Incorporating SAS No. 70 and other third-party reports into a vendor management program

RMA Journal, The, April, 2004 by Joel Lanz

The SAS No. 70 report is a helpful tool for operational risk managers in their management of vendor risk, but it has its limitations. This article explains the problems and suggests a way to use SAS No. 70 as one tool in a comprehensive vendor management program.

If a financial institution (FI) offers any of the services in the box at right, there is a good chance that it contracts with an outsourced third party (vendor) to assist with various elements of the service's delivery. In the never-ending challenge to deliver increasing value to various stakeholders in the face of economic realities, FIs have increasingly turned to vendors to deliver services in a more effective and efficient fashion. And this reliance is no longer limited to back-office, non-customer-facing activities.

As with most opportunities, reliance on vendors creates risk that must be managed. In some cases, regulatory agencies drive the demand for managing vendor risk. In other cases, business common sense and fiduciary responsibilities, including potential legal liability, generate the demand. Well-respected organizations--including the Bank Information Technology Secretariat (BITS), Federal Financial Institution Examination Council (FFIEC), Software Engineering Institute, Information Technology Governance Institute, and the Institute of Internal Auditors--have issued guidance on establishing a program to manage vendor risk. Meanwhile, vendors and other consultancies have issued their own perspective on vendor management due diligence and monitoring. Frequently, this latter perspective espouses the need to leverage the vendor's or consultant's particular area of expertise.

In both cases, however, the discussion of monitoring vendor activity--especially for processing activities related to information technology--includes the Statement on Auditing Standards No. 70 (SAS No. 70). Standards of this kind, issued by the American Institute of Certified Public Accountants, constitute the body of Generally Accepted Auditing Standards. (1)

The basic precept of a SAS No. 70 report is for the vendor to engage a single independent auditor to audit its control environment and produce a report that can be distributed to the vendor's clients (that is, one audit) rather than have each client send its own auditor to audit the vendor individually (that is, multiple audits).

Vendors are quick to proclaim the success of their SAS No. 70 efforts as shown in the following press releases: (2)

* ... it has successfully issued its SAS No. 70 Type 1 report.... The self-initiated audit demonstrates ... commitment to its customers as a reliable, transparent, secure ASP that is focused upon minimizing risk, increasing value, maintaining service availability, and preserving client privacy and data security.

* ... is built on a foundation of values, and two of our most important values are integrity and "customer first." Earning a SAS No. 70 Type 1 certification [demonstrates our] acting on both of these values.

* Protecting customer data is the cornerstone of ... success. Our SAS No. 70 audit is an important way to independently validate how well we manage ... security.

* ... passing the SAS No. 70 ... Type I audit is a key requirement for companies who wish to perform data-center and Web-hosting functions for financial ... or other security-sensitive or regulated organizations. Such institutions can't use ... firms that haven't passed the SAS No. 70 audit.

The mounting responsibilities of operational risk managers and the mandate for FIs to comply with evolving corporate governance initiatives can lead them to rely on their vendor's SAS No. 70 and associated proclamations to manage their vendor risk. Unfortunately, neither the managers nor their auditors may fully understand SAS No. 70, and so they may rely on it alone for assurance that it was never intended to give. If even an auditor may not fully appreciate the true scope of SAS No. 70, it should come as no surprise that an individual regulatory field examiner may also misapply it by insisting that financial institutions pay significant attention to its contents. Then again, maybe regulators understand all too well how financial institutions are using SAS No. 70, and perhaps that is why many FIs are now being encouraged to implement a program to satisfy increasing regulatory expectations for vendor management.

Vendor Management and the Regulatory Environment

Auditors and regulators have long expressed degrees of concern over how financial institutions managed vendors. For example, the 1996 FFIEC IS [Information Systems] Examination Handbook provided significant guidance in provisions that would protect financial institutions and their customers from weak vendors. Yet, pre-2000, many of these professionals experienced significant frustration when they would query FI representatives on their responsibilities for outsourced processing. Examples of typical responses follow:

* We received a SAS No. 70 (and no, we didn't read it) as performed by a large accounting firm. Why do we need to do anything else?
