Many companies outsource support and backroom-operations functions to third-party service providers (service organizations). This option allows companies to invest their resources in providing core services to their customers and often provides access to state-of-the-art technology and processing capabilities, best practices and an overall reduction in costs. The types of services being outsourced include information technology support, payroll processing, claims processing and financial custodial services.
User organizations (companies using the services provided by a service organization) can select from numerous organizations and services. Once a service organization is selected, a user organization must have a process in place to monitor the performance of the service organization and evaluate internal controls of the service organization.
“Historically, companies have conducted site visits, performed audits and/or requested documentation to ensure their outsourcing partners are serving their needs properly,” says David Guenther, director of comprehensive risk services at Alpern Rosenthal. A SAS 70 Review is designed to serve the needs of both the user organization and the service organization, says Guenther.
Smart Business spoke with Guenther about the SAS 70 Review, what the review offers user organizations and how it can be used as a self-evaluation tool to improve the services offered by the service organization.
What is the SAS 70 Review?
The American Institute of Certified Public Accountants Statement on Auditing Standards 70 defines the professional standards used by a service auditor to assess the internal controls of a service organization and issue a service auditor’s report.
There are two types of reviews. A Type I Review describes the service organization’s controls and evaluates if the controls are adequately designed and in place. A Type II Review includes the elements of a Type I Review and tests the controls to determine if they are functioning as designed.
How do SAS 70 Reviews benefit a company?
A SAS 70 Review reduces the number of auditor visits and inquiries a service organization will field from its customers. It provides a uniform presentation of its internal control procedures to which all user organizations have access. The service organization can also use it as a marketing tool to differentiate itself from the competition and possibly provide a competitive advantage.
A user organization is able to obtain validation by the CPA firm on the internal controls that are in place at the service organization. It eliminates the need for the user organization to perform an audit of the service organization while still providing a comfort level with the service organization’s procedures and internal control. The SAS 70 Review often provides more information for an organization than a user would obtain if it performed an audit itself.
Given all of the regulatory and compliance challenges companies face today, it is important to understand the internal controls in place at your service organizations. It is a good business practice to have some mechanism in place to monitor their performance and internal controls to ensure they continue to meet your needs and do not expose you to unnecessary risks.
What parts of the SAS 70 Review are critical for a company to review?
Elements of internal control
It is important to gain a keen understanding of the service organization’s structure, which includes control environment, risk assessment, control activities, information and communication, and monitoring.
Systems development life cycle
A cornerstone piece of this document lies within the processes that take place throughout the different cycles. In particular, attention is paid to the controls in the design cycle, development cycle and testing cycle.
General computer controls
General controls are perceived as the vital framework that must be in place for the success of application controls. General controls can be found in the operation of the information technology function and in information technology security.
Additional general controls
A number of general controls outside the actual computer transactions arena are deemed vital for discussion in a SAS 70 report. They may include data center security, storage and disposal security, other physical security concerns, personnel security and business continuity/disaster recovery.
Application controls
The objectives of application controls, which may be manual or programmed, are to ensure the completeness and accuracy of the records and the validity of the entries made from both manual and programmed processing. Both Type I and Type II SAS 70 reports should contain a detailed examination of application controls.
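As an added example that is not part of the article or of Alpern Rosenthal’s material, the following Python routine shows what the three application-control objectives named above look like when they are programmed into a batch payment process: accuracy checks on each field, validity checks against an authorised-employee list and a payment ceiling, and a completeness check that reconciles the records received against a record count and hash total declared by the sender. The record layout, the trailer fields, the employee list and the sample batches are all constructed for illustration.

```python
"""Added example (not from the article): programmed application controls
for a batch of payment records, organised by the control objective each
check serves (accuracy, validity, completeness).

All data here is constructed for illustration: the record layout, the batch
trailer (declared record count and hash total) and the authorised-employee
master list are assumptions, not any real payroll system's format.
"""
from dataclasses import dataclass, field
from datetime import date
from decimal import Decimal, InvalidOperation

# Constructed master data: employees authorised to receive a payment, and
# the largest single payment the application will accept.
AUTHORISED_EMPLOYEES = {"E1001", "E1002", "E1003"}
MAX_PAYMENT = Decimal("10000.00")


@dataclass
class BatchResult:
    accepted: list = field(default_factory=list)
    # Each exception is (record number, control objective, message);
    # record number 0 denotes a batch-level (completeness) exception.
    exceptions: list = field(default_factory=list)

    @property
    def may_post(self) -> bool:
        # Only a batch with no exceptions may be posted to the ledger.
        return not self.exceptions


def _parse_amount(text):
    """Accuracy control: amount must be a number with at most 2 decimals."""
    try:
        amount = Decimal(text)
        if amount != amount.quantize(Decimal("0.01")):
            return None
    except InvalidOperation:
        return None
    return amount


def process_batch(records, declared_count, declared_hash_total):
    """Apply application controls to one batch and return a BatchResult.

    records: list of dicts with keys employee_id, amount (str), pay_date (ISO str)
    declared_count / declared_hash_total: trailer values the sender attached
    """
    result = BatchResult()
    received_total = Decimal("0")

    for n, rec in enumerate(records, start=1):
        amount = _parse_amount(rec.get("amount", ""))
        if amount is None:
            result.exceptions.append((n, "accuracy", "amount is not a 2-decimal number"))
            continue
        received_total += amount  # hash total covers everything that parsed
        try:
            pay_date = date.fromisoformat(rec.get("pay_date", ""))
        except ValueError:
            result.exceptions.append((n, "accuracy", "pay_date is not an ISO date"))
            continue
        if rec.get("employee_id") not in AUTHORISED_EMPLOYEES:
            result.exceptions.append((n, "validity", "employee not on authorised list"))
            continue
        if not Decimal("0") < amount <= MAX_PAYMENT:
            result.exceptions.append((n, "validity", "amount outside permitted range"))
            continue
        result.accepted.append({**rec, "amount": amount, "pay_date": pay_date})

    # Completeness controls: what arrived must match what the sender declared.
    if len(records) != declared_count:
        result.exceptions.append(
            (0, "completeness", f"received {len(records)} records, declared {declared_count}"))
    if received_total != Decimal(declared_hash_total):
        result.exceptions.append(
            (0, "completeness", f"hash total {received_total} != declared {declared_hash_total}"))
    return result


# Constructed sample batches used by the demo below.
SAMPLE_BATCH = [
    {"employee_id": "E1001", "amount": "2500.00", "pay_date": "2024-03-29"},
    {"employee_id": "E1002", "amount": "12,50", "pay_date": "2024-03-29"},    # bad number
    {"employee_id": "E9999", "amount": "300.00", "pay_date": "2024-03-29"},   # not authorised
    {"employee_id": "E1003", "amount": "15000.00", "pay_date": "2024-03-29"}, # over ceiling
]
CLEAN_BATCH = [
    {"employee_id": "E1001", "amount": "100.00", "pay_date": "2024-03-29"},
    {"employee_id": "E1002", "amount": "200.50", "pay_date": "2024-03-29"},
]

if __name__ == "__main__":
    for label, batch, count, total in (("sample", SAMPLE_BATCH, 4, "17800.00"),
                                       ("clean", CLEAN_BATCH, 2, "300.50")):
        r = process_batch(batch, count, total)
        print(f"{label}: accepted={len(r.accepted)} may_post={r.may_post}")
        for exc in r.exceptions:
            print("  exception:", exc)
```

The point a Type II reviewer would test is not only that each check exists but that an exception actually stops posting: here every failed check, whether on a single record or on the batch trailer, lands in the same exception list that gates may_post, so a partially processed batch cannot reach the ledger silently.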
DAVID GUENTHER is the director of comprehensive risk services at Alpern Rosenthal. Reach him at email@example.com.