Outsourcing is a growing trend across many industries and the financial services industry in the Cayman Islands is benefiting from this movement.
Many organisations on island provide services to organisations domiciled in various international jurisdictions.
While outsourcing relationships offer many benefits and opportunities for service providers to expand their business portfolio, the current regulatory environment in various jurisdictions, particularly the Sarbanes-Oxley Act of 2002 (Sarbanes-Oxley) in the United States, is increasing the need for organisations to demonstrate the existence and effectiveness of outsourced internal controls.
As a result of the regulatory changes in the United States, Canada, and many other jurisdictions around the world, user organisations are increasing their requests for SAS 70 reports, or similar relevant reports depending on the jurisdiction, from their service providers in order to ascertain whether adequate controls are functioning as intended.
While Australia, Canada, Hong Kong, Japan, the United Kingdom, Chile, and other countries all have standards similar to, or modelled after, SAS 70, no single global standard exists.
Therefore, many user organisations, particularly those required to follow guidance provided by the US Securities and Exchange Commission and the Public Company Oversight Board, are requesting SAS 70 reports.
SAS 70 was originally designed as an auditor-to-auditor and auditor-to-management communication about specified control objectives for a specific business function, with the aim of reducing the level of substantive audit test procedures in a financial statement audit. The SEC has since designated it as an acceptable method for management to obtain assertions about service organisation internal controls without conducting separate assessments.
Therefore, the SAS 70 is a preferred method of providing assurance for service organisation clients subject to Section 404 of Sarbanes-Oxley, and it can still be used for other audit-related purposes as well.
Because many organisations in Cayman function as service providers, there is increasing demand for SAS 70 reviews for on-island operations as well as operations abroad. Section 404 has a significant impact on service organisations, and the completion of a thorough SAS 70 Type II report is a critical step for service organisations with customers subject to Section 404 or other regulatory requirements.
In order to better serve their customers, service organisations should consider the following factors when obtaining a SAS 70:
Firstly, the service organisation should consider the users of the report and the underlying reasons for their requests. For example, in the past the decision by a user auditor to request a SAS 70 was a cost-benefit decision driven by the opportunity to reduce the amount of substantive testing required and the related audit fees.
However, user auditors are now required to evaluate evidence of the operating effectiveness of a service organisation’s control activities in order to issue a Section 404 report on the effectiveness of internal control over financial reporting either by evaluating a SAS 70 Type II report or by testing controls themselves.
Secondly, service organisations should consider the scope and depth of procedures performed under SAS 70 because auditors are scrutinizing SAS 70s more intensely than ever before. Additionally, service organisation customers may now require assessment of processes not covered in previous SAS 70 reports to support Section 404 compliance efforts.
Finally, the service organisation should consider the reporting requirements of user organisations. User organisation reporting requirements will also affect the timing of the SAS 70 reports. Under Section 404, management must make specific certifications to the SEC on a quarterly basis on significant changes in controls during the prior three-month period.
Therefore, some user organisations are requesting SAS 70 reports from service providers more frequently than the traditional annual review.
Accordingly, in order to better serve their customers, service organisations should conduct a review of all services provided to customers and survey customers to understand their SAS 70 reporting, timing, and publication requirements.
However, merely understanding the needs of the user organisation is not enough to ensure the SAS 70 report is robust. Service organisations must also consider their own outsourcing relationships with other service organisations (sub-service organisations).
A service organisation’s own SAS 70 will not provide sufficient evidence of controls in place at sub-service organisations to fully satisfy user organisation Section 404 requirements; service organisations must therefore also understand and assess the control activities those business partners have in place.
Consequently, service providers must be more vigilant about organisations within their own extended enterprise. They may need to consider the inclusive method of SAS 70 reporting, or they may choose to obtain a SAS 70 for each separate sub-service organisation.
While Sarbanes-Oxley and other international regulations increase service organisation responsibilities and costs, these regulations also present an opportunity to gain competitive advantage over rivals lagging in the development of a comprehensive internal control assurance process.
A SAS 70 report will provide users with the information required to understand the preventive and detective controls that exist within the service organisation, and it will provide the service organisation with a competitive advantage over other service providers who have not made SAS 70 a key factor in their control assurance programme.
Janelle Mills is a Certified Public Accountant and a Certified Internal Auditor with over nine years’ experience in finance and accounting in both public and private organisations. Janelle is a manager in the Enterprise Risk Services team at Deloitte. Deloitte provides a wide range of risk management services including information security, business continuity management, internal audit, control assurance, and system project assurance.