Reviewing a SAS 70 report (and getting it right)

Welcome to the second “The Risk Rack” column. What I would like to talk to you about today is SAS 70 assessments: not the actual performance of the assessment, but the proper way to review a SAS 70 assessment to ensure your service provider has the appropriate controls in place to protect the information you have entrusted to them.

First, as always, the definition. SAS 70 is the abbreviation for “Statement on Auditing Standards No. 70: Service Organizations.” The SAS 70 was created by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA). There are two types of reports. A Type I report includes the service auditor’s opinion on the fairness of the presentation of the service organization’s description of controls that had been placed in operation, and on the suitability of the design of those controls to achieve the specified control objectives. A Type II report includes the information in a Type I report but also includes the service auditor’s opinion on whether the controls were operating effectively during the review period. In other words, a Type II review actually tests the controls to ensure that they are in place and operating effectively, while a Type I review merely assesses the control design and bases its opinion on that understanding.

All SAS 70s must provide assurance of the reliability, availability and security of the service being provided. In the past, SAS 70 reports were commonly used only between auditors. For example, if an auditor is auditing company A and company A uses service provider X, company A’s auditor (the user auditor) will obtain a SAS 70 for the services provided to company A by service provider X. That SAS 70 would have been compiled by the service provider’s auditor (the service auditor). Today, because of GLBA, SAS 70 reports are commonly used as part of an ongoing compliance program and are therefore being reviewed by staff who have not been trained to review them.

The five most common errors in the review of a SAS 70 are as follows:

    1. Wrong type of report provided.
    2. Old report provided.
    3. Service opinion rendered is not for the service provided to your organization.
    4. Issues noted in the opinion not identified and followed up on.
    5. Missing tests and test results.

To properly review any SAS 70 provided by a service provider in support of its control environment, I suggest the following simple rules be followed in preparing for and performing the review.

In preparation for the review, the reviewer should clearly document: the name of the service provider and all the contact information needed to obtain a SAS 70 from them; the name of the business unit or department that has the need for this service provider; and a list of which service(s), and for what period, they wish to receive a SAS 70 report for. The reviewer should then clearly convey that information to the service organization.

When the SAS 70 arrives, the reviewer must first confirm the scope of the report provided. This consists of three steps; let us call this Phase I. First, determine that the SAS 70 does in fact cover the company and all of the services that you requested supporting information for. Second, confirm that the report covers the period of time you requested. Third, confirm the type of SAS 70 that was provided. If there are discrepancies with any of these items, the reviewer should contact the service provider as soon as possible to resolve the discrepancies noted.

When the reviewer has been satisfied with the service provider’s responses to Phase I*, they should continue on to the review of the SAS 70 itself, which we will call Phase II. Assuming a Type II SAS 70 was provided, the review should consist of the following. First, read the opinion and determine whether the service auditor found the controls to be sufficient. A service auditor may very well write a SAS 70 and note that the service provider did not have a sufficiently controlled environment; it is the reviewer’s responsibility to read the SAS 70 and determine whether the service auditor found the controls sufficient. Second, carefully read the opinion to determine whether there are any items that are currently of concern, or items that may become areas of concern in the future, and make a note of these items. A service auditor may find the controls sufficient but still note concerns. Last, review the test plan provided and the results of that test plan. In most cases only a summary is provided, which should be sufficient for the reviewer. When reviewing the test results, the reviewer must make sure the test plan and results coincide with the opinion. Note any discrepancies and follow up with the service provider as soon as possible to resolve them.

When the reviewer has completed Phase I and Phase II, the reviewer is ready to write a summary report; let us call this Phase III. In the past, many organizations would just check off a box in their vendor review process and move on. I have always believed that a summary report documenting the review that was performed and what the results were is a good idea, and it is very helpful when regulators, examiners, or any other auditor comes by. The report should be simple and consist of at least the following: the service provider name; the services provided to your organization (if necessary, identify the specific business units or departments); the time period covered by the review; the type of SAS 70 provided (Type I or Type II); the opinion on the controls as per the service auditor’s conclusions; any issues or concerns that the reviewer had after reviewing the report, together with the service provider’s response to those concerns, or, if the service provider did not provide a response, a note listing all the open concerns not responded to as of the report date. Finally, the reviewer should include their opinion on whether the SAS 70 sufficiently meets or does not meet their organization’s service provider control standards and, if necessary, make recommendations to the relationship owner about this service provider. If there are concerns with the vendor control environment, the reviewer should escalate the issue through their organization’s compliance/control channel.

In summary, when reviewing a SAS 70:

  1. Make sure you know what you are asking for.
  2. Make sure you ask for what you are asking for.
  3. Make sure you get what you asked for.
  4. Make sure you know what the SAS 70 says as it relates to your needs.
  5. Properly act upon what is reported, based on regulations as well as your internal standards and procedures.

* If the service provider fails to respond to an inquiry within a reasonable amount of time after the reviewer has made a good-faith effort to contact them with their questions, the reviewer should move on to the next phase and note the issue in their summary report.
