What SAS 70 can do for you

Many companies outsource support and backroom-operations functions to third-party service providers (service organizations). This option allows companies to invest their resources in providing core services to their customers and often provides access to state-of-the-art technology and processing capabilities, best practices and an overall reduction in costs. The types of services being outsourced include information technology support, payroll processing, claims processing and financial custodial services.

User organizations (companies using the services provided by a service organization) can select from numerous organizations and services. Once a service organization is selected, a user organization must have a process in place to monitor the performance of the service organization and evaluate internal controls of the service organization.

“Historically, companies have conducted site visits, performed audits and/or requested documentation to ensure their outsourcing partners are serving their needs properly,” says David Guenther, director of comprehensive risk services at Alpern Rosenthal. A SAS 70 Review is designed to serve both the needs of the user organization and the service organization, says Guenther.

Smart Business spoke with Guenther about the SAS 70 Review, what the review offers user organizations and how it can be used as a self-evaluation tool to improve the services offered by the service organization.

What is the SAS 70 Review?

The American Institute of Certified Public Accountants Statement on Auditing Standards 70 defines the professional standards used by a service auditor to assess the internal controls of a service organization and issue a service auditor’s report.

There are two types of reviews. A Type I Review describes the service organization’s controls and evaluates if the controls are adequately designed and in place. A Type II Review includes the elements of a Type I Review and tests the controls to determine if they are functioning as designed.

How do SAS 70 Reviews benefit a company?

A SAS 70 Review reduces the number of auditor visits and inquiries a service organization will field from its customers. It provides a uniform presentation of its internal control procedures to which all user organizations have access. It can also be used as a marketing tool for the service organization to differentiate itself from the competition and possibly provide a competitive advantage.

A user organization is able to obtain validation by the CPA firm on the internal controls that are in place at the service organization. It eliminates the need for the user organization to perform an audit of the service organization while still providing a comfort level with the service organization’s procedures and internal control. The SAS 70 Review often provides more information for an organization than a user would obtain if it performed an audit itself.

Given all of the regulatory and compliance challenges companies face today, it is important to understand the internal controls in place at your service organizations. It is a good business practice to have some mechanism in place to monitor their performance and internal controls to ensure they continue to meet your needs and do not expose you to unnecessary risks.

What parts of the SAS 70 Review are critical for a company to review?

Elements of internal control — It is important to gain a keen understanding of the service organization’s structure, which includes control environment, risk assessment, control activities, information and communication, and monitoring.

Systems development life cycle — A cornerstone piece of this document lies within the processes that take place throughout the different cycles. In particular, attention is paid to the controls in the design cycle, development cycle and testing cycle.

General computer controls — General controls are perceived as the vital framework that must be in place for the success of application controls. General controls can be found in operation of the information technology function and information technology security.

Additional general controls — A number of general controls outside the actual computer transactions arena are deemed vital for discussion in a SAS 70 report. They may include data center security, storage and disposal security, other physical security concerns, personnel security and business continuity/disaster recovery.

Application controls — The objectives of application controls, which may be manual or programmed, are to ensure the completeness and accuracy of the records and the validity of the entries made from both manual and programmed processing. Both Type I and Type II SAS 70 reports should contain a detailed examination of application controls.

DAVID GUENTHER is the director of comprehensive risk services at Alpern Rosenthal. Reach him at [email protected].