read the report is well taken, but the existence of a SAS 70 report does not make the service organization "SAS 70 compliant".

If you assume compliance based on a clean opinion or the lack of any exceptions within the report, you still miss the boat. A SAS 70 report should be read within the context of your user organization and the unique controls required for it. Just because there are no exceptions doesn't mean the service organization has effective controls FOR YOUR ORGANIZATION.

Every SAS 70 audit is unique. The lack of any defined standards is why there is so much confusion in the marketplace around SAS 70 reports and why those of us who have a good understanding of what they are need to be very careful of using phrases like "SAS 70 certified" and "SAS 70 compliance".

Posted by David Barton | Sep 27, 2010 11:47 AM ET

SAS 70 reports usefulness

Both Dave and Chris bring up excellent points.

A SAS 70 Type I report is basically useless for evaluating an individual company's internal controls. A Type II report must also be read in its entirety. There are both time constraints and potential issues that may affect a particular company's internal controls using third-party administrators (TPAs). A TPA can have a positive SAS 70 Type II report subject to noted deficiencies. These deficiencies must be reviewed by the company to determine if they impact internal control for that particular company. If they do, that company is required to implement additional controls to be able to rely on that information.

With that being said, when evaluating TPAs one of the first criteria used is often determining whether or not the TPA is SAS 70 compliant. Most individuals who evaluate TPAs are cognizant of the overall value of a SAS 70 and ignore the overall hyperbole included in marketing verbiage.

Posted by William Tennison | Sep 8, 2010 9:58 AM ET

Response to Chris

Chris, thank you for your well-stated comments. Let me offer the following observations:

-- With regard to Jim Reavis's comment, I don't think it implies that any auditor actually encourages clients to market their SAS 70 reports in a misleading way. Rather, his reference to the narrow scope of auditors' work suggests an opinion that some auditors could more proactively DIScourage service firms from engaging in such marketing.

-- Informed users of SAS 70 audit reports do certainly, as you say, generally understand that service organizations' marketing claims are not a substitute for review of the actual report. But are all users informed? As the article suggests, companies, especially smaller ones, may fail to exercise a proper degree of due diligence on vendors.

-- Similarly, as to the headline, "The Truth About SAS 70" is that some companies may perceive it as something it is not. As you correctly point out, understanding that a SAS 70 audit is not a universal solution to all assessment needs tends to cure a lot of the issues.

Thanks again for writing, Chris.

David McCann
Senior Editor, Technology, CFO Publishing

Posted by David McCann | Sep 1, 2010 1:46 PM ET

Should be titled "The Truth About SAS 70 Marketing"

The content of the article doesn't support the title. A better title would have been "The Truth About SAS 70 Marketing." Although the article provides a fair description of the SAS 70 audit standard, it fails to quote even a single CFO who felt misled by claims of SAS 70 "certification". I would assert that informed users of SAS 70 audit reports generally understand that service organizations' marketing claims are not a substitute for review of the actual report.

The only error I noted is the comment from Jim Reavis that "the auditors are complicit to an extent. They understand the business model of cloud providers, but their own [business model] is to have a narrow scope. There's plenty of blame to go around." You would be hard pressed to find a single significant provider of SAS 70 audit services that encourages their clients to market the audit as a "certification" or make exaggerated claims about the nature of the audit. In addition, there is nothing about a CPA firm's "business model" that narrows the scope of a SAS 70 audit (or SSAE 16 assessment). The audit has a defined purpose, which is the point of the article. It seems odd to criticize that fact in an article about overreaching marketing claims and the misapplication of the standard.

Many companies require assessment on topics outside the purview of a SAS 70 audit (e.g., information security, regulatory compliance, etc.). Plenty of prescriptive standards exist for these purposes; however, none of these assessments result in a report suitable for use by user organizations and user auditors in the context of a financial statement audit. Understanding that the SAS 70 audit is not, and never claimed to be, a universal solution tends to cure a lot of the issues described in this article.

Chris Schellman, CPA, CISSP, CISA, CIA
President
SAS 70 Solutions, Inc.

Posted by Chris Schellman | Sep 1, 2010 11:41 AM ET