Sarbanes-Oxley

Sarbanes Oxley (SOX) and SAS 70 | What Does the Future Hold?

Sarbanes Oxley and SAS 70 audits have had a monumental impact on corporate governance and compliance. So much so, they almost invented a huge part of the pie. As a SAS 70 auditor, i’m often asked what does the future hold for Sarbanes Oxley (SOX) compliance and also SAS 70.

Well, my friends, let’s take a look at the crystal ball and let me give you my thoughts on SOX and SAS 70.

First and foremost, compliance is NOT going away. Sure, there have been growing pains with the cost and time associated with SOX compliance, but those costs are starting to become greatly streamlined as organizations are finding ways to be more efficient with SOX compliance. In short, it’s here to stay, so consider it a part of life in the business world. With the rash of fraud that occurred on Wall Street which almost toppled the capital markets overnight, there will no doubt be MORE compliance laws, regulations, and rules echoing out of the halls of congress. I would not be worried and thinking too much about SOX, but rather, what else is in the witches brew that could be cooked up on Capital Hill. Think i’m kiding? PCI compliance recently became codified into law in MN with many other states following closely behind.

With SOX staying, you can rest assured that SAS 70 will be hanging around like a little brother. And why not, it’s been a hugely successful internal control auditing mechanism that has shed light on service organizations and how they conduct business.

Compliance is a way of life; as sure as death and taxes. The key is finding a way to meet compliance in a cost-effective and streamlined manner.

SAS 70 Audits | Understanding PRICING for SAS 70 Engagements

SAS 70 Type I and Type II audits have become common for many organizations providing critical outsourcing services to companies. Known as service organizations, they have all landed on the regulatory radar of having to be SAS 70 compliant, due in large part because of Sarbanes Oxley (SOX) or any other large number of federal regulatory compliance mandates.. I’m often asked how much does a SAS 70 Type I or Type II audit cost. Well, that depends on a number of factors and circumstances that will be discussed today.

Issue #1: Choosing a Firm for the SAS 70 Audit

There are a number of providers available for SAS 70 audits, ranging from regional CPA firms to the nationally recognized big four firms. And as with anything in life, most organizations try to find the most value for their money, but remember, you get what you pay for. Small firms may be cost-effective, but they may lack the expertise and name recognition of other firms. The big four accounting firms will charge you a heavy premium audit fee, yet you get their name on the report, ultimately giving it a high level of recognition, simply based on who they are.

Remember, SAS 70 Type I and Type II audit prices have a wide range, so it’s probably a wise choice to pick in between, that is, a firm who is specialized, nationally known, not too large and bureaucratic, and provides you with a cost-effective, “fixed fee” that is fair, equitable, and you can live with.

Issue #2: Scoping the SAS 70 Audit

Numerous factors ultimately come into play for pricing considerations, but scoping is extremely important. It tells you and the CPA firm what will be tested, where it will be tested, and how long the test period will be, if a SAS 70 Type II audit is being performed.

To learn more about SAS 70 audits, visit the official sas 70 resource guide.

SAS 70 and Regulatory Audits | What is the Impact to our Economy?

The impacts, in my opinion, are the following. Interestingly, the last decade has seen somewhat of a shift in auditing. That’s not to say there has been a decrease in this specialized service, quite to the contrary. The shift has occurred as financial statement auditing has begun to see somewhat of a flat line in growth, while highly specialized audits, such as Statement on Auditing Standards No. 70 (SAS 70) have been given the limelight. Regulatory legislation, such as the Sarbanes-Oxley Act of 2002, the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach Bliley Act (GLBA), and numerous other federal and state laws have pushed audits, such as SAS 70, into the forefront. Additional audit or examination procedures that are non-financial in nature include the Payment Card Industry (PCI) audits, which are undertaken by entities that process credit card transactions, along with numerous ISO quality audits.

From a regulatory compliance perspective, impacts of audits to the economy have resulted in many service organizations having to become SAS 70 Type II compliant. It all starts with Section 404 of the Sarbanes-Oxley Act of 2002. In simple terms, section 404 states that management must establish effective internal controls as it relates to financial reporting and must also gain assurances from outsourced third-party vendors (i.e., service organizations) whose controls can affect financial reporting. Though it may sound somewhat vague and blurred, it’s really quite straightforward. Take note of the following example to see the effect SAS 70 has on section 404 of publicly traded companies.

SAS 70 Type II Audit Reports | Why SAS 70 is Here to Stay

We live in a world of heightened regulatory compliance and corporate governance. From the passage of the 2002 Sarbanes-Oxley Act to numerous other pieces of legislation (HIPAA, GLBA, just to name a few), “comply, comply, comply” is the new mantra being pushed throughout organizations and at all levels. SAS 70 audits, originally introduced as the 70th auditing standard in April of 1992, has stood the test of time as the main “go to” compliance audit for many of these regulatory requirements that have ushered from the halls of Congress.

Okay, so, why is it here to stay? Well, for a number of reasons. First and foremost, it will always be used as an audit tool for evaluating service organization’s that could have a material impact to a company’s “information system”-This term, “information system” is used to describe the user organization’s “information system”, that is, what services are being performed by the service organization that are considered a part of the user organization’s “information system”. Transactions, procedures (be it manual or automated), supporting information, the capturing of events and conditions-are all considered traits and activities that relate to, have an effect, and impact the user organization’s “information system”.

Second, the SAS 70 auditing standard has been quite flexible, adapting to the needs of service organizations that must have their control environment examined. Witness the numerous times the SAS 70 auditing standard has been amended over the last 16 years to keep “pace” with the changes of business.

Third, the SAS 70 auditing standard has become very quickly recognized as the global de facto audit for internal controls on service organizations. In short, it has built up quite a following that is simply very hard to ignore.

To learn more about SAS 70 audits, visit the official SAS 70 Resource Guide.

SAS70 Reports | Know the Difference Between Type I & Type II

If your company is needing to be SAS70 compliant, then a good start is to learn about what a SAS70 audit is and what the difference is between a SAS70 Type I & SAS70 Type II audit report.

In short, a SAS70 Type I is simply an audit that is a snapshot in time; an audit for a particular day. For example, a Type I report would be given a date of August 31, 2008.

A SAS70 Type II audit report is a report that will test the operating effectiveness of those controls over a time period, traditionally six (6) months. For example, a SAS70 Type II report would cover a period from January 1, 2008 to June 30, 2008.

It is important to note that a SAS70 Type II is what the market is calling for, that is, it suffices for Sarbanes Oxley compliance and is looked upon as a much superior audit than a SAS70 Type I report.

A good example of learning more about SAS70 audits is to obtain a SAS70 sample report, whereby you can read and understand what the major components and parts are of a final report.

SAS 70 & Sarbanes Oxley (SOX) | What You Need to Know

The relationship between Sarbanes-Oxley and SAS 70 begins with Section 404 of the 2002 Sarbanes Oxley Act (SOX). Because management must report annually on it’s effectiveness of internal controls, it then has a fiduciary responsibility and a requirement to inspect on controls considered critical to the organization as a whole, but more importantly, to it’s financial reporting process. Because a large number of publicly traded companies outsource a host of services, these outsourcing providers, known simply as “service organizations”, are considered an integral component for purposes of financial reporting. Therefore, a due-diligence process must be enacted to have their internal controls observed and certified. The Securities and Exchange Commission’s (SEC) Chief Accountant and the Division of Corporation Finance has stated that “In many situations, a registrant relies on a third party service provider to perform certain functions where the outsourced activity affects the initiation, authorization, recording, processing or reporting of transactions in the registrant’s financial statement. In assessing internal controls over financial reporting, management may rely on a Type 2 SAS 70 report.” What’s just as important is that this relationship between SAS 70 and Section 404 of the SOX Act has kicked off a regulatory compliance push that quite frankly, there is no end in sight.

To learn more about SAS 70 audit or to receive a sample SAS 70 Type II report, visit the official SAS 70 Resource Guide.

SAS 70 Audits | Tips on Preparing Your Organization

SAS 70 audits are being performed on many service organizations in today’s growing regulatory compliance economy. From federal legislation, such as Sarbanes-Oxley to HIPAA, the SAS 70 auditing standard has been pushed to the forefront of the business arena. It’s becoming such a big requirement now that many request for proposals (RFP) are demanding that a service organization be SAS 70 compliant for even bidding on work or submitting a proposal.

So let’s erase some myths and misconceptions about the SAS 70 auditing standard. First and foremost, the audit can be done in an efficient, cost effective manner, provided you find a firm that has a good working knowledge of the SAS 70 auditing standard AND your industry. Put both of those variables together, and you should get a good fee from a quality auditor who truly knows what they are doing.

Secondly, you don’t have to do a SAS 70 Type I first if you need a SAS 70 Type II. Why waste thousands of dollars on a Type I when it’s not really what you needed? Some CPA firms will try and sell you the full package, often including a Type I by stating its needed to begin the audit process. What you need to start with instead is a SAS 70 Readiness Assessment, which will get your organization up to speed and ready for the actual SAS 70 Type II audit.

Lastly, SAS 70 audits can be a reasonable financial proposition, if you use a firm with experience that has a working, scalable model, resulting in efficiency and cost-effectiveness.

If you want to learn more about SAS 70 audits, visit the official SAS 70 resource center where you can receive SAS 70 sample reports for review.

SAS70 & PCI Compliance | Creating Audit Efficiencies

SAS70 audits have grown tremendously in the past five years, largely due in part to the explosive growth of federal regulatory compliance laws and legislation. Interestingly also, Payment Card Industry (PCI) compliance has also received much attention as of recent, particularly with the recent breaches of security in a number of well publicized cases.

I’m often asked by organizations that have to be SAS70 & PCI compliant if these two audits can be a 2 for 1, that is, can I conduct SAS70 fieldwork and also hopefully piggyback off of that work to help augment a marginal part of the PCI compliance examination for QSA?

There are synergies that can be created, allowing an experienced auditor to use his or her best judgment for creating these synergies. If you look at the 12 core areas of the PCI compliance, you can extract elements from these very requirements that would most surely be included in a good, quality comprehensive SAS70 audit. I stress “good, quality” audit because the looseness of the SAS70 standard allows auditors to employ vastly different methodologies.

For example, PCI Requirement #9, “Restricting Physical Access to Cardholder Data” could be argued that this is very much in line with a common SAS70 control objective for “Physical Security”. Remember this, there are only so many regulatory compliance and governance laws that can be pushed forward before they start to become overlapping and redundant to a certain degree.

If you can find a quality firm that does both SAS70 auditing and PCI QSA compliance, then it would be most beneficial to create these synergies for the audit.

One of the most valuable tools I recently created was a SAS70 & PCI Gap analysis, showing you the overlapping features of both audits, allowing any firm to create these very efficiencies for these compliance examinations.

For more information on SAS70 audits, or to receive SAS70 sample reports, please visit the official SAS70 resource center