|
As outsourcing of business functions continues to grow, even small outsource providers are beginning to receive requests for a third-party review of their internal control policies and procedures. Often the request is for a SAS 70 report.
Companies that typically need a SAS 70 include service organizations that perform outsourcing services on behalf of their customers. Examples are trust departments at banks and insurance companies, transfer agents, custodians, and recordkeepers for investment companies, mortgage servicers or depository institutions that service loans for others, ISP and web hosting services providers, ASPs, payroll processors and many more.
While SAS 70 reports have been around for over a decade, an increase in demand has resulted from the passage of Sarbanes-Oxley, HIPPA, and other privacy laws and regulations.
What's involved?
Like a financial statement audit, a service auditor's engagement under the provisions of AICPA's Statement on Auditing Standards No. 70 can only be issued by a certified public accountant. The engagement includes a review of the company's policies, procedures and controls that relate to the outsourced functions provided for clients or customers.
There are two types of engagements and the CPA's procedures will vary depending on the objective of the engagement. Generally the SAS 70 engagement will determine if:
- The company's description of its control policies and procedures is appropriate
- The company's controls are adequate and properly designed to achieve the control objectives
- The controls, when tested, are operating with the effectiveness needed to obtain reasonable assurance of accuracy and security
Benefits
Having third-party assurance of your company's control policies and procedures sends a message to customers and prospects that they can rely on your company to handle information accurately and securely. It helps to create customer confidence in your business and can be included in marketing materials to attract sophisticated customers who are rightly concerned with these important issues.
The KraftCPAs solution
Because of the sophisticated technology intrinsic to many service organizations, few CPA firms have the high-level of technology skill and credentials needed to perform SAS 70 engagements. At KraftCPAs we assign a team of experienced, management-level CPAs and technology professionals (including Certified Information Systems Auditors, CISA) to each SAS 70 engagement. We have performed SAS 70 attestation engagements and related consulting for a variety of industries.
"SRS recently went through a SAS70 audit. We had concerns that it would be a difficult process and too expensive for us to deal with. Well, KraftCPAs proved us wrong. They worked with us and made the process an enjoyable and rewarding experience. The SAS70 audit made us a better company. Thank you KraftCPAs."
Gary Semanchik,
Statement Rendering Solutions
The firm is a member of the Center for Public Company Audit Firms (CPCAF). Membership in Center is voluntary and is evidence of the firm's commitment to maintain the highest level of quality control in the profession. To verify our compliance with Center standards, KraftCPAs submits to external peer reviews every three years as required by the Center for Public Company Audit Firms and the Public Company Accounting Oversight Board. Our most recent peer review was conducted in 2006; click here to download a PDF of the report. Results of our recent PCAOB inspection are available to the public at www.pcaobus.org/inspections. |
|
Tom Boles, CPA, CSPM
Steve Lineberry, CISA, NSA-IAM, IEM
