SAS 70: Implications for Outsourcing Service Providers!
Kenneth A. Polcyn, Ph.D.
© 2006, Deva Industries, Inc.
Through the years worldwide service providers have executed functions for governments and businesses. But in the second half of the 20th Century a dramatic growth occurred in the business of outsourcing in the United States as well as worldwide as the world economy shifted into high gear. It was in the 90’s that numerous outsourcing service companies emerged to meet the administrative and technical requirements of all sizes of businesses, contributing to reduced company operating costs and increased profitability, and giving rise to providers such as PEO’s, HRO’s, BPO’s, ASP’s and ASO’s. However, the growth in the service provider sector raised concerns about whether outsourcing providers could meet accounting, information protection and other vital transactional requirements critical to an organization’s well being.1 Traditionally service companies relied principally on a few internal experienced and knowledgeable personnel for controls. But when not available there was no assurance controls were repeatable and effective.
As a result, in 1992-93 the Statement on auditing Standards (SAS) No. 70 was created by the American Institute of Certified Public Accountants (AICPA); the purpose being to report on service organization’s internal policies, processes and controls when hosting or processing information /data belonging to customers.2 SAS 70 becomes applicable when auditing the financial statements of a company using outsourcing services that are critical and vital to operations and the bottom line. Nevertheless, the audit is at the discretion of the services user.3 But since its inception SAS 70 has been increasingly imposed on service companies to insure they are meeting financial and information security requirements.
Adding impetus, in 2002 Sarbanes-Oxley Act (SOX) became law requiring SEC-registered, public companies to verify the accuracy of their financial statements so corporate executives cannot manipulate financial and related numbers or functions.4 Moreover, Section 404 of SOX added teeth to SAS 70 audits of, and reporting on, internal controls of outsourcing service provider organizations if what has been outsourced may affect its financial reporting. If so, auditors must verify that the outsourcing provider’s controls meet the SOX/SAS 70 requirements. For example, if a company is outsourcing garbage removal, building cleaning, physical security or vehicle maintenance there may be no applicability. However, if for example they are outsourcing payroll, human resources, 401 (k), medical, workers comp, claims processing or Internet data center, an audit of the service provider will be required and they must be SAS 70 compliant.
Furthermore, if U.S. public companies outsource to service companies or set up offshore companies, for example, in the Caymans, or in India, Philippines, China or Romania… SOX and SAS 70 still apply. Consequently, companies outsourcing administrative or operational processes as well as the outsourcing providers executing the functions that relate to the financial statement are subject to the laws and standards, with U.S. resident companies subject to related penalties should they be derelict.
SAS 70 indicates how an external auditor should assess the internal controls, operational and financial, of an outsourcing service provider delivering these reports to the outsourcer or perhaps others. The AICPA audit guide provides guidance for auditing service companies.5 There are two types of audit reports:6 Type I reflects the opinion of the auditor at a specific point in time addressing a description of the company’s objectives and controls and suitability of control design for meeting the objectives; Type II includes Type I information but goes beyond to test and evaluate the effectiveness of the controls to meet objectives. A Type I audit may take several weeks with a Type II audit lasting several months, but time depends on size, services being provided, and so on. Nevertheless, both Types of audits must be executed. How often should audits be executed? Annually to insure proper controls are in place and adhered to as companies evolve.
Preparing for initial audits can save time and money and increase the odds for continuing successful examinations: 7 First, obtain an AICPA Audit Guide at www.cpa2biz.com or by calling 1-888-777-7077; second, appoint an audit leader and team and have them trained by experts. An SAS 70 audit requires that controls be built on business processes. Consequently, if processes are not documented, that is the third step. Fourth, establish/document process controls with related objectives, policies, procedures and quality standards; fifth educate and train all personnel; sixth insure everyone, management and staff, are adhering to SAS 70 audit requirements by conducting a pre-audit identifying gaps and making adjustments.
Small and mid-sized service providers will more than likely asked whether being SAS 70 compliant is worth the cost of doing business with public companies. But the question really should be…what is the cost of not being compliant…because SAS 70 is not so much driven by law as it is by market forces. The number of companies outsourcing, whether public or non-public, large or small, are growing and are becoming aware of SAS 70 and it’s meaning for them. It demonstrates to the marketplace that the service provider is committed to standards for control of processes, functions and information that have been outsourced to them. More than likely those that are certified will receive increasing business because SAS 70 certification is a standard companies will be looking for when outsourcing.
1 Eugene Tyrrell, “SAS 70 Frequently Asked Questions,” Polarcove.com/whitepapers/sas70FAQ.htm
2 ---- “About SAS 70,” sas70.com/about, 2004.
3 Charles Denyer, “Ask The Auditor: Getting answers about SAS70”, Employee Benefits News, benefitnews.com, September 15, 2006, p. 22.
4 Philip Cronin, Eugene Tyrrell and Bruce Eissner, “SAS 70: Proven Approches for Mid-Sized Organizations,” polarcove.com/whitepapers/sas70approaches. 2006.
5 ----“Service Organizations, Applying SAS 70 No. 70, as Amended: AICPA Audit Guide.” Pub. No. 012772SK.
6 Tyrrell, Ibid.
7 Cronin, et. al., Ibid