In April 1992, the American Institute of CPAs created Statement on Auditing Standards No. 70 (SAS 70), which was designed to establish professional standards for auditing service providers, such as third party administrators (TPAs). SAS 70 engagements were performed primarily on large service providers. Then in mid-2004, when the Public Company Accounting Oversight Board (PCAOB) released Auditing Standard No. 2 as part of the Sarbanes-Oxley (SOX) legislation, the use of SAS 70 reports grew in importance.
Basically, PCAOB Auditing Standard No. 2 established new standards requiring external auditors to perform an audit of a company’s internal controls, including those services that are outsourced. This standard also allows the external auditor to rely upon a SAS 70 report prepared by a service provider’s own auditor in meeting this requirement. Needless to say, PCAOB Auditing Standard No. 2 resulted in an increase in the number of SAS 70 engagements.
Outsourcing is a growing trend across industries. Companies may outsource any number of services, including:
- Information Technology
- Customer Service
- Human Resource and Benefits Management
- Payments and Administration
While outsourcing relationships offer many benefits, the current regulatory environment presents new challenges, specifically with regard to the Sarbanes-Oxley Act of 2002. If third party services directly impact financial reporting or internal control environment activities, a company’s management is now responsible for evaluating the design and effectiveness of the control structure in place, both within the third-party administrator and between the two organizations. Outsourcing organizations must provide assurance about the controls that they have in place for numerous customers without significantly impacting operations and increasing personnel costs.
Although reports issued under Statement on Auditing Standards No. 70 are used by service organizations to communicate the integrity of their controls to financial auditors, SAS 70 also becomes a critical tool for the user organization’s management in a post-Sarbanes-Oxley Section 404 world:
- Section 404 mandates that chief executive officers (CEOs) and chief financial officers (CFOs) of publicly traded companies take personal responsibility for the effectiveness of internal control over financial reporting.
- Management’s responsibility extends to controls in place at service organizations, making controls at third-party service providers an integral component of CEO and CFO assertions that adequate controls are functioning as intended.
The Securities and Exchange Commission (SEC) has interpreted the Section 404 outsourcing control assessment requirements as follows: “In situations where management has outsourced certain functions to third-party service provider(s), management maintains a responsibility to assess the controls over the outsourced operations. However, management would be able to rely on the Type II SAS 70 report…”
Accordingly, SAS 70 is designated by the SEC as an acceptable method for management to obtain assertions about the service organization’s internal controls without conducting separate audits.
There are two types of SAS 70 reports: Type I and Type II. The primary difference between the two is the level of assurance provided. A Type I report describes the controls that have been placed in operation but does not test their operating effectiveness. A Type II report also tests operating effectiveness over a period of time, which makes SAS 70 Type II reports an optimal way to support management’s Section 404 internal control assessment without management having to conduct its own audit.
The primary advantage of a SAS 70 engagement is a reduction in the scope of the audit engagement of a plan sponsor (user) or of the plan itself. A TPA (service provider) that chooses not to have a SAS 70 engagement potentially subjects itself to audit procedures from each of its clients that requires a financial audit. An objective auditor’s opinion on the service provider’s controls provides reasonable assurance to the user auditors that the service organization’s internal controls are adequate, without the need for additional audit procedures.
If the outsourced function you provide to your client is an important component of their organization, such as payroll, 401(k) administration, medical benefits administration, or disability claims handling, they will require you to be SAS 70 certified. SAS 70 audits provide the much-needed oversight that benefit managers are looking for.
As a service provider, DataPath Administrative Services (DPAS) provides a host of benefit functions for companies and many of our clients were asking us to become SAS 70 certified. If your clients are SEC-registered, publicly traded companies, then you fall under the Sarbanes-Oxley Act requirements, which more than likely mandates your organization to be SAS 70 compliant. More and more service organizations in the benefits industry are being required to be SAS 70 certified. Many banks and brokerage houses are telling all their outsourcing providers to become SAS 70 compliant or risk having their contracts terminated.
Whether SAS 70 compliance is strictly required by law is not the point; it is a matter of market dynamics and of the issues currently affecting the benefits administration outsourcing industry, including Third Party Administrators (TPAs). Be prepared to become SAS 70 certified sooner rather than later, as the demands put on Third Party Administrators by their clients will continue to grow in the next couple of years.
The SAS 70 Type II audit report is being requested of Third Party Administrators and Plan Service Providers not only by publicly traded companies, banks, and brokerage firms, but also by states, townships, municipalities and other government clients, as well as many other types of organizations.
DataPath has also completed a PCI on-site audit. To achieve compliance with PCI, merchants and service providers must adhere to the Payment Card Industry (PCI) Data Security Standard, which offers a single approach to safeguarding sensitive data for all card brands. PCI Compliance is required of all merchants and service providers that store, process, or transmit cardholder data.
Having both the SAS 70 and PCI certifications is a standard achieved by few software vendors and web hosting providers. Widely recognized as a mark of service quality, a SAS 70 audit shows that DataPath, as a service organization, has been through an in-depth audit of its control activities, including information technology processes. The PCI audit is an in-depth audit of our information security policies and procedures. Together, the SAS 70 report and the PCI compliance report provide credible proof to our customers and prospects that their critical data is secure when using our hosted service, myRSC.com.
DataPath has been certified at the entire organizational level, which distinguishes it from many hosting companies that have only their outsourced datacenter provider certified. Following SAS 70 certification, all DataPath customers may now have access to a description of the company’s controls and an independent assessment of whether the controls were placed in operation and operate effectively.
The SAS 70 audit covers many of DataPath’s control objectives, including those for organizational management, security, systems availability, performance monitoring, and change management.
We at DataPath and DPAS want our clients to be assured of the accuracy and integrity of their data and to have confidence in the IT systems that house, move and transform data. The SAS 70 Type II report will attest to the accuracy of the data by providing confidence in our accounting procedures and controls. The SAS 70 Type II report will also lend confidence to the processes and controls used for those IT systems and databases.
Although Section 404 increases the TPA responsibilities and costs, it also presents an opportunity to gain a competitive advantage over rivals lagging in development of a comprehensive internal control assurance process.
Your clients may require assessment of processes not covered in previous SAS 70 reports as well as more frequent reports, not just an annual report, to support Section 404 compliance efforts. To better serve your clients, you should initiate this process by listing all services provided to customers and polling customers to understand SAS 70 reporting, timing and publication requirements.
Any plan with more than 100 participants is typically required to have an independent audit of the plan’s financial statements, according to ERISA. The SAS 70 report can help with this audit by clearly defining and explaining the internal control process.
Let DataPath help you get started. Use our experience in preparing for our SAS 70 and PCI audits to your advantage. We can provide you with policy and procedure templates, as well as help guide you in the risk assessment process. We can also provide you with some insight into the administration controls you will need to have in place, such as segregation of duties.