Sas70 Choosing An Audit Firm

About The SAS70

SAS70 is short for Statement on Auditing Standards Number 70. It defines the standards used by an auditor to assess the internal controls of an organization that provides services. In many cases, the controls that are audited are related to transaction processing, and the transactions are specific to the type of service being provided.

A SAS70 type 1 report is concerned with the controls that are in place in an organization and the auditor’s opinion of the effectiveness of the controls. The type 1 SAS70 report may include background information about a business and its processes, along with a detailed list of controls (broken out into subsections) and information about how the processes are interrelated, along with information about how the controls meet the specified goals.

A SAS70 type 2 report is issues after a period of observation of the practices specified in the type 1 report. The type 2 SAS70 will also include an opinion issued by an auditor on whether the controls were in operation during the observation time period. Type 2 reports are usually issued on an annual basis.

Current SAS70 reports deal heavily with the technology infrastructure being used by the service operation, as most modern service operations leverage information technology to provide the services in question. SAS70 reports are an excellent way to get an understanding of how a potential service provider will be managing the process they have been contracted to provide.

An Example Of A Control Objective

Controls in place provide a reasonable assurance that physical access to the processing center and other sensitive areas is restricted to authorized personnel

Examples of controls that address this objective:

  1. Physical restrictions are implemented and maintained by appropriate personnel.
  2. Physical access is restricted via key lock access.
  3. Key access and alarm codes are issued on an as needed basis only.
  4. Keys are numbered and traceable. Alarm codes are unique and access is logged.
  5. Documented request procedures are utilized for granting, modifying and revoking access to the facilities.
  6. Keys are reclaimed from terminated employees.
  7. Visitors must be accompanied by appropriate personnel.
  8. Visitors are required to sign in at a single point of entry and are required to display a visitor badge.
  9. Visitor badges are numbered and are tracked on issue.

A SAS70 type1 report would define the above controls and define them as approprite for the objective. The auditor would also make sure that that the controls have been implemented by interview, observation and by looking for documentation produced in support of the controls.

Examples Of Individual Control Item Evidence

  • Physical access is restricted via key lock access
    1. Auditor could observe the door has a lock and it functions.
    2. The auditor could try to open the door during a period when it should be locked.
    3. The auditor could note the lock cylinder number and compare it to others in the building. The auditor could photograph the door itself.
  • Key access and alarm codes are issued on an as needed basis only.
    1. The policies related to issuance could be reviewed and a copy taken for the client’s file.
    2. A sample of employees could have their access reviewed and matched up to the needs of their company role.
    3. The auditor could interview a control group of employees and make sure that their perception of their access meets the corporate access granted to them.

 

By taking each control objective, and determining what controls are applicable to each objective, a SAS70 type 1 review can be completed. Each control will be scrutinized not only to how applicable it is to the overall objective, but also to how it is implemented. Finally evidence of the implementation will be gathered, as these will be used during the SAS70 type 2 review. Each SAS70 is different, as controls at one business will not be the same as another.

The Sas70 Type II report

A SAS70 type 2 report is based on a term of observation of the controls defined in the type 1 report. The SAS70 type one had a few outputs- the control objective, the controls, and the evidence that the control had as an output. Going back to the earlier example:

The output of control b is a door was locked, and needed a key to open it.
During long term observation:

  • Is the door continuously locked, or is it left open?
  • Do employees prop the door open at times?
  • Has the lock been changed since the type 1 was performed?
  • Who has been observed opening the door? Is there an audit trail that points to said employee specifically being granted access to the door in question?

 

The output of control c was that keys and alarm codes have been issued within company policy.
During long term observation:

  • Has the company had employee turnover?
  • If so,were the keys recovered?
  • Have employees moved departments or job roles, and if so, is there documentation that the access was changed for a transferred employee?
  • Have employees been observed loaning each other their keys or share alarm codes that should be unique?

 

A lengthy SAS70 type 2 report will be generated based around the auditor’s opinions on whether the controls stated on the type1 are implemented and uses as intended in the daily operation of the service provider. Each control will output an evidence trail, and the auditor’s job is to collect this evidence, and match it up to the controls specified under each SAS70 objective.

Choosing a SAS70 auditing firm

There are a few factors to consider when choosing a firm to perform a SAS70 audit.

  1. The firm’s reputation in the industry -Do they do business in your industry? Some auditors are focused on a specific industry, and choosing one that is in your industry may have a few tangible benefits. They may have experience auditing the specific services provided and have a good idea of what they are looking for before they even walk in the door. This saves time, and auditor time is directly correlated to money. Another benefit is reputation – when presenting a SAS70 review to another firm, the name of the audit firm can provide trust (or the inverse, lack of trust) simply by name alone.
  2. Will the audit firm be sending low level employees to conduct the review, or experienced veterans? This can play into cost again, but an inexperienced auditor will typically be sent back for more or different evidence by the SAS70 audit company’s review process. This is bound to happen, but keeping it to a minimum is a time saver.
  3. Will the company be around long enough to provide a SAS70 type 2 review a few years down the road? Once committed to an auditor, you do not want to switch. Check out the potential company, ask for financials, and perform due diligence – research their reputation and staff. Arthur Anderson once looked like a great company, but their actions at Enron put them out of business. Ask for not only example SAS70 reports they have provided, but a SAS70 that was performed on the potential auditor’s company- they are, after all, a service provider.
  4. Price shop, and do not be afraid to ask for a discount. Obvious enough, but the bigger names are not afraid to start high. Smaller firms are able to discount as well, in an effort to win market share.

 

Compliance and Reasoning For Performing A SAS70 Audit

SAS70 audits can help acheive compliance with the big governmental regulations, such as HIPAA or Sarbanes-Oxley. Some of the ‘quality’ standards, such as the ISO 17799 standard include the SAS70 as part of the process. When dealing with suppliers, many banks are interested in seeing a SAS70 report from a prospective vendor, and some non financial companies also include a checkbox (Has the potential vendor completed a SAS70 review?) as part of an internal vendor risk profile process.