Why are SAS 70 audits so important?
SAS 70 (which is becoming SSAE 16) is an audit that effectively examines a company’s internal control framework. These audits strengthen a service organization’s internal controls and promote change and improvement where they are needed. Working with a SAS 70 audited company gives you the peace of mind that they are constantly looking for ways to improve their service offering and increase client data security.
A brief history of SAS 70 Audits
SAS 70 (Statement on Auditing Standards No. 70) has been around for nearly 20 years. SAS 70 was designed to focus on internal controls over financial reporting. The SAS 70 audit verifies that the controls and processes that the data center operator has in place are followed. The auditor’s consideration of an entity’s internal controls and the impact a service organization may have on the entity’s control environment has long been an area of focus. SAS 70 is widely recognized, because it represents that a service organization has been through an in-depth audit of their control objectives and control activities, which often include controls over information technology and related processes. The Service Auditor’s Report helps a service organization build trust with its user organization or clients and offers valuable information regarding the service organization’s controls and the effectiveness of those controls.
In today’s economy, third-party service providers must demonstrate that they have adequate controls and safeguards when they process data belonging to their customers. Other service organizations that undergo SAS 70 audits include application service providers, bank trust departments, claims processing centers, data centers, third-party administrators, and other data processing service bureaus.
SAS 70 Facts and Questions
1. Who can perform a SAS 70 Audit?
An independent certified public accountant (CPA).
2. What should the service organization look for in the CPA firm that handles the audit?
Experience in performing SAS 70 audits, relevant industry experience, audit professionals who understand the business and its IT controls and processes, availability to deliver the services on time, and project management skills.
3. Does the entire organization have to be audited?
No. Only the divisions that process transactions or provide data processing services for its customers.
4. How often does a service provider go through the audit?
Most service organizations will have the SAS 70 audit conducted annually, because the user organizations and their auditors need assurance that the service organization’s controls are operating effectively for the current fiscal year. The service auditor must conduct a full and complete audit each year and report on the results. The service auditor’s tests will be new every year.
5. Do all service providers have a SAS 70 audit performed?
No, so you may want to request an individual audit. Where the service organization has a small number of clients, individual audit requests may be practical, but with multiple user organizations, accommodating individual audit requests can become cost-prohibitive and affect the bottom line of small companies.
SSAE 16 vs SAS 70
SSAE 16 (Statements on Standards for Attestation Engagements No. 16) is the next generation of American Institute of CPAs (AICPA) auditing standards for service organizations in the United States. SSAE 16 is an improvement on the current standard for Reporting on Controls at a Service Organization, and goes beyond SAS 70 by requiring the auditor to obtain a written statement confirming that the design and operating effectiveness of the controls being reviewed are as described.
The major difference between SAS 70 and SSAE 16 is that management of the service organization will be required to provide the service auditor with a written statement about the accuracy of the description of the service organization’s system; the suitability of the design of the controls to achieve the related control objectives stated in the description; and the operating effectiveness of those controls in achieving the related control objectives stated in the description.
As a third-party service organization, many of your prospective clients will want to review the results of an SSAE 16 audit before deciding to outsource work to you. More often than not, a written document stating the understanding of your control environment is required by client auditors, chief compliance officers, and others. To remain competitive, you need to demonstrate that top-notch internal controls are in place and working.
SSAE 16 is an auditing standard that provides guidance enabling an independent auditor to issue an opinion on a service organization’s internal controls, and it promotes trust among user organizations. Think of SSAE 16 as an annual investment in your company that increases potential new clients, productivity, and accountability.