This article is based on the challenges one organization faced in assisting customers as well as its business lines in making a rational decision on which business projects and subprocesses to include and exclude from the purview of a Statement on Auditing Standard (SAS) No. 70 assessment. SAS 70 is developed and maintained by the American Institute of Certified Public Accountants (AICPA).
This article aims to shed some light on the problem and to help compliance professionals at user and service organizations arrive at a selection of projects for a SAS 70 assessment that is acceptable both internally and externally.
A Short Primer
A SAS 70 Type I report describes the service organization’s controls at a specific point in time (e.g., 30 June 2007). Typically, business process control objectives are established to ensure:
- Input/output (I/O) authorization
- I/O accuracy
- Completeness of processing
A Type II report includes not only the service organization’s description of controls, but also detailed testing, i.e., validating control effectiveness, of the service organization’s controls over a minimum six-month period (e.g., 1 January 2007 to 30 June 2007).
Figure 1 gives an overview of SAS 70 and the types of reports.
Ideally, the user organization’s auditor would prepare a list of controls for outsourced processes, and send them to the service organization and the service auditor for validation. However, in reality, the contract or service agreement may mention only at a high level that a SAS 70 report is to be published annually, with no indication as to which business processes or what control objectives need to be assessed. This can lead to a lot of confusion while defining and finalizing the scope of a SAS 70 assessment.
Applicability of SAS 70
The guidance in SAS 70, Service Organizations, as amended (AICPA, Professional Standards, vol. 1, AU sec. 324), is applicable to the audit of the financial statements of an entity that obtains services from another organization that is part of the user organization’s information systems. Based on the criteria as defined in the SAS 70 audit guide, “controls at the service organization may be part of a user organization’s information system in the context of an audit of the user organization’s financial statements.” The controls do not include service organization controls that are not relevant to a user organization’s information system. Thus, not all outsourced businesses, processes or controls at the service organization need to be assessed. Ideally, outsourced business processes that could impact the user organization’s financial reporting systems need to be considered for review.
Typically, one or more of the following situations colors the decision processes and causes the scope of SAS 70 Type II reviews to grow large and unwieldy.
One method is the “blanket” or “machine gun” approach, which means to cover all projects within the business, so there is no danger of missing anything. However, an issue with this approach is the time and effort expended to document and test control objectives and controls that the service organization is aware of or thinks are appropriate. Later, it comes to light that many of these “controls” are in addition to upstream or downstream controls that reside at the user organization and their effectiveness is not visible to the service provider or its auditors, which results in many subprocesses with control failures that must then be revisited and, in most cases, documented as user control considerations (UCC).
SAS 70 Certification
Oftentimes, the business lines, marketing team and prospective clients ask if they can be shown an organizationwide SAS 70 certificate. The challenge here is that, in an IT service organization that provides a bouquet of services (e.g., application development, maintenance, testing, back-office operations, managed infrastructure services, consulting) to a variety of industries (e.g., aerospace, healthcare, retail, banking, insurance), each business line supports multiple clients. Sharing a report containing process descriptions and the control environment of several user organizations would be a breach of confidentiality.
A SAS 70 report is business- and customer-specific; therefore, unless the vendor organization caters to just one customer and one business line, an organizationwide SAS 70 is impractical.
For assurance on a vendor’s information security practices, an ISO 27001 certification, from the International Organization for Standardization (ISO), which considers the information security controls implemented within the vendor organization, would perhaps be of more value to a prospective customer.
Many audit firms “sell” their SAS 70 service offering as a product. Service organizations are often under the impression that they can use the SAS 70 report as a marketing tool to obtain new customers. A SAS 70 report is customer-specific and confidential.
SAS 70 Provides Information Security Assurance
To an extent, the service organization’s information security controls (also known as general computer controls [GCC]) are assessed. But the primary objective of a SAS 70 assessment is to provide assurance to the user organization’s auditor that control objectives and controls that ensure the proper authorizations for business process inputs and outputs (that could impact the user organization’s financial reporting) are in place.
The GCC section is only a subset of implemented controls for that specific business process. The GCC review typically would cover physical security and technology controls that could impact financial reporting and not the service organization’s overall information security risk environment.
A SAS 70 review is a valuable tool that helps the user organization’s auditors gain insight into the control environment at the service organization, which would otherwise be invisible to them. A SAS 70 review is meant to provide assurance that the vendor’s control environment for outsourced business processes is designed suitably and functioning effectively. Ideally, a SAS 70 report should not be used to assess an organization’s information security practices.
American Institute of Certified Public Accountants, Audit Guide for Service Organizations Applying SAS No. 70, 1 May 2006
The author has developed an Excel-based tool that attempts to assess projects/business processes and ease the scoping decisions based on the criteria defined in the SAS 70 guide. The decision logic and selection criteria behind the tool are shown in figure 2.
The views and approach expressed here are solely the author’s. The approach tool is a starting point and is not to be considered as a definitive approach to SAS 70 scoping or assessment. Various guidelines have been published by relevant authorities to aid both the service and user organizations; please refer to those when making decisions. Readers are free to use and improve upon this approach; the author would greatly appreciate readers’ views, feedback and comments at email@example.com.
Jose K. Samuel, CISA, CISSP, GCIH, is an electronics engineering graduate, with more than 17 years of information technology experience. He is currently senior manager, information security, with HCL Technologies Ltd., in the Financial Services Division, and is based in Bangalore, Karnataka, India. His responsibilities include managing the firm’s information security audits and ISO 27001 compliance initiative, delivering business continuity solutions to business lines, conducting information security awareness programs, and driving the SAS 70 initiative. Samuel is also an active member of the ISACA Bangalore Chapter; he served on the chapter board as webmaster in 2006-07 and is currently the chapter secretary. He may be reached at firstname.lastname@example.org.
Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the ISACA. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.