cfo.com

Print this article | Return to Article | Return to CFO.com

Thoughts on SAS 70

Readers debate the merits, and marketing, of SAS 70 audits, and comment on a range of other topics.
CFO Readers, CFO Magazine
October 1, 2010

CFO welcomes your letters. Send them to: The Editor, CFO, 51 Sleeper St., Boston, MA 02210

E-mail us at ScottLeibs@cfo.com, or contact a specific author by clicking on his or her byline. You can also post a comment directly on CFO.com by clicking on the appropriate link at the end of any article.

Please include your full name, title, company name, address, and telephone number. Letters are subject to editing for clarity and length.

 


 

Regarding "The Truth About SAS 70" (September), a SAS 70 Type 1 report is basically useless for evaluating an individual company's internal controls, and a Type 2 report must be read in its entirety. There are time constraints and other issues that may affect a particular company's internal controls using third-party administrators. A TPA can [receive] a positive SAS 70 Type 2 report subject to noted deficiencies. These deficiencies must be reviewed by the company to determine if they affect internal control for that particular company. If they do, that company is required to implement additional controls to be able to rely on that information.

That said, when evaluating TPAs, one of the first criteria often used is to determine whether or not the TPA is SAS 70 compliant. Most individuals who evaluate TPAs are cognizant of the overall value of a SAS 70 and ignore the overall hyperbole included in marketing verbiage.

William Tennison
Via E-mail

 

A better title for the article would have been "The Truth about SAS 70 Marketing." Although it provides a fair description of the SAS 70 audit standard, the article fails to quote even a single CFO that felt misled by claims of SAS 70 "certification." I would assert that informed users of SAS 70 audit reports generally understand that service organizations' marketing claims are not a substitute for review of the actual report.

I also take issue with the comment by one of the quoted sources that, "the auditors are complicit to an extent. They understand the business model of cloud providers, but their own [business model] is to have a narrow scope. There's plenty of blame to go around." You would be hard-pressed to find a single significant provider of SAS 70 audit services that encourages its clients to market the audit as a "certification" or make exaggerated claims about the nature of the audit.

Many companies require assessment on topics outside the purview of a SAS 70 audit (for example, information security, regulatory compliance, and so on). Plenty of prescriptive standards exist for these purposes; however, none of these assessments result in a report suitable for use by user organizations and user auditors in the context of a financial-statement audit. Understanding that the SAS 70 audit is not, and never claimed to be, a universal solution tends to cure a lot of the issues described in this article.

Chris Schellman
President
SAS 70 Solutions Inc.
Tampa

 

The author replies:
The comment cited in reference to the narrow scope of auditors' work suggests an opinion that some auditors could more proactively discourage service firms from engaging in such marketing. Informed users of SAS 70 audit reports do certainly understand that service organizations' marketing claims are not a substitute for review of the actual report, but are all users informed?

As the article suggests, companies, especially smaller ones, may fail to exercise a proper degree of due diligence [regarding] vendors. The truth about SAS 70 is that some companies may perceive it as something it is not. As these letters correctly point out, understanding that a SAS 70 audit is not a universal solution to all assessment needs tends to cure a lot of the issues.

 


 

The Importance — and Complexity — of Capex

Your September cover story, "Captains of Capex," was an excellent article with very productive examples of strong, purposeful reinvestment strategies. It is true that companies need to be very efficient in how they deploy capital but at the same time they must be eager to deploy capital, often large quantities of capital, in ways that build and reshape the business for the longer term.

Far too many companies have squeezed out extra cash flow by downsizing capex budgets to deal with the current economic tightness, or, worse, as the result of an excessive ongoing focus on period-by-period free cash flow. These companies' management must learn that capex, and other investments in the future such as cash acquisitions, R&D, advertising, and training, can be critical to delivering long-term value creation. Cut these budgets too far and risk limiting the value-creation potential of the enterprise.

Our research shows a positive relationship between the reinvestment rate and total shareholder return. We studied five-year periods using the largest 1,000 nonfinancial U.S. companies and found that the greater the proportion of cash flow that is plowed back into the business, the higher the total shareholder return in terms of dividends plus capital gains. Sure, there are companies that overinvest and destroy value, but, on average, high reinvestment helps share prices more than it hurts. (For more, see "Are Buybacks the Best We Can Do?" at http://www.fortuna-advisors.com/buybacks.html)


Gregory V. Milano
Co-Founder, Managing Partner, and CEO
Fortuna Advisors LLC
New York

 


 

Flextime and Your Career

As a former chief financial officer, I remember many days when I spent almost all of my time on the telephone or using e-mail and the computer ("The Perils of Flextime," July/August). On those days it didn't matter where I was; I could have done the work anywhere — in the office, in my home, or at the beach.

At the beginning of your career, it is probably more important to be physically at the office, but as you progress in your career, it should become more possible to work remotely. And especially when you reach the position of CFO, you should have the flexibility to do your work in various locations, and not necessarily the office.

In the normal course of business, a CFO should be able to work remotely at least two or three days a week. Meetings can be scheduled on the days that you're in the office. I think that Karen Seminara of Bravo Network has the right idea, and I would hope that other companies would begin to follow the lead of NBC, Prudential, and Plantronics, as highlighted in your article.

But in order for the CFO to have this kind of flexibility, it is critical that the right finance team be put in place. And, of course, if there is a crisis or some other critical situation that needs immediate attention, the CFO and other finance staffers will need to do whatever is necessary to get the job done.

Edward Safran
Managing Partner
Omega Options Trading Group
Chelmsford, Massachusetts




CFO Publishing Corporation 2009. All rights reserved.