White Papers provided by the SAS 70 Resource Guide
SAS 70 and Section 404 and 302 of SOX
The passage of the Sarbanes-Oxley Act of 2002 brought Statement of Auditing Standards No. 70 (SAS 70) into the forefront of the business arena. Sarbanes-Oxley (SOX) was intended to help revitalize and restore investor confidence and stabilize the damage inflicted upon the U.S. and global economies from the collapse of a few notable corporate giants.
This act, which is overseen by the Securities and Exchange Commission (SEC), resulted in the creation of eleven titles, and covers topics such as criminal penalties for corporate officers along with provisions for establishing internal control processes. The most widely recognized elements of the Act are Section 302 and Section 404:
- Section 302: Holds senior executives within a company responsible for financial reports. Additionally, these officers are responsible for internal controls, including establishing and maintaining controls and evaluating their effectiveness by a variety of methods. Officers must also disclose any significant deficiencies that could affect the issuer’s ability to record, process, and report financial data. Any fraud-related issues involving management or reporting officers, whether material or not, must be reported. Lastly, quarterly sign-off on financials is mandatory for management and reporting officers.
- Section 404: Highlights the need for management of a corporation to establish effective internal controls and contain an assessment, as of the end of the most recent fiscal year, of the effectiveness of the internal control structure and procedures for financial reporting.
The relationship between Sarbanes-Oxley and SAS 70 begins with Section 404. Because management must report annually on the effectiveness of its internal controls, it has an obligation to inquire into and inspect all controls considered vital to the organization as a whole, and more importantly, to its financial reporting process. Since a large number of publicly traded companies outsource a host of critical services, these outsourcing providers, commonly referred to as "service organizations", are considered an integral component for purposes of financial reporting. Therefore, a due-diligence process must be enacted to have their internal controls observed and certified. The Securities and Exchange Commission's (SEC) Chief Accountant and the Division of Corporation Finance have stated that "In many situations, a registrant relies on a third party service provider to perform certain functions where the outsourced activity affects the initiation, authorization, recording, processing or reporting of transactions in the registrant's financial statement. In assessing internal controls over financial reporting, management may rely on a Type 2 SAS 70 report."
PCAOB Auditing Standards
Additionally, the Public Company Accounting Oversight Board (PCAOB) was established as the watchdog that oversees auditors of public companies and ultimately helps protect investors by ensuring a fair and independent audit process. On March 9, 2004, the PCAOB issued Auditing Standard No. 2, which sets out guidelines for audits of internal controls over financial reporting performed in conjunction with an audit of financial statements. This standard is significant because it gives auditors a structured format to follow when examining management’s assertions on the effectiveness of internal controls over financial reporting. The PCAOB standard also discusses SAS 70 audits, identifying them as suitable for assessing the internal controls of service organizations that handle outsourced services for companies. Since then, subsequent standards have been issued by the PCAOB regarding similar matters.
As a result, SAS 70 Type II reports provide the needed assurance on service organizations that are conducting outsourcing services for publicly traded companies. Without question, these service organizations will see a significant increase in the number of companies requesting SAS 70 audits, and will need to be prepared for the time and costs involved with the process.
But service organizations can only effectively prepare for SAS 70 compliance if they know they are a candidate for this audit. The increasingly complex and growing outsourcing trend has created a need to truly understand the parameters and scope of a SAS 70 audit.
Executives at service organizations have complained of a lack of clarity as to which processes and procedures are to be considered for SAS 70 compliance. Therefore, service organizations need to be proactive in addressing these and other concerns by communicating effectively with their customers and asking the necessary questions, such as:
- Ask user organizations (i.e., customers of "service organizations") what their intentions are regarding SAS 70 compliance for service organizations.
- If a SAS 70 audit is necessary, inquire about the scope, timeline, and fiscal year-end reporting dates for purposes of the Sarbanes-Oxley Section 404 requirements.
- If service organizations are outsourcing services, then a "sub service" organization may need to be SAS 70 compliant.
Unfortunately, some companies may fall victim to SAS 70 compliance simply because they lack an understanding of it, whether it is needed or not. Instances will arise where service organizations are unprepared or unable to become certified because of improper planning, budget constraints, or inadequate internal resources. Conversely, stories of non-compliance will propel a small number of companies that do not need SAS 70 compliance to become certified. Alternative audits, such as "Agreed Upon Procedures", can possibly provide a benefit to both parties. Service organizations should take time to understand the facts and learn the requirements of the organizations they provide outsourced services to. Service organizations can download a sample SAS 70 report to see whether its contents match their needs before undertaking this type of audit.
