“SAS 70 certification validates that Sabrix operates as a certified and trusted outsourced tax research provider that meets the rigorous operational controls associated with Sarbanes-Oxley compliance.”
That declaration, which resided at press time on the Website of Sabrix, a tax-management software-as-a-service (SaaS) provider, is typical of the language that SaaS vendors and other third-party service organizations use to highlight the importance of auditor reports that are based on the guidance known as Statement on Auditing Standards No. 70.
Yet the professionals that conduct SAS 70 audits and the organization that develops auditing standards both warn that such descriptions often mischaracterize the nature and purpose of SAS 70. While marketers routinely exaggerate the value of all kinds of external validations, from “Ten Best” car lists to “Best Places to Work” rankings, corporate IT decision-makers must beware this overreach, because as the rush toward SaaS and other forms of cloud computing accelerates, understanding the true capabilities of third-party service providers becomes more critical than ever.
A SAS 70 audit is a check on a service firm’s controls over processes and systems that could have an impact on the accuracy of entries in its customers’ general ledgers. Audit firms and the American Institute of Certified Public Accountants (AICPA) are concerned that as more service providers trumpet their receipt of a clean SAS 70 audit, misunderstandings about what the reports truly address will result in the finger of blame (and the lawsuits that may follow) being pointed at auditors for failures that lie outside the scope of SAS 70.
“The way SAS 70 reports are being marketed, service organizations are implying a level of assurance and trust that simply doesn’t exist,” says Dan Schroeder, a partner with accounting firm Habif, Arogeti & Wynne and chairman of the AICPA’s Information Technology Executive Committee. “It is grossly over the top.”
There are two types of SAS 70 audits. Type 1 merely describes the services provided and the financial controls in place with regard to them. Type 2, which is where the controversy mainly resides, additionally offers an opinion as to whether there was reasonable assurance that the controls were operating effectively during a defined time period. Any broader claims about what a SAS 70 audit means are likely to be invalid.
In part, that’s because SAS 70 reports are meant to be shared only with the service provider’s customers and the customers’ auditors, for use in helping them evaluate controls over outsourced functions. Trying to claim that the mere existence of a report has value to potential customers, which is implicit in marketing activities, “doesn’t make sense,” says Chuck Landes, vice president of professional standards and services for the AICPA.
The implication that “because you have a report anyone can trust you to meet their specific needs,” says Schroeder, who specializes in SAS 70 audits, “is a misrepresentation of what SAS 70 is about.”
What grates on the auditors, in particular, is the use of the terms “SAS 70 certified” or “SAS 70 compliant,” which they argue imply guarantees or the meeting of statutory or regulatory requirements that in fact don’t exist. A vendor voluntarily engages an auditor to prepare the report, and there are no specific criteria for its content. “When somebody says they are ‘SAS 70 certified,’ I have no idea what that means,” says Landes.