Part one of the series starts with SAS-70 basics. If you're struggling with the fundamentals of a SAS-70 and need some real world perspective, this is a great place to start. Part two delves into what you need to be doing to prepare. The preparation takes longer than the audit but is well worth the time you invest. Next, part three explores what types of things auditors look for during an audit. Hint: they're not just looking at paper. Lastly, part four will provide tips on how to appropriately interact with auditors. How you interact with the auditors is both an art and a science.
I remember being told for the first time that I was going to be responsible for enforcing SAS-70 controls within my organization. "SAS-70?" I asked. "What is that?" I found out quickly that the Statement on Auditing Standards (SAS) No. 70 is one of the most widely used auditing standards enforced by the American Institute of Certified Public Accountants. Even though a SAS-70 is an American accounting standard, the heightened awareness around risk management and internal controls is global. Many organizations have expanded their operations to global market spaces. As a result, SAS-70 has become an increasingly popular audit standard in many countries. So what is it and what is the purpose?
I was asking myself those questions as I sat in the darkened conference room on the first floor of our regional headquarters. The door opened and two individuals in black suits and dark glasses entered. One of them turned on a very bright spotlight directed at my face which made it difficult to see. The first gentleman sat down and placed a manila folder on the table in front of him. Slowly, he slid it over.
"You've never been through a SAS-70 before?" he asked in a low voice. Too afraid to speak I nodded my head no. The man looked at his colleague and they both laughed in a very contrived manner. "You tell us what we want to know and no one will get hurt."
"Dawn?" Our SAS-70 coordinator, John, shook me out of my day-dream - actually it was more like a nightmare of what I pictured the SAS-70 audit would be like. "I'd like you to meet the auditors. This is Megan and Melissa." I turned to find two very pretty, well manicured and efficient looking young women with briefcases standing in the doorway.
"You're the auditors?" I asked as I shook their hands. They both nodded, smiled brightly and sat down on the other side of the table. Flabbergasted, I sat back down to face them as they neatly unpacked their briefcases, set up their laptops and obtained the tools they were going to need for the question and answer session.
And thus began my SAS-70 journey - a journey where I kept a watchful eye, took copious notes and made numerous mistakes that I hope to share in an effort to ensure that you don't make those same mistakes. The first thing I learned was that understanding the basics of what a SAS-70 was would give me almost 50% of the skills I needed to ensure that our company passed its SAS-70 audit.
What is the actual definition of a SAS-70 audit? The Statement of Auditing Standards website http://www.sas-70.us defines it as "A set of guidelines which guides the service organizations on how to disclose their control processes, activities and objectives to their customer's auditors and their customers in a uniform and standardized reporting format." My definition? A cross between an IRS audit and a proctology exam. If you're a subject matter expert, SAS-70 coordinator or business owner, plan to sit in a room for several hours with consultants freshly out of college picking apart every aspect of your business practices and questioning their validity. Even worse, if the auditors find *any* tiny part of your business practices that do not conform to their rigid code, they can fail you.
Why would a company want a SAS-70 audit? The purpose of a SAS-70 audit is to give service providers the opportunity to disclose their internal processes and controls to an independent auditor so the auditor can give their honest opinion on how effective and adequate the controls are. The findings of a SAS-70 audit are used by financial auditors to prepare reports on the financial viability of the service organization. These financial statements can be provided to companies using the services of the service provider. Bottom line, the audit is really nothing more than the objective opinion of an auditor and not subject to any benchmarked industry standards. While SAS-70 forces many companies to look at their processes, procedures and control points and improve those processes, SAS-70 is a buzz word. Many far-removed individuals get a warm and fuzzy feeling upon hearing that a company is "SAS-70 compliant."
What are the components of a SAS-70 audit? A SAS-70 audit revolves around a list of what are known as "control objectives." Control objectives are nothing more than statements about how a process or procedure is executed. An example might be, "User acceptance testing is conducted by the client. Clients are then asked to sign the User Acceptance Sign-off Form to ensure that the testing was complete and return it to their designated account manager." In order to test the effectiveness of this control, the auditor might ask for the signed user acceptance sign-off forms for certain dates for certain clients.
Who is subject to a SAS-70 audit? The growing popularity of businesses outsourcing non-core competencies has really forced many companies to engage in a SAS-70 audit. Ann Bednarz in her Network World Fusion article entitled "Offsite security complicates compliance" states that service providers that perform the role of an outsourced service like benefits, HR or payroll are subject to a SAS-70 audit. The key to knowing whether or not a company is subject to an audit is understanding where the control lies. If a company uses an outsourcer for certain types of transactions but is still responsible for the processes, procedures and controls, then the outsourcer would not necessarily be subject to an audit. If there is any question as to whether or not your company would be subject to an audit, it is best to obtain outside counsel from independent auditing firms.
Who performs a SAS-70 audit? Since SAS-70 reporting standards are stringent and must be followed to an exacting standard, only independent certified public accountants (CPAs) or firms of CPAs are allowed under US regulations to conduct a SAS-70 audit. One thing to keep in mind: many independent audit firms hire individuals who are not CPAs to conduct SAS-70 audits. Most of the auditors with whom I have interacted have been young, driven and sharp. Usually, these individuals are sent to a training class which lasts anywhere from 4-6 weeks and then they are placed in the field with a more senior auditor to observe before going off on their own. Many of them lack true practical experience and have difficulty applying their "book knowledge" to real life scenarios. Don't get me wrong - there are plenty of experienced professionals out there, but learning how to differentiate between them and the ones that are green and fresh out of college will help you understand how to appropriately interact with them.
Where is a SAS-70 audit conducted? Every SAS-70 audit I've ever been involved in has been conducted onsite. That means that auditors will be coming to your place of business to conduct the audit. Concerned? Don't be. As long as you have someone with the auditors at all times and a work location designated, this really isn't a cause for concern.
Is the audit process standardized? While auditing practices and standards can vary from state to state, the American Institute of Certified Public Accountants (AICPA) has established strict guidelines with respect to planning, execution and supervision of auditing procedures. Always remember that the auditors are not auditing against a library of "best practices."
What is the difference between a Type I and a Type II audit? Type I audits capture descriptions of controls and processes at a point in time. Type II audits are the descriptions of the controls and processes which are tested for effectiveness. Most companies opt for a Type II audit due to the stringent amount of control testing that is said to be employed by the auditors. Keep in mind, though, that the tests of effectiveness are not scenarios that an auditor dreams up and then executes. Tests of effectiveness are nothing more than showing that you do what you say you do and you can prove it.
How is a SAS-70 audit conducted? The best possible scenario for an audit is to make one individual the point person for the auditors. This person would be responsible for coordinating dates and times of the auditors' visit, gathering any documentation needed ahead of time and setting up a complete agenda. The best SAS-70 agendas I've seen have been agendas that slot 1-2 hour meetings for each control objective. Invited to those meetings are the senior leader of the department and any subject matter experts who can speak to the controls. The SAS-70 coordinator should reserve a private conference room or area which will be free from disturbances for the auditors to work. For each of the designated meeting times, the appropriate individuals should come to the designated area on time with a copy of the controls to be reviewed. As the audit begins, there is a brief question and answer session as the auditor reviews the controls. In Type II audits, documentation to support the use of the controls is required, and sometimes auditors may also ask to observe the control being used in an actual situation.
How often is a SAS-70 audit conducted and how long does it take? Depending on the number of controls, companies can choose to do audits every six or twelve months (twelve being the minimum acceptable standard). Some companies choose to do an interim and a final to ensure they are prepared. Audits usually last anywhere from 2-5 days depending on the complexity and scope of the audit. It's also plausible that the auditors may request additional meetings or documentation as follow up even after the on-site audit is complete.
What are the inputs and outputs of a SAS-70 Type II audit? At the conclusion of a SAS-70 audit, a Service Audit Report is issued. The report contains a list of the controls and the auditor's opinion on the effectiveness and adequacy of the controls in use. For Type II audits, the auditor must include detailed information on how the controls were tested. The report will be issued with either a qualified or unqualified opinion or may contain exceptions. An unqualified opinion is issued when the audit examination was adequate in scope and the auditors have observed that the controls are being followed as stated. A qualified opinion is issued when the auditor observes significant limitations existed, such as an inability to prove that a process or control is being consistently followed. An exception is noted when a process or control seems to be followed a majority of the time but the service organization is not able to produce proof of a specific item requested by the auditors. Exceptions are OK and quite frequent. We're all human and it's conceivable that not all individuals will follow processes and procedures 100% of the time even if they have good intentions. A qualified opinion is NOT OK. When a qualified opinion is issued, it calls into question a company's business practices. In addition, it can also be cumbersome and time consuming. One of the large corporations I worked for once received a qualified opinion. The result was more than 50 hours worth of conference calls and conversations with corporate auditors, internal auditors and the independent auditors. On top of all that, corporate sent their own auditors out to conduct yet another audit on top of the SAS-70 audit we'd just gone through. Take my word for it, conducting your own pre-audit is never a bad idea. It will take a lot less time than if you have to endure having to explain to company executives and customers why you received a qualified opinion.
When a company is deemed SAS-70 compliant, does it mean that their controls and processes have been audited against a set of best practices? SAS-70 compliance does not mean that a company has been audited against a set of best practices; instead, it indicates that a company has a set of controls and they follow those controls. In my personal experience, I've seen SAS-70 controls that were absolutely the worst business practices I've ever witnessed; however, because they were documented and the controls were being followed, the company passed the SAS-70 audit with flying colors. The lesson here is that a process is better than no process.
Now that you know the basics, read part two of my SAS-70 series to know what you need to do to prepare.
Published by Dawn M. Kaye
An avid reader and writer, Dawn M. Kaye has more than 20 years experience in public relations, writing, operational leadership, coaching, project management and technical management. Dawn currently lives in...