What is the usability of third party assurance reports like SAS 70?

-

In response to the need to understand the service providers’ control environment, companies turn increasingly to requesting a Statement on Auditing Standards number 70 (SAS 70) report.

SAS 70 is based on SAS 55 (Consideration of Internal Control in a Financial Statement Audit) and on the Committee of Sponsoring Organisations of the Treadway Commission (COSO) framework. SAS 70 reports come in two formats: Type I and Type II. Type I is a description of control activities while Type II includes the testing of controls over a period of time (typically six months).

The SAS 70 is actually a hybrid audit that includes many of the audit objectives performed during operational audits with a close secondary focus on the information technology that supports the business process and may even include elements of financial audits.

A SAS 70 can be useful, but only when it is applied with care. Some of the issues are:

  • If the service provider defines the scope itself, it is likely to include those controls with which it feels comfortable. So the client itself has to define the scope of controls/assets/processes etc that have to be audited.
  • If there are no issues reported in the SAS 70 report it is likely that the service provider selected the scope very carefully and did not include complex process activities as they are more likely to show issues over time (in case of a Type II SAS 70 report).
  • Some service providers may market themselves as being SAS 70 compliant but there is no such thing as a SAS 70 compliant organisation. SAS 70 does not pre-define standard controls that should be included in the report, this is up to the service provider and the client. This in contrast to for example ISO27001 but part of the disadvantages of SAS 70 are also applicable to ISO27001.
  • The SAS 70 review is a standard guideline, not a standard audit program. The Big 5 do not use rigid review programs with a fixed audit scope. This is why one SAS 70 review may appear different from others.
  • SAS70 is typically provided once a year which makes it a very reactive control.

Recommendation
Ensure you are closely involved in scoping or processes, controls, assets, countries et cetera.

Do not rely on the standard report provided by the supplier for high risk area’s (typically type 1 report is for free) and ensure your scope is included in their standard report.

Products and services that are higher in risk require greater control scrutiny, while products and services with low inherent risk may not require as much attention. Define the scope of the SAS70 accordingly.

SAS70 is one of your assurance mechanisms (and an expensive one at that), so use it sensibly. More on the alternatives of SAS70 reports, including my view on ISA 402 and ISEA 3402 here.

Comments

Post a Comment

Popular posts from this blog

Beyond Two-Speed IT – Part 3

-
Summary This blog is about shifting gears and the ability to offer cars in other colors than T-Ford-black. It is the third and last part of a blog focusing on the importance of translating market and business context into the value proposition offered by IT. You can find the first part   here   and the second part   here .   FedEx and UPS dominate their markets,   again   using slightly different value propositions. Compared to UPS, FedEx offers its customer more flexibility at a slightly higher price point. More price sensitive customers opt for UPS and the more standardized value proposition that comes with it. More pronounced is the difference between Walmart and Amazon. The first has its roots in physical retail outlets while the second started as a native digital business model. Differentiation can also be observed at an operational level. Marketeers want to try new things on a daily basis, while the controllers and bookkeepers of the finance and administration (F&
Read more

Beyond Two-Speed IT – Part 2

-
Summary Markets move at different speeds and in different directions, constantly reshaping the technology-related capabilities required by the business. In the second part, the difference between Customer Intimacy strategy and Operational Excellence strategy is used demonstrate that ‘differentiation’ is more than choosing Agile over Waterfall development. The first part of this blog dedicated to market and business context is  here .   Dell was founded in 1984 and was added to the Fortune 500 in 1992. Its key to success was building direct relationships with the customer via the internet. At the time, most competitors targeting consumers via analogue sales channels, such as brick and mortar shops. Selling directly to the customer also enabled Dell to build-to-order instead of the traditional build-to-stock model. It kept waste to a minimum and allowed the customer to choose from a wide selection of configuration options. Dell’s pursued a customer intimacy strategy, cont
Read more

The importance to innovate as a supplier

-
Image
I spoke recently with a senior executive of a small external service provider. A service provider with a staff of 350+ in the year 2000 and some 75 today. So one of the main topics we discussed was how this happened. The founders of the company identified some twenty years ago a software niche in supply chain management. In this period manufacturers and their up-and downstream partners in the supply chain were looking for solutions to exchange information to optimize their logistics processes and stock levels. The founders came up with some very clever concepts and for many years the sky was the limit. What the founders and subsequent managers overlooked however is that every (software) product goes through a lifecycle. And at the end of the lifecycle the software product has become obsolete. It may become obsolete because of not anticipating on evolving functionalities, technologies (e.g. Cobol) or because business models. Functionalities. In the past many software vendor
Read more