SAS 70 Weak on Data Security: Experts

"If you’re depending on SAS 70 for assurances around information security, you’re depending on the wrong thing," says one vendor.
Jabulani Leffall
November 27, 2006

Mention the term SAS 70 in a roomful of accountants and business executives, and the conversation is likely to escalate into a chorus of disparate voices, all rendering different takes on the auditing standard.

Indeed, the contentiousness surrounding the auditing standard has deep roots. Underlying the disagreements is an ongoing argument about what the Statement on Auditing Standards No. 70, Reports on the Processing of Transactions by Service Organizations, really covers.

To be sure, it’s clear that SAS 70 calls for a comprehensive report detailing the design, assessment, and effectiveness of a vendor’s internal controls and how they affect financial reporting for clients of the outsourcing services vendor.


But the standard’s origins in the area of technology assessments may have led to misperceptions about the extent to which a SAS 70 audit can help prevent tech-security glitches. Adding to the confusion is the increased globalization of rulemaking and a blurring of the lines between finance and technology department roles, experts say.

What’s more, all of these issues are occurring in the context of the fast-changing world of U.S. regulation. In December, for instance, the Public Company Accounting Oversight Board will update AS2, the standard governing auditor internal controls assessment, and the Securities and Exchange Commission will issue clarifications of section 404 of the Sarbanes-Oxley Act, covering corporate assessments of their own controls. Observers wonder whether such developments will lead to a wider SAS 70 audit scope and a better understanding of why the standard may or may not be needed.

“I envision SAS 70 evolving with AS2 and with new methods of risk assessments that will be outlined by our auditing standards board,” says Judith Sherinsky, technical manager for audit and attestation standards for the American Institute of Certified Public Accountants. PCAOB, under pressure from the SEC, has been looking at ways for auditors to be more selective in their attestation of client internal-controls risks.

Set up by AICPA in 1992, SAS 70 is the spawn of SAS 44, Special Purpose Reports on Internal Accounting Control at Service Organizations. At the time of SAS 70’s inception, electronic data processing was increasingly becoming the function of outsourced vendors who didn’t want auditors from different clients making continual trips to their locations. Thus, guidelines governing mere “special purpose reports,” covering occasional specified outsourcing, evolved into a broader standard.

Amendments to the standard in 2001 solidified the connection between internal controls and financial reporting, adding an IT element to the pronouncement. From 2001 on, a SAS 70 evaluation could reasonably accommodate an audit of a service organization that provided IT hosting, data processing, and other technology services for clients.

Following the August 2002 enactment of Sarbox, which demands corporate assessments of internal controls over financial reporting as well as auditor attestation of corporate clients’ controls reports, SAS 70 has risen to prominence. Since Sarbox offers no guidance about how to audit outsourced controls service providers, the standard has become the de facto guideline for auditing the outsourced service concerns of publicly traded companies.

But there are widespread misperceptions about the standard’s purpose, particularly about what an audit covers in terms of technology activities, some say. “A SAS 70 is intended to be a service-auditor-to-client-auditor communication tool. But some [information technology] people think it affirms privacy and security. It doesn’t,” says Everett Johnson, president of the Information Systems Audit and Control Association in Rolling Meadows, Ill.

For instance, at a company like Vengroff, Williams & Associates, a service group that handles receivables processing for its clients, a SAS 70 would only cover business-process controls pertinent to the revenue cycle. It wouldn’t necessarily cover other areas, like IT, as extensively as a client and its auditor might think.

Gabe Torek, Vengroff’s chief information officer, says that having a SAS 70 to review is important for corporate clients seeking services. “But by no means does it eliminate due diligence,” he said. “If you’re depending on SAS 70 for assurances around information security, you’re depending on the wrong thing.”

Similarly, Stan Lepeak, a former finance executive and current managing director of research for Equaterra, a Houston-based outsourcing consultant to corporations, says that a completed SAS 70 audit may not be enough to deflect regulatory blame if something goes wrong. “It all depends on what service is being outsourced, where the services are being performed, who is performing the service, and the quality of controls in place within the process outsourced,” he says.

Most basically, a vendor must show corporate procurement and finance officers that it has controls over the process entrusted to it in place, vendors and users say. In some cases, the need for the provision of a SAS 70 audit is written into service-level agreements between companies and outsourcing organizations.

The distinctions between vendors and outsourced vendors when it comes to the audit standard can be hard to make, however. On the one hand, for instance, Allianz Global Investors recently completed its SAS 70 audit to convince existing and potential corporate customers in the United States that its controls are up to snuff. At the same time, the German asset-management group also requests SAS 70s from groups to which it outsources some of its processes.

Globalization, too, may complicate matters. Gesa Walter, Allianz’s spokesperson, said the company’s multi-national clients and partners are operating in an integrated way, and that as international standards are spliced with SAS 70 and new controls for information technology are added, a globally accepted framework will materialize.

Another source of complication may be an ongoing disconnect between finance and technology in the minds of audit firms, outsourcers, and corporations looking at outsourcing as an option, according to Vince Laino, the CFO of Weston Solutions, a West Chester, Pa.-based environmental consultant.

The finance chief believes that misconceptions about the dividing line between the two departments are a continuing source of mix-ups over SAS 70. “You have to know how [finance and information technology] work together in order to make an effective evaluation. And that’s from a corporate standpoint and a vendor standpoint. Everybody has to know what controls apply to what processes and, for that matter, what information is important to their respective business goals,” he says.

But techies get turned off when they hear about the stress SAS 70 audits are placing on financial controls, notes Tommie Singleton, a professor of information systems and accounting at the University of Alabama at Birmingham. “I think once people understand the balance between the money and the systems the money flows through with the business processes that serve as the conduit for both, they can interpret SAS 70 a little better,” he says.

Nevertheless, lingering drawbacks remain in the audits, and corporations looking at SAS 70 need to be aware of those shortcomings, experts say. First, the outsourcing services auditor only reviews controls deemed relevant by the services provider.

Further, the services auditor makes one overall evaluation rather than expounding on the environment control by control. And finally, the corporation’s auditors may not concur with the service auditor’s findings, or worse, they might just look for a clean opinion, locate it, and stow the document away without reading further. Thus, compliance experts suggest, the best tip for corporate executives struggling to understand the implications of a SAS 70 audit might be the most obvious one: read the darned thing.