A recent analyst report is reminding the compliance community yet again that so-called SAS 70 reports—the supposedly formal assurances software vendors give to corporate customers about their own internal controls—should be viewed with a skeptical eye.

Analysts Jay Heiser and French Caldwell, both research vice presidents at Gartner, say some vendors (and even some of their customers) treat SAS 70 reports as certifications “proving” the vendor’s compliance with privacy or other regulations, ostensibly to ease the corporate customer’s fears about its own compliance risks when entrusting its data to third parties. In truth, SAS 70 reports are nothing of the sort.

Heiser and Caldwell’s report focuses on vendors in the cloud computing market, where corporations outsource their data storage to independent providers and then access that data through “the cloud” of the Internet. Others, however, have voiced similar concerns about SAS 70 reports for years.

SAS 70 is the Statement of Auditing Standards No. 70, published by the American Institute of Certified Public Accountants. Its true purpose is to offer guidance for a vendor’s auditing firm on how to report on process-related risks relevant to financial statements and transaction processing. A Level I report serves as attestation that the processes as documented are sufficient to meet specific control objectives. A Level II attestation includes an on-site evaluation to determine whether the processes and controls function as anticipated.

SAS 70 Level II audits are the ones most often touted by vendors as proof that they have strong internal controls. But SAS 70 reports (both Level I and II) only provide assurance that the controls examined by auditors are effective—not whether those controls are actually important to give corporate customers peace of mind. The reports are also silent about all of a vendor’s other controls that aren’t audited, and whether any material weaknesses exist there.

The final document is “intended as an auditor-to-auditor report or a service organization report,” says Amy Pawlicki, the AICPA’s director of business reporting, assurance, and advisory services. “It’s not a public-use report, and it’s not something that can be used for marketing purposes.”

According to the Gartner report, however, “Many vendors are using [SAS 70 reports] to imply that they are secure and compliant, some auditors are misapplying it beyond the financial audit realm for which it is intended, and customers are looking to it as a checklist item for compliance with privacy-related regulations.”

“SAS 70 is being used for a lot of compliance and security purposes to which it was never intended,” Caldwell tells Compliance Week. He says the problem is driven by the proliferation of outsourcing, which has corporations scrambling to verify that their outside vendors have the appropriate controls in place to meet the myriad privacy and security regulations.

Worries about “vendor risk” were put under a harsh spotlight in 2008, after a massive accounting fraud was discovered at Satyam Computer Services, one of the largest IT outsourcing vendors in India—which had passed a SAS 70 audit. None of Satyam’s customers ever had their data stolen or otherwise harmed as part of Satyam’s scheme, but the very idea that such a supposedly trustworthy vendor could pull off a fraud like that for so long left compliance executives at U.S. companies aghast.

Beyond SAS 70

The AICPA has actually crafted a successor to SAS 70: the Statement on Standards for Attestation Engagements 16. Judith Sherinsky, a technical manager at the AICPA, says the new standard will be effective for service auditor’s reports for periods ending on or after June 15, 2011, and early adoption is permitted.

Pawlicki says the AICPA also plans to release two new audit guides in early 2011. One is a rewrite of the current SAS 70 audit guide, to provide guidance on examining and reporting on vendor controls that are relevant to customers’ internal control over financial reporting. The other will offer guidance on examining and reporting on vendor controls over subjects other than financial reporting: security, confidentiality, privacy of customer information, and the like.

Until those new standards come into practice, Heiser says some vendors use SAS 70 to fill the gap. He describes it as “putting a square peg in a round hole.” He also argues that while auditors may be able to identify gaps in controls over financial reporting and transaction services, they may not be the best ones to assess risks and gaps in IT controls.

For those companies that do require SAS 70 reports from their vendors, David Barton, a principal at UHY Advisors, says the onus is on those reading the reports to know what they’re looking at. He agrees with Caldwell and Heiser’s contention that vendors are misusing SAS 70 reports as a form of certification.

“There’s a lot of misconception about what it is and what it does,” he says. “When you receive a SAS 70 report, you have to read it and interpret it in terms of what you’re looking for in that company. It may not address all the controls you are concerned about as a customer.”

For instance, he says, a SAS 70 report often doesn’t address the full scheme of a cloud computing system. A vendor might house its servers in an off-site facility, and that location isn’t covered by the report.

MAKING SAS 70 REPORTS USEFUL

Hal Garyn, vice president of North American Services at The Institute of Internal Auditors, offers the following tips on how companies can use internal auditors to add value to a SAS 70 report:

1. Get internal auditing involved at the front end. “A SAS 70 report is basically an agreed-upon procedures review,” Garyn says. “Making sure that the scope is adequately comprehensive to assess those controls your company is relying on is critical.”

2. Get internal auditing involved at the back end. Two key components of a SAS 70 report are deficiency findings at the third party and dependent user controls. Garyn says internal auditing can help create the appropriate tension to be sure the vendor addresses deficiencies and can also make sure any controls that act as the “handshake” controls between the vendor and your company actually exist and work.

3. Be sure executive management and the audit committee fully understand the strengths and weaknesses of SAS 70 reports and understand what reliance they can place on them.

—Melissa Aguilar

Yanan Bledsoe, manager of financial accounting and reporting at Sara Lee Corp., has seen some vendors try to hawk the SAS 70 report as general assurance of their control environment. Sara Lee, however, dictates its own list of control objectives that a vendor has to meet and have certified in its SAS 70 report. The reports are a prerequisite to signing a contract with Sara Lee and must be renewed annually, Bledsoe says. In addition, Sara Lee asks vendors to provide a self-assessment as additional assurance and does independent testing and on-site visits.

“The report provides quality assurance for us for the service provided by the vendor,” she says. “While we still have to do independent testing, getting a SAS 70 report reduces the amount, time, and cost of the independent testing we have to do.”

Caldwell and Heiser say SAS 70 reports are just one of several tools companies can use to evaluate a service provider’s control environment, and they may not always even be appropriate. Other methods include background and reference checks; vendor self-assessments with additional evidence gathered as necessary by the company’s own efforts; or direct controls on the vendor, such as having its employees sign your company’s code of conduct.

They also cite other options for assessing vendor security, such as ISO certifications, BITS Shared Assessments, SysTrust, and WebTrust. BITS Shared Assessments, originally developed to ensure that large banks could comply with vendor risk management requirements of the Federal Financial Institutions Examination Council handbook, has since been expanded beyond banking. It will be updated later this year.

Robert Jones, a senior consultant with the Santa Fe Group, which manages the BITS program, says Version 6.0 of the Shared Assessment tool is due to be published by the end of October and will include guidelines for assessments of cloud service providers.