SAS 70 Audits
Collector, Mar 2008 by Kaplan, Nancy
Conducting a SAS 70 audit provides assurance to clients that internal controls are operating effectively
Because creditors are increasingly concerned with data security, many require collection agencies to perform a SAS 70 audit. Several events are responsible for this client-driven requirement, including the introduction of Section 404 of the Sarbanes-Oxley Act, which mandated that all publicly traded companies obtain a SAS 70 audit; provisions of the Health Insurance Portability and Accountability Act; and increased data and identity theft. SAS 70 audits provide creditors assurance that their collection agency's internal controls are operating effectively.
Overview of a SAS 70 Audit
Statement on Auditing Standards No. 70 (SAS 70) is an internationally recognized auditing standard that was adopted by the American Institute of Certified Public Accountants in 1992. However, increased outsourcing and the visibility of control requirements introduced in Section 404 of the Sarbanes-Oxley Act have renewed interest in SAS 70 examinations for service organizations.
The Sarbanes-Oxley Act was ratified to rebuild investor trust in public companies' financial reporting processes. Inherent in improved financial reporting is the assurance of reliable and robust internal controls throughout the organization's financial systems. The Act clearly states that outsourcing a business process does not relieve the user organization of the responsibility to ensure adequate controls over the business process.
As a result, organizations want to be assured that their service providers have implemented appropriate controls over business processes and information technology. A SAS 70 audit is the de facto standard for demonstrating the existence and effectiveness of internal controls within a service organization.
Compliance Requirements
Any organization that provides the following services to another organization must comply with the requirements of SAS 70:
* Executes and maintains accountability of transactions.
* Records transactions and processes information.
* Has an effect on the client's financial reporting.
Typical service organizations include application service providers, managed security providers, trust departments, claims processors, clearinghouses, credit processing companies and data hosting facilities. Collection agencies are also included within this definition.
Control Guidelines
Controls are specific to the service being provided and the objectives of the organization. Therefore, there is no formal, published standard for SAS 70 controls. The standard requires the service auditor to report on and test all internal controls relevant to the user organizations. This caveat of relevance requires the service organization and the SAS 70 auditor to use a considerable amount of judgment to determine which controls to include in the report. However, there are several generally accepted guidelines that can be useful in preparing for a SAS 70 examination.
* The IT Governance Institute has published a comprehensive framework of control objectives: Control Objectives for Information and Related Technology (COBIT). In addition, the guide IT Control Objectives for Sarbanes-Oxley is available to address the specific requirements introduced in Section 404 of the Sarbanes-Oxley Act.
* The International Standards Organization (ISO) has published a comprehensive set of best-practice controls for information security, titled ISO-17799.
* The American Institute of Certified Public Accountants has published a guide for service agencies and auditors of service agencies: Service Agencies: Applying SAS No. 70, as Amended.
Importance of IT Governance
For many organizations, information and the technology that supports it represent their most valuable, but often least understood, assets. These organizations must also understand and manage the associated risks, which are heightened by increasing regulatory compliance demands and by the critical dependence of many business processes on information technology (IT).
The need for assurance about the value of IT, the management of IT-related risks and increased requirements for control over information are now understood as key elements of enterprise governance. Value, risk and control constitute the core of IT governance. IT governance is the responsibility of executives and the board of directors, and consists of the leadership, organizational structures and processes that ensure the enterprise's IT resources sustain and extend the organization's strategies and objectives.
Furthermore, IT governance integrates and standardizes good practices to ensure that the organization's IT resources support the business objectives.
Controls over IT should fit with and support the Committee of Sponsoring Organizations of the Treadway Commission's Internal Control-Integrated Framework, which is a widely accepted control framework for enterprise governance and risk management.
Organizations should satisfy the quality, financial and security requirements for their information, as for all assets. Management should also optimize the use of available IT resources, including applications, information, infrastructure and people.