Many organizations outsource some type of information systems (IS) operations to third-party providers, as they can offer a cost-effective alternative to obtaining necessary expertise and expand the range of products and services. However, outsourcing also introduces additional risks that range from having inaccurate information, which could affect financial statements, to serious security breaches.
It is critical for the company that provides the outsourcing services to have reliable controls. Organizations that outsource part of their IS operations often rely on Statement of Auditing Standards No. 70 (SAS 70) reports to determine if the third-party providers have adequate controls.
Currently, there are serious limitations in the way SAS 70 reports are performed and used. This article examines how SAS 70 reports can be improved and how businesses can use them more effectively.
SAS 70 Reports
SAS 70 reports are provided by independent Certified Public Accountants (CPAs). SAS 70 is one of the auditing standards promulgated by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA). CPAs who perform SAS 70 reviews follow the specifications of the AICPA guide Service Organizations: Applying SAS No. 70, as Amended.
There are two types of SAS 70 reports:
- Type I—Provides the independent CPA’s opinion of the third-party provider’s control structure and a description of the implemented IS controls
- Type II—Contains the same information as a Type I report, plus the results of testing performed by the independent CPA to validate the existence, adequacy and effectiveness of the reported controls
The Use of SAS 70 Reports
Because many of the functions performed by third-party providers affect user organizations’ financial statements, auditors performing audits of financial statements need to obtain information about the services and controls of third-party providers. Such information about third-party providers is usually obtained through SAS 70 reports.
When auditors work with publicly traded companies, their work is guided not only by the AICPA’s standards, but also by standards issued by the Public Company Accounting Oversight Board (PCAOB). In May 2007, the PCAOB issued Auditing Standard No. 5, which addresses audits of internal controls (and replaces Auditing Standard No. 2 on this subject). Thus, when dealing with public companies, audits of internal controls need to be consistent with both the AICPA’s SAS 70 and the PCAOB’s Auditing Standard No. 5.
Although SAS 70 reports were originally intended for use by auditors while evaluating controls that affect the reliability of financial statements, in recent years, many organizations have been using SAS 70 reports to evaluate whether their third-party providers have sufficient IS controls, such as security access controls, to address regulatory requirements. Thus, the use of and reliance on SAS 70 reports continue to grow.
Recent Concerns About SAS 70 Reports
There is a need for better understanding of the limits of different types of SAS 70 reports. Companies seeking information about their third-party provider’s controls need to be aware of the differences between a Type I and Type II report.
Limits of Type I Reports
SAS 70 Type I reports provide only a generalized overview of the third-party provider’s IS control structure. A company may request a SAS 70 report and receive a Type I report from its outsourcer that does not validate the stated control objectives through testing.
Limits of Type II Reports
SAS 70 Type II reports about a service organization are often insufficient to meet the needs of the company that is receiving the outsourcing services. When a Type II SAS 70 review is conducted, certain control objectives are selected, and then testing is conducted with respect to the selected objectives. However, the selected control objectives often do not address all the essential areas necessary to provide reasonable assurance regarding critical IS controls.
Furthermore, in many SAS 70 Type II reports that appear to have addressed adequate control objectives, the level and extent of testing per control objective may not be enough to provide a reliable opinion of the status of essential IS controls. For instance, a common control objective of a third party that provides data-processing services to small and medium-sized banks would typically state that information security mechanisms restrict system users to only the data files and application functions they are authorized to use. There are a number of ways to test this control objective. It would be insufficient to test this control objective using only superficial tests of the adequacy of password controls; however, SAS 70 reports have been issued with such limited testing. This is a critical control objective that relates to the reliability and integrity of financial and customer data. Proper testing of this control objective requires examining many more critical security controls in addition to basic password controls. A SAS 70 attestation report based on inadequate testing may give a false sense of assurance about controls to a recipient who is relying on the CPA’s conclusions.
Limits of SAS 70 Reports
Limits of SAS 70 reports include the following:
- Limited scope with respect to regulatory requirements—There are increased regulatory requirements with respect to internal controls, including controls relating to information systems and security. Businesses have turned to SAS 70 reports to provide some assurances about internal controls. However, some regulatory requirements call for testing of a greater scope and depth than what is usually provided by SAS 70 reports.
- Limited CPA training and experience—Currently, most CPAs have not been formally trained to deal with complex automated system infrastructures and their related technical controls. This is one of the reasons why some SAS 70 reviews lack the proper coverage and testing of key IS controls, such as security access controls, that are directly related to the reliability and integrity of financial statements.
- Limited guidance and oversight—While AICPA and the PCAOB have worked to provide auditing standards and guidance, this particular area continues to present a challenge to auditors and to the businesses that rely on the auditors. The lack of detailed guidance is one of the reasons that SAS 70 reviews sometimes lack adequate testing of critical IS controls. More detailed guidance and increased oversight would be beneficial, especially with respect to the internal controls that relate to information systems.
Evaluating the Adequacy of SAS 70 Reports
Organizations that outsource IS operations need to ensure that they receive SAS 70 reports that address essential control areas and provide adequate testing coverage of all relevant information systems and security control aspects related to the function being outsourced. To accomplish this objective, outsourcers should consider the following:
- The auditor—Consider whether the SAS 70 was performed by professionals with integrity and the appropriate skills. CPAs who provide SAS 70 reports need to have skills beyond general accounting knowledge. CPAs performing SAS 70 audits should also have skills and experience with respect to information systems and security.
- The type of SAS 70 report—Ensure that the organization obtains a Type II SAS 70 report, which includes testing of key control areas, and evaluate the type of opinion the report provides.
- The controls selected for testing—Evaluate whether the control objectives covered by the SAS 70 properly address the needs of the business as well as the requirements of relevant laws and regulations. Ensure that the areas of controls in figure 1 are covered, if applicable to the organization.
- Scope and level of testing—Evaluate the scope and level of testing to ensure that they are adequate. Ensure that all relevant areas of key controls for the business are properly addressed by the SAS 70. Also, ensure that the level of testing for each control area is sufficiently detailed to support the overall opinion provided in the report. It is essential for the organization to assign a person with a strong technical IS control and security background to perform the evaluation of the testing. If the organization does not have the personnel with the skill sets to perform this review, it should consider using an outside consultant with the necessary background for the evaluation.
- Subcontractors—If the third-party provider uses the services of other subservice organizations that affect the business, ensure that the SAS 70 covers key control aspects of the subservice organizations.
- Date of report—Ensure that the reporting period of the SAS 70 is current. There is consensus that reports should not be more than one year old. Also, there is a concern that reports on internal controls should cover the same time period as the financial statements.
- Other types of security testing—Consider asking the third-party provider for reports involving additional testing such as vulnerability assessments and penetration tests (“ethical hacking”).
- Legal contracts—The organization must ensure that legal contracts with third-party providers indicate the types and scope of audits and technical reviews the organization requires (e.g., SAS 70 Type II, vulnerability assessments, ethical hacking tests). The contracts should state the frequency of the required reports. The contract must indicate that the organization reserves the right to perform its own audits or technical reviews if it is not satisfied with the audits provided by the third party.
Organizations that outsource some type of IS operations to third-party providers need to manage the risks that outsourcing creates. These organizations usually rely on SAS 70 reports to determine if their third-party providers’ internal controls are adequate to manage their risks.
It is imperative that organizations take a closer look at their SAS 70 reports to identify those reports that are not providing sufficient assurance about the effectiveness of IS controls relevant to the organization’s operations and financial statements. They must also demand SAS 70 reports with more detailed testing of key IS controls when their evaluations indicate that current SAS 70 reports are not providing a sufficient basis to properly evaluate the effectiveness of controls.
Additionally, CPAs performing and/or evaluating SAS 70 reviews should have formal IS training and knowledge in addition to their accounting background. Finally, professional bodies such as AICPA and the PCAOB need to provide more guidance and oversight to CPAs who perform IS control evaluations and SAS 70 reviews.
In recent years, regulators, businesses, investors and consumers have come to realize how important internal controls are. They are key to the accuracy of financial statements, and the reliability and security of businesses often depend on their effectiveness. SAS 70 reports that evaluate these controls can be a helpful tool, but only if the reports are properly performed and understood.
Silka Gonzalez, CISA, CISM, CISSP, CITP, CPA
is the president of Enterprise Risk Management, one of the leading providers of IT security, audit and risk management services in the South Florida (USA) region. She can be reached at firstname.lastname@example.org.
Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the ISACA. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.