SAS 70 Reporting: Increasingly Relevant for Companies That Outsource
Service providers are frequently asked to provide SAS 70 reporting to their customers and prospects. Many times, the rationale for the SAS 70 request is clear and obvious. Other times, it is not so clear. SAS 70 reporting has become increasingly relevant as businesses outsource aspects of their IT environments and business processes. Under the right circumstances, and when effectively deployed, SAS 70 reporting can help a service organization improve and streamline its control structure, strengthen its relationship with its customers, and minimize auditing inquiries from its customers’ auditors.

However, not all forms of third-party support are relevant for SAS 70 reporting. Even though a third party may provide a mission-critical service, that does not necessarily mean the service meets the Applicability Criteria for SAS 70 reporting (the applicability criteria table appears in the TechNews Interactive version of this article). Unfortunately, the SAS 70 report is often misunderstood, and it is not uncommon for customers and prospects of service providers to request (and sometimes demand) an SAS 70 report when it does not apply.

What is the purpose of an SAS 70 report?

The purpose of an SAS 70 report is to provide an independent, objective, and consistent assessment of a service provider’s internal controls as those controls pertain to information services provided to one or more customers (user organizations). In general, the report is applicable when a service provider’s services represent audit risk that is material to the financial statements of one or more user organizations.

An important benefit of SAS 70 reporting is the reduction or elimination of over-auditing. For example, a service provider’s internal controls could be relevant to the financial statements of several companies (users). The user auditors are required under professional standards to understand their client’s information system and the internal controls of that system.
So, when a company uses a third party for processing that could be relevant to its financial statements, the user auditors need to take steps to understand the controls associated with the information system provided by the third party. Thus, the purpose of the SAS 70 report is to enable the user auditor to understand the nature of controls at the third party. When appropriate, the user auditor can then lower their assessment of control risk for the third party, which in turn could lower their need to test controls at the third party.

What to Do When SAS 70 Criteria Aren’t Met

Many third parties provide services that are critical to their customers but do not meet the SAS 70 applicability criteria (the applicability criteria table appears in the TechNews Interactive version of this article). Examples include:
Because these services often represent significant operational risks (e.g., related to security, confidentiality, availability, processing integrity, and/or privacy), customers of these services frequently want some form of assurance that the service provider has effectively designed and deployed controls to mitigate those risks. For these reasons, the AICPA, in conjunction with the Canadian Institute of Chartered Accountants (CICA), designed the Trust Services Principles and Criteria program (SysTrust). The Trust Services reporting program provides a controls framework that covers the five principles outlined below.
Service providers can choose to provide their customers, prospects, and other interested parties with independent audit reports that reflect their deployment of the Trust Services principles and criteria. There are many key differences between SAS 70 and Trust Services reports; check with an informed advisor to learn how these affect your company. One example: business continuity and contingency planning is specifically addressed by the Trust Services Availability principle, whereas control objectives relating to business continuity and contingency planning are not allowed in the description of controls in the auditor’s report under SAS 70.

In summary, service providers almost always represent some form of risk to their customers. Customers and prospective customers of service providers typically want assurance that the service provider has effectively mitigated that risk. If your customer or prospective customer requests an SAS 70 report, consider the guidance provided in this document, and speak with a CPA experienced in producing these reports. He or she will be able to determine whether the SAS 70 or Trust Services report will best serve the customer’s needs, and guide you through the next steps.
The material contained in this presentation is for general information and should not be acted upon without prior professional consultation.