Copyright © 2008 ISACA. All rights reserved.

SAS 70 Reports—What Do They Really Tell You?
By Silka Gonzalez, CISA, CISM, CISSP, CITP, CPA


Many organizations outsource some type of information systems (IS) operations to third-party providers, as they can offer a cost-effective alternative to obtaining necessary expertise and expand the range of products and services. However, outsourcing also introduces additional risks that range from having inaccurate information, which could affect financial statements, to serious security breaches. It is critical for the company that provides the outsourcing services to have reliable controls. Organizations that outsource part of their IS operations often rely on Statement of Auditing Standards No. 70 (SAS 70) reports to determine if the third-party providers have adequate controls. Currently, there are serious limitations in the way SAS 70 reports are performed and used. This article examines how SAS 70 reports can be improved and how businesses can use them more effectively.

SAS 70 Reports
SAS 70 reports are provided by independent Certified Public Accountants (CPAs). SAS 70 is one of the auditing standards promulgated by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA). CPAs who perform SAS 70 reviews follow the specifications of the AICPA guide Service Organizations: Applying SAS No. 70, as Amended. There are two types of SAS 70 reports:
• Type I—Provides the independent CPA’s opinion of the third-party provider’s control structure and a description of the implemented IS controls
• Type II—Contains the same information as a Type I report, plus the results of testing performed by the independent CPA to validate the existence, adequacy and effectiveness of the reported controls

The Use of SAS 70 Reports
Because many of the functions performed by third-party providers affect user organizations’ financial statements, auditors performing audits of financial statements need to obtain information about the services and controls of third-party providers. Such information about third-party providers is usually obtained through SAS 70 reports.
When auditors work with publicly traded companies, their work is guided not only by the AICPA’s standards, but also by standards issued by the Public Company Accounting Oversight Board (PCAOB). In May 2007, the PCAOB issued Auditing Standard No. 5, which addresses audits of internal controls (and replaces Auditing Standard No. 2 on this subject). Thus, when dealing with public companies, audits of internal controls need to be consistent with both the AICPA’s SAS 70 and the PCAOB’s Auditing Standard No. 5. Although SAS 70 reports were originally intended for use by auditors while evaluating controls that affect the reliability of financial statements, in recent years, many organizations have been using SAS 70 reports to evaluate whether their third-party providers have sufficient IS controls, such as security access controls, to address regulatory requirements. Thus, the use of and reliance on SAS 70 reports continue to grow.

Recent Concerns About SAS 70 Reports
There is a need for better understanding of the limits of different types of SAS 70 reports. Companies seeking information about their third-party provider’s controls need to be aware of the differences between a Type I and Type II report.

Limits of Type I Reports
SAS 70 Type I reports provide only a generalized overview of the third-party provider’s IS control structure. A company may request a SAS 70 report and receive a Type I report from its outsourcer that does not validate the stated control objectives through testing.

Limits of Type II Reports
SAS 70 Type II reports about a service organization are often insufficient to meet the needs of the company that is receiving the outsourcing services. When a Type II SAS 70 review is conducted, certain control objectives are selected, and then testing is conducted with respect to the selected objectives. However, the selected control objectives often do not address all the essential areas necessary to provide reasonable assurance regarding critical IS controls. Furthermore, in many SAS 70 Type II reports that appear to have addressed adequate control objectives, the level and extent of testing per control objective may not be enough to provide a reliable opinion of the status of essential IS controls.
For instance, a common control objective of a third party that provides data-processing services to small and medium-sized banks would typically state that information security mechanisms restrict system users to only the data files and application functions they are authorized to use. There are a number of ways to test this control objective. It would be insufficient to test this control objective using superficial tests related to the adequacy of password controls; however, SAS 70 reports have been issued with such limited testing. This is a critical control objective that relates to the reliability and integrity of financial and customer data. Proper testing of this control objective requires many more critical security controls in addition to basic password controls.

Limits of SAS 70 Reports
Limits of SAS 70 reports include the following:
• Limited scope with respect to regulatory requirements—There are increased regulatory requirements with respect to internal controls, including controls relating to information systems and security, such as security access controls, that are directly related to the reliability and integrity of financial statements. Businesses have turned to SAS 70 reports to provide some assurances about internal controls. However, some regulatory requirements call for testing of a greater scope and depth than what is usually provided by SAS 70 reports. This is one of the reasons why some SAS 70 reviews lack the proper coverage and testing of key IS controls. A SAS 70 attestation report based on inadequate testing may give a false sense of controls to a recipient who is relying on the CPA’s conclusions.
• Limited CPA training and experience—Currently, most CPAs have not been formally trained to deal with complex automated system infrastructures and their related technical controls. CPAs who provide SAS 70 reports need to have skills beyond general accounting knowledge. Also, CPAs performing SAS 70 audits should have skills and experience with respect to information systems and security. This particular area continues to present a challenge to auditors and to the businesses that rely on the auditors.
• Limited guidance and oversight—While AICPA and the PCAOB have worked to provide auditing standards and guidance, the lack of detailed guidance is one of the reasons that SAS 70 reviews sometimes lack adequate testing of critical IS controls. More detailed guidance and increased oversight would be beneficial, especially with respect to the internal controls that relate to information systems.

Evaluating the Adequacy of SAS 70 Reports
Organizations that outsource IS operations need to ensure that they receive SAS 70 reports that address essential control areas and provide adequate testing coverage of all relevant information systems and security control aspects related to the function being outsourced. To accomplish this objective, outsourcers should consider the following:
• The type of SAS 70 report—Ensure that the organization has a Type II SAS 70 to ensure the testing of key control areas, and evaluate the type of SAS 70 opinion provided.
• The controls selected for testing—Evaluate whether the control objectives covered by the SAS 70 properly address the needs of the business as well as the requirements of relevant laws and regulations. Ensure that the areas of controls in figure 1 are covered, if applicable to the organization. Ensure that all relevant areas of key controls for the business are properly addressed by the SAS 70.
• Scope and level of testing—Evaluate the scope and level of testing to ensure that they are adequate. Also, ensure that the level of testing for each control area is sufficiently detailed to support the overall opinion provided in the report.
• Date of report—Ensure that the reporting period of the SAS 70 is current. There is consensus that reports should not be more than one year old. Also, there is a concern that reports on internal controls should cover the same time period as the financial statements.
• The auditor—Consider whether the SAS 70 was performed by professionals with integrity and the appropriate skills.
• Other types of security testing—Consider asking the third-party provider for reports involving additional testing such as vulnerability assessments and penetration tests (“ethical hacking”).
• Subcontractors—If the third-party provider uses the services of other subservice organizations that affect the business, ensure that the SAS 70 covers key control aspects of the subservice organizations.
• Legal contracts—The organization must ensure that legal contracts with third-party providers indicate the types and scope of audits and technical reviews the organization requires (e.g., SAS 70 Type II, vulnerability assessments, ethical hacking tests). The contracts should state the frequency of the required reports. The contract must indicate that the organization reserves the right to perform its own audits or technical reviews if it is not satisfied with the audits provided by the third party.
It is essential for the organization to assign a person with a strong technical IS control and security background to perform the evaluation of the testing. If the organization does not have the personnel with the skill sets to perform this review, it should consider using an outside consultant with the necessary background for the evaluation.

Figure 1—Areas of Controls
Application System
• System development, implementation and maintenance
• Application documentation
• Quality assurance
Transactions
• Recording
• Data transmission
• Reporting
• Calculations
Security
• Logical security
• Physical security
• Environmental controls
Computer Operations
• System processing
• Operations support
• Operational recovery
• Segregation of duties

Conclusion
Organizations that outsource some type of IS operations to third-party providers need to manage the risks that outsourcing creates. These organizations usually rely on SAS 70 reports to determine if their third-party providers’ internal controls are adequate to manage their risks. In recent years, businesses, regulators, investors and consumers have come to realize how important internal controls are. They are key to the accuracy of financial statements, and the reliability and security of businesses often depend on their effectiveness. SAS 70 reports that evaluate these controls can be a helpful tool, but only if the reports are properly performed and understood.
It is imperative that organizations take a closer look at their SAS 70 reports to identify those reports that are not providing sufficient assurance about the effectiveness of IS controls relevant to the organization’s operations and financial statements. They must also demand SAS 70 reports with more detailed testing of key IS controls when their evaluations indicate that current SAS 70 reports are not providing a sufficient basis to properly evaluate the effectiveness of controls. Additionally, professional bodies such as AICPA and the PCAOB need to provide more guidance and oversight to CPAs who perform IS control evaluations and SAS 70 reviews. CPAs performing and/or evaluating SAS 70 reviews should have formal IS training and knowledge in addition to their accounting background.

Silka Gonzalez, CISA, CISM, CISSP, CITP, CPA is the president of Enterprise Risk Management, one of the leading providers of IT security, audit and risk management services in the South Florida (USA) region. She can be reached at info@emrisk.com.

Information Systems Control Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the Information Systems Control Journal. Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors’ content. Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited. www.isaca.org