January 01, 2010
In today’s business environment, it’s common to find companies managing the challenges of two phenomena: 1) the outsourcing of core business processes to service providers, and 2) heightened internal control scrutiny. While seemingly unrelated, management quickly finds that this combination creates a dilemma: they need the ability to assess internal control in the processes that are outsourced, but lack direct access to and management responsibility for them. Therefore, the outsourcing companies that provide information technology, payroll processing, and other sensitive services to client companies – in particular publicly held clients – are increasingly being asked by their clients to disclose the details of their control processes annually or even more frequently, including how such controls are tested for effectiveness and the results of those tests. More than ever, clients are requiring what are known as “SAS 70” reports from their service partners – auditor reports issued in accordance with the American Institute of Certified Public Accountants’ Statement on Auditing Standards No. 70, Service Organizations – as a means of evaluating the effectiveness and significance of service provider controls and how those controls bear on the assessment of control effectiveness at the client’s own organization.
A SAS 70 report presents a description of the controls in place at the service provider organization and expresses an independent auditor’s opinion on whether those controls are designed and operating effectively during a specified period. Most importantly, a SAS 70 report provides client companies with the means to assess the related processes, and it provides the service organization a single document with which to communicate its processes and controls to all of its clients – both public and private. “Any third-party organization providing outsourcing services to public company clients now is being asked to provide SAS 70 reports,” says Victor Albanese, Eisner’s managing director of operations management services. “Public companies now make the availability of a SAS 70 report a prerequisite for engaging a service provider. Many privately-held companies are following suit by adopting such best-practice principles.”
For the service provider, the benefits go beyond meeting client needs. First, the service organization reaps the benefits of continuous monitoring of its own processes. Second, if designed appropriately, one SAS 70 report for each period will be accepted by all of the service company’s clients. “Without a SAS 70 report, each client will be knocking at the door to look at the service provider’s processes. A SAS 70 report will achieve everyone’s objectives with the least intrusion into everyday business,” continued Mr. Albanese.
The information required for an auditor to express a SAS 70 opinion typically is obtained through discussions with management, supervisory and staff personnel, and through the inspection of relevant documentation such as system flowcharts, procedural narratives, operational logs, and other means. Mr. Albanese notes that many client companies today are requiring from their service partners a report commonly referred to as a “Type 2” report on controls placed in operation and tests of operating effectiveness. This type of report requires an auditor to perform additional procedures including tests of specific controls to obtain evidence about their effectiveness in meeting the control objectives specified. As such, a Type 2 report additionally expresses an opinion on whether the specific controls that were tested were operating with sufficient effectiveness to provide reasonable assurance that the related control objectives were achieved during the testing period.
According to Mr. Albanese, the actual description of controls is generally prepared by the senior management team of the service provider, often with some outside help, especially in the first year. A typical report includes a narrative overview of the service provider’s operations, definitions of several specific control objectives, and descriptions of the individual controls in place that achieve those control objectives.
For example, a particular control objective might address measures to ensure that the service provider’s employees are appropriately qualified, experienced, and trained for the job functions they perform. Some of the individual controls that may satisfy this control objective would likely be expressed as follows:
- The Human Resource Department performs an initial screening and evaluation of job candidates in accordance with documented job descriptions.
- A comprehensive background check is required of all employees as a condition of employment.
- Managers and supervisors maintain a continual on-site presence within service delivery units, and are required to closely monitor the day-to-day activities of subordinates and their compliance with client and company operating policies and procedures.
- Managers and supervisors periodically conduct internal training sessions to ensure that staff are well versed in operating procedures.
- Managers and supervisors formally appraise the performance of each of their subordinates on a semi-annual basis.
To test the operating effectiveness of controls, an auditor may conduct several different procedures as appropriate. In the above example, these may include interviews with Human Resource and operating department managers to confirm present operating practice, examination of position descriptions, sample reviews of personnel records to examine evidence of satisfactory background checks and performance appraisals, and inspection of training records including continuing professional education records. According to Mr. Albanese, “exceptions in test results are noted within the SAS 70 report as are specific controls that should be in place at client organizations to complement the controls at the service provider. For example, companies that rely on outsourced information technology would likely be advised to ensure that their security administration controls are adequate to control the authorization, modification, and termination of user access privileges.”
“SAS 70 is not a new concept,” adds Mr. Albanese. “The process to articulate and report on the effectiveness of controls in place shouldn’t be daunting – rather, it should be viewed as an opportunity for a ‘fresh-look’ assessment of organizational practices and control effectiveness.” More importantly, notes Mr. Albanese, “the SAS 70 report should be viewed as a vehicle to demonstrate how well a service provider’s processes promote fiscal integrity and incorporate sound internal control measures and safeguards. The report should communicate a clear message of commitment to quality and control – a message invaluable to attracting and retaining customers.”
Questions? To learn more about the SAS 70 report process and Eisner’s related services, contact Victor Albanese at 212-891-4137.