Mention the term SAS 70 in a roomful of accountants and business executives, and the conversation is likely to escalate into a chorus of disparate voices, all rendering different takes on the auditing standard.
Indeed, the contentiousness surrounding the auditing standard has deep roots. Underlying the disagreements is an ongoing argument about what the Statement on Auditing Standards No. 70, Reports on the Processing of Transactions by Service Organizations, really covers.
To be sure, it’s clear that SAS 70 calls for a comprehensive report detailing the design, assessment, and effectiveness of a vendor’s internal controls and how they affect financial reporting for clients of the outsourcing services vendor.
But the standard’s origins in the area of technology assessements may have led to misperceptions about the extent a SAS 70 audit can help prevent tech-security glitches. Adding to the confusion is the increased globalization of rulemaking and a blurring of the lines between finance and technology department roles, experts say.
What’s more, all of these issues are occurring in the context of the fast-changing world of U.S. regulation. In December, for instance, the Public Company Accounting Oversight Board will update AS2, the standard governing auditor internal controls assessment, and the Securities and Exchange Commission will issue clarifications of section 404 of the Sarbanes-Oxley Act, covering corporate assessments of their own controls. Observers wonder whether such developments will lead to a wider SAS 70 audit scope and a better understanding of why the standard may or may not be needed.
Says Judith Sherinsky, technical manager for audit and attestment standards for American Institute for Certified Public Accountants: “I envision SAS 70 evolving with AS2 and with new methods of risk assessments that will be outlined by our auditing standards board,” she said. PCAOB, under pressure from the SEC, has been looking at ways for auditors to be more selective in their attestation of client internal-controls risks.
Set up by AICPA in 1992, SAS 70 is the spawn of SAS 44, Special Purpose Reports on Internal Accounting Control at Service Organizations . At the time of SAS 70’s inception, electronic data processing was increasingly becoming the function of outsourced vendors who didn’t want auditors from different clients making continual trips to their locations. Thus, guidelines governing mere “special purpose reports”—covering occasional specified outsourcing—evolved into a broader standard.
Amendments to the standard in 2001 solidified the connection between internal controls and financial reporting, adding an IT element to the pronouncement. From 2001 on, a SAS 70 evaluation could reasonably accommodate an audit of a service organization that provided IT hosting, data processing, and other technology services for clients.
Following August 2002 enactment of Sarbox, which demands corporate assessments of internal controls over financial reporting as well as auditor attestation of corporate clients’ controls reports, SAS 70 has risen to prominence. Since Sarbox offers no guidance about how to audit outsourced controls services provider, the standard has become the de facto guideline for auditing the outsourced service concerns of publicly-traded companies.