
Copyright 2008 ISACA. All rights reserved. www.isaca.org.

SAS 70 Reports: What Do They Really Tell You?

By Silka Gonzalez, CISA, CISM, CISSP, CITP, CPA

Many organizations outsource some type of information systems (IS) operations to third-party providers, as they can offer a cost-effective alternative to obtaining necessary expertise and expand the range of products and services. However, outsourcing also introduces additional risks that range from having inaccurate information, which could affect financial statements, to serious security breaches. It is critical for the company that provides the outsourcing services to have reliable controls. Organizations that outsource part of their IS operations often rely on Statement of Auditing Standards No. 70 (SAS 70) reports to determine if the third-party providers have adequate controls. Currently, there are serious limitations in the way SAS 70 reports are performed and used. This article examines how SAS 70 reports can be improved and how businesses can use them more effectively.

SAS 70 Reports

SAS 70 reports are provided by independent Certified Public Accountants (CPAs). SAS 70 is one of the auditing standards promulgated by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA). CPAs who perform SAS 70 reviews follow the specifications of the AICPA guide Service Organizations: Applying SAS No. 70, as Amended. There are two types of SAS 70 reports:

• Type I: Provides the independent CPA's opinion of the third-party provider's control structure and a description of the implemented IS controls
• Type II: Contains the same information as a Type I report, plus the results of testing performed by the independent CPA to validate the existence, adequacy and effectiveness of the reported controls

The Use of SAS 70 Reports

Because many of the functions performed by third-party providers affect user organizations' financial statements, auditors performing audits of financial statements need to obtain information about the services and controls of third-party providers. Such information about third-party providers is usually obtained through SAS 70 reports.

When auditors work with publicly traded companies, their work is guided not only by the AICPA's standards, but also by standards issued by the Public Company Accounting Oversight Board (PCAOB). In May 2007, the PCAOB issued Auditing Standard No. 5, which addresses audits of internal controls (and replaces Auditing Standard No. 2 on this subject). Thus, when dealing with public companies, audits of internal controls need to be consistent with both the AICPA's SAS 70 and the PCAOB's Auditing Standard No. 5. Although SAS 70 reports were originally intended for use by auditors while evaluating controls that affect the reliability of financial statements, in recent years, many organizations have been using SAS 70 reports to evaluate whether their third-party providers have sufficient IS controls, such as security access controls, to address regulatory requirements. Thus, the use of and reliance on SAS 70 reports continue to grow.

Recent Concerns About SAS 70 Reports

There is a need for better understanding of the limits of different types of SAS 70 reports. Companies seeking information about their third-party providers' controls need to be aware of the differences between a Type I and Type II report.

Limits of Type I Reports

SAS 70 Type I reports provide only a generalized overview of the third-party provider's IS control structure. A company may request a SAS 70 report and receive a Type I report from its outsourcer that does not validate the stated control objectives through testing.

Limits of Type II Reports

SAS 70 Type II reports about a service organization are often insufficient to meet the needs of the company that is receiving the outsourcing services. When a Type II SAS 70 review is conducted, certain control objectives are selected, and then testing is conducted with respect to the selected objectives. However, the selected control objectives often do not address all the essential areas necessary to provide reasonable assurance regarding critical IS controls. Furthermore, in many SAS 70 Type II reports that appear to have addressed adequate control objectives, the level and extent of testing per control objective may not be enough to provide a reliable opinion of the status of essential IS controls. For instance, a common control objective of a third party that provides data-processing services to small and medium-sized banks would typically state that information security mechanisms restrict system users to only the data files and application functions they are authorized to use. There are a number of ways to test this control objective. It would be insufficient to test this control objective using superficial tests related to the adequacy of password controls; however, SAS 70 reports have been issued with such limited testing. This is a critical control objective that relates to the reliability and integrity of financial and customer data. Proper testing of this control objective requires many more critical security controls in addition to basic password controls. A SAS 70 attestation report based on inadequate testing may give a false sense of controls to a recipient who is relying on the CPA's conclusions.

Figure 1: Areas of Controls

Application System
• System development, implementation and maintenance
• Application documentation
• Quality assurance

Transactions
• Recording
• Data transmission
• Reporting
• Calculations

Security
• Logical security
• Physical security
• Environmental controls

Computer Operations
• System processing
• Operations support
• Operational recovery
• Segregation of duties

Limits of SAS 70 Reports

Limits of SAS 70 reports include the following:

• Limited scope with respect to regulatory requirements: There are increased regulatory requirements with respect to internal controls, including controls relating to information systems and security. Businesses have turned to SAS 70 reports to provide some assurances about internal controls. However, some regulatory requirements call for testing of a greater scope and depth than what is usually provided by SAS 70 reports.
• Limited CPA training and experience: Currently, most CPAs have not been formally trained to deal with complex automated system infrastructures and their related technical controls. This is one of the reasons why some SAS 70 reviews lack the proper coverage and testing of key IS controls, such as security access controls, that are directly related to the reliability and integrity of financial statements.
• Limited guidance and oversight: While AICPA and the PCAOB have worked to provide auditing standards and guidance, this particular area continues to present a challenge to auditors and to the businesses that rely on the auditors. The lack of detailed guidance is one of the reasons that SAS 70 reviews sometimes lack adequate testing of critical IS controls. More detailed guidance and increased oversight would be beneficial, especially with respect to the internal controls that relate to information systems.

Evaluating the Adequacy of SAS 70 Reports

Organizations that outsource IS operations need to ensure that they receive SAS 70 reports that address essential control areas and provide adequate testing coverage of all relevant information systems and security control aspects related to the function being outsourced. To accomplish this objective, outsourcers should consider the following:

• Legal contracts: The organization must ensure that legal contracts with third-party providers indicate the types and scope of audits and technical reviews the organization requires (e.g., SAS 70 Type II, vulnerability assessments, ethical hacking tests). The contracts should state the frequency of the required reports. The contract must indicate that the organization reserves the right to perform its own audits or technical reviews if it is not satisfied with the audits provided by the third party.
• The controls selected for testing: Evaluate whether the control objectives covered by the SAS 70 properly address the needs of the business as well as the requirements of relevant laws and regulations. Ensure that the areas of controls in figure 1 are covered, if applicable to the organization.
• Scope and level of testing: Evaluate the scope and level of testing to ensure that they are adequate. Ensure that all relevant areas of key controls for the business are properly addressed by the SAS 70. Also, ensure that the level of testing for each control area is sufficiently detailed to support the overall opinion provided in the report. It is essential for the organization to assign a person with a strong technical IS control and security background to perform the evaluation of the testing. If the organization does not have the personnel with the skill sets to perform this review, it should consider using an outside consultant with the necessary background for the evaluation.
• Subcontractors: If the third-party provider uses the services of other subservice organizations that affect the business, ensure that the SAS 70 covers key control aspects of the subservice organizations.
• Date of report: Ensure that the reporting period of the SAS 70 is current. There is consensus that reports should not be more than one year old. Also, there is a concern that reports on internal controls should cover the same time period as the financial statements.
• Other types of security testing: Consider asking the third-party provider for reports involving additional testing such as vulnerability assessments and penetration tests (ethical hacking).
• The auditor: Consider whether the SAS 70 was performed by professionals with integrity and the appropriate skills. CPAs who provide SAS 70 reports need to have skills beyond general accounting knowledge. CPAs performing SAS 70 audits should also have skills and experience with respect to information systems and security.
• The type of SAS 70 report: Ensure that the organization has a Type II SAS 70 to ensure the testing of key control areas, and evaluate the type of SAS 70 opinion provided.

Conclusion

Organizations that outsource some type of IS operations to third-party providers need to manage the risks that outsourcing creates. These organizations usually rely on SAS 70 reports to determine if their third-party providers' internal controls are adequate to manage their risks. It is imperative that organizations take a closer look at their SAS 70 reports to identify those reports that are not providing sufficient assurance about the effectiveness of IS controls relevant to the organizations' operations and financial statements. They must also demand SAS 70 reports with more detailed testing of key IS controls when their evaluations indicate that current SAS 70 reports are not providing a sufficient basis to properly evaluate the effectiveness of controls. Additionally, CPAs performing and/or evaluating SAS 70 reviews should have formal IS training and knowledge in addition to their accounting background. Finally, professional bodies such as AICPA and the PCAOB need to provide more guidance and oversight to CPAs who perform IS control evaluations and SAS 70 reviews.

In recent years, regulators, businesses, investors and consumers have come to realize how important internal controls are. They are key to the accuracy of financial statements, and the reliability and security of businesses often depend on their effectiveness. SAS 70 reports that evaluate these controls can be a helpful tool, but only if the reports are properly performed and understood.

Silka Gonzalez, CISA, CISM, CISSP, CITP, CPA is the president of Enterprise Risk Management, one of the leading providers of IT security, audit and risk management services in the South Florida (USA) region. She can be reached at info@emrisk.com.

Information Systems Control Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the Information Systems Control Journal. Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors' content. © 2008 ISACA. All rights reserved. Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited. www.isaca.org

