White Papers provided by the SAS 70 Resource Guide
Impact of Audits to the Economy and SAS 70
The impacts of audits on the economy, be they financial, operational, technology, or quality based, have been felt for years, though now more than ever their role has increased along with that of regulatory compliance provisions. Expensive, time consuming, and arduous to undertake, audits provide a much-needed level of assurance and validation of an entity’s operations, especially financial statement auditing, which is mostly what people envision when the word "audit" appears.
Interestingly, the last decade has seen somewhat of a shift in auditing. That's not to say there has been a decrease in this specialized service; quite the contrary. The shift has occurred as financial statement auditing has begun to see somewhat of a flat line in growth, while highly specialized audits, such as Statement on Auditing Standards No. 70 (SAS 70), have been given the limelight. Regulatory legislation, such as the Sarbanes-Oxley Act of 2002, the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and numerous other federal and state laws, has pushed audits such as SAS 70 to the forefront. Additional audit or examination procedures that are non-financial in nature include the Payment Card Industry (PCI) audits, which are undertaken by entities that process credit card transactions, along with numerous ISO quality audits.
From a regulatory compliance perspective, the impact of audits on the economy has resulted in many service organizations having to become SAS 70 Type II compliant. It all starts with Section 404 of the Sarbanes-Oxley Act of 2002. In simple terms, Section 404 states that management must establish effective internal controls as they relate to financial reporting and must also gain assurances from outsourced third-party vendors (i.e., service organizations) whose controls can affect financial reporting. Though it may sound somewhat vague and blurred, it’s really quite straightforward. Take note of the following example to see the effect SAS 70 has on Section 404 compliance for publicly traded companies.
Mc2, a publicly traded company, utilizes E3 Technologies, a service organization, for providing data hosting and firewall services. The auditors planning the financial statement audit for Mc2 have determined that the outsourcing activities conducted by E3 Technologies are considered significant because of the wealth of information housed on the servers of E3 Technologies. Ultimately, the auditors have formed an opinion that the services provided by E3 Technologies are part of Mc2's "information system", that is, the activities, transactions, processes, and procedures (be they manual or automated) that could affect Mc2 and its financial reporting process.(1)
Because of this scenario, E3 Technologies is required to be SAS 70 compliant, and will thus have to undergo a Statement on Auditing Standards No. 70 (SAS 70) Type II audit. This example is currently playing out every day with thousands of service organizations that have fallen under the regulatory compliance umbrella. The direct impact has been the time and costs associated with regulatory compliance, which many critics are quick to point to. However, many significant gains have been made, such as increased awareness of internal controls, greater emphasis on corporate governance, ethics, and honesty, and a natural movement towards audits that are more conducive to evaluating an entity's complex business environment.
(1) The above example is a hypothetical recreation for the sole purpose of expressing understanding to the end-users of the SAS 70 Resource Guide. Any likeness to existing companies or past situations is purely coincidental.
