As outsourcing of business functions continues to grow, even small outsource providers are beginning to receive requests for a third-party review of their internal control policies and procedures. Often the request is for a SAS 70 report.
Companies that typically need a SAS 70 include service organizations that perform outsourcing services on behalf of their customers. Examples are trust departments at banks and insurance companies, transfer agents, custodians, and recordkeepers for investment companies, mortgage servicers or depository institutions that service loans for others, ISP and web hosting services providers, ASPs, payroll processors and many more.
While SAS 70 reports have been around for over a decade, an increase in demand has resulted from the passage of Sarbanes-Oxley, HIPAA, and other privacy laws and regulations.
What's involved?
Like a financial statement audit, a service auditor's engagement under the provisions of AICPA's Statement on Auditing Standards No. 70 can only be issued by a certified public accountant. The engagement includes a review of the company's policies, procedures and controls that relate to the outsourced functions provided for clients or customers.
There are two types of engagements and the CPA's procedures will vary depending on the objective of the engagement. Generally the SAS 70 engagement will determine if:
- The company's description of its control policies and procedures is appropriate
- The company's controls are adequate and properly designed to achieve the control objectives
- The controls, when tested, are operating with the effectiveness needed to obtain reasonable assurance of accuracy and security
Benefits
Having third-party assurance of your company's control policies and procedures sends a message to customers and prospects that they can rely on your company to handle information accurately and securely. It helps to create customer confidence in your business and can be included in marketing materials to attract sophisticated customers who are rightly concerned with these important issues.
The KraftCPAs solution
Because of the sophisticated technology intrinsic to many service organizations, few CPA firms have the high level of technology skill and credentials needed to perform SAS 70 engagements. At KraftCPAs we assign a team of experienced, management-level CPAs and technology professionals, including a certified information systems auditor (CISA) and certified information security manager (CISM), to each SAS 70 engagement. We have performed SAS 70 attestation engagements and related consulting for a variety of industries.
The firm is a member of the Center for Public Company Audit Firms (CPCAF). Membership in the Center is voluntary and is evidence of the firm's commitment to maintain the highest level of quality control in the profession. To verify our compliance with Center standards, KraftCPAs submits to external peer reviews every three years as required by the Center for Public Company Audit Firms and the Public Company Accounting Oversight Board. KraftCPAs' most recent peer review was conducted in 2008. Results of our recent PCAOB inspection are available to the public at www.pcaobus.org/inspections.