
SAS 70 Certification
The Essential Guidelines

Do you know the key SAS 70 certification guidelines that are important to you as a senior executive looking at IT project outsourcing?

  1. The Auditor. Make certain that the CPAs performing the SAS 70 audits have the skills and experience in information systems and security and are not simply CPAs with general accounting knowledge.

    This applies not only to your own auditor evaluating the report, but also to the independent auditor who provided the report.

  2. Type of SAS 70 Report. As you can see from the SAS 70 audit page, there are two types of reports. If your organization requires a Type II report, be sure to address this with the service provider. Evaluate the type of SAS 70 opinion being provided.
  3. Controls Selected for Testing. Do the control objectives covered by SAS 70 properly address the needs of your business as well as the requirements of relevant laws and regulations? More details about this issue are discussed below.
  4. Scope and Level of Testing. Are all areas of key controls for your business properly addressed? Ensure the level of testing for each control area is sufficiently detailed to support the overall opinion provided by the auditor. If you have any doubts, then hire an outside consultant with the right level of IT expertise.
  5. Use of Subcontractors. Does your potential service provider use subcontractors? If so, it is equally important that the SAS 70 audit covers the subcontractors' key controls that relate to your business.
  6. Report Date. Make sure the report is current and is within the same period as the financial statements of the service provider. You need to be certain the report reflects the current state of operation of the service provider.
  7. Other Security Testing. Consider asking the provider for additional testing such as vulnerability assessments and penetration tests, if these relate to the service you are potentially buying.
  8. Legal Contracts. Make sure your contracts identify the types and scopes of audits, as well as the frequency of the required reports. You should also reserve the right to perform your own audits and technical reviews if you're not satisfied with the reports from your service provider.

Elsewhere in this website we made reference to developing a solid IT Service Level Agreement (SLA). SAS 70 certification and the related reports are an important element in building a complete SLA.

Non Compliant Service Providers


SAS 70 compliance and reporting can help a service provider improve its overall IT control procedures, thus helping to secure relationships with its customers.

However, not all services provided by these third-party suppliers are relevant to SAS 70 certification and reporting.

This can lead to misunderstandings on the part of a potential client who insists on having a SAS 70 certification report produced when it really does not apply.

Here are some of these service areas:

  • A communications gateway linking the customer's back office systems with remote wireless systems.
  • Data management, storage retrieval services.
  • Network management services.
  • Systems that do not represent a true financial audit risk to the client.

These services do represent some risks in terms of security, confidentiality, processing integrity, etc., and so customers need assurance that the service provider has effective controls in place to cover these risks.

Consequently, the American Institute of Certified Public Accountants (AICPA), in conjunction with the Canadian Institute of Chartered Accountants (CICA), has developed a control program called SysTrust that covers these service areas through five principles:

  1. Security. The system is protected against unauthorized access, both physical and logical.
  2. Availability. The system is available for operation as agreed in the SLA.
  3. Processing Integrity. Processing is complete, accurate, timely and authorized.
  4. Privacy. Any personal information that is collected is only used, retained or disclosed according to the rules defined by the client.
  5. Confidentiality. Confidential information is protected as committed in the SLA.

Service providers can produce independent audit reports that reflect these trust principles. It is important to point out that there are many differences between SysTrust and SAS 70 certification reports, so you should review these with your auditor.

An important example: business continuity services and contingency planning controls are not covered by SAS 70 but are part of SysTrust.

SAS 70 Audit

SAS 70 provides the guidance that enables an independent auditor to give an opinion on the service provider's description of its IT controls. Key questions include:

  • What are the different types of SAS 70 reports?
  • What do the reports contain?
  • What are the report limitations and issues of concern?

To learn more about these issues, please visit our SAS 70 Audit page.

Other Useful Resources

Above and elsewhere on this website, there's no lack of information to help ensure that you're following the best business practices in looking for the right IT outsourcing provider. But we can help even more!

Our offer of professional help is a serious one. First of all, you'll find that while the site information is exhaustive, it appears in a brief, easy-to-read, often bulleted, executive style.

You won't get bogged down in details while browsing this site, but we DO have extensive in-depth information for you if you want or need it. It's free and all you have to do is ask!

Start right now by going to the Contact Us page and completing the simple online form. You'll receive immediate access to two authoritative industry books, which our site sponsor will mail to you at no cost.

As a thank you for participating in our site, you'll also receive a bonus download of "15 Interview Questions To Ask IT Outsourcing Providers".


© IT Outsourcing Adviser