5 Outlooks for SAS 70 Audits in 2010
Having performed over 700 SAS 70 audits, I might expect each one to look like the last. The good news, or the bad news depending on how you look at it, is that they do not, and 2010 looks to be an even more challenging year for staying current with the changes. Below are my Top 5 Outlooks for SAS 70 Audits in 2010:
1. Cloud Computing – Several organizations have published principles and criteria for the controls a Cloud Computing provider should have in place, but no one has yet produced a definitive certification for Cloud Computing. A typical SAS 70 report falls short because it does not go deep enough into information security when measured against the principles and criteria those organizations have published to date. In addition, under the SAS 70 audit guide, disaster recovery controls have largely been excluded from the auditor's testing. Disaster recovery is a major reason companies look to Cloud Computing in the first place, so it is a risk they want assurance has been mitigated. Having CPAs provide attestations on Cloud Computing would serve the business community best: the professional standards CPAs must adhere to give users greater confidence in the Cloud Computing provider.
2. Effect of Non-Accelerated Filers Not Needing to Comply with 404(b) of Sarbanes-Oxley on the Demand for SAS 70 Audits – The House has passed legislation exempting small-cap companies, those with a market capitalization under $75 million, from complying with Section 404(b) of Sarbanes-Oxley, and one might expect that to reduce demand for SAS 70 audits. Without 404(b), the external auditor is no longer required to issue an opinion on the company's internal control over financial reporting; only the company's own management assessment remains. However, industry leaders believe that many of these smaller companies had not proactively begun implementing controls to comply with every section of Sarbanes-Oxley in the first place, so passage of the House bill should not affect current SAS 70 audit demand.
3. Continued Consolidation of Service Organizations – It seems that every week I read another story about an established data center, bank processor, or credit card processor acquiring a competitor. Acquisitions invariably introduce differences in how control activities are performed. In addition, customer contracts may carry different obligations for the performance and frequency of SAS 70 audits. If the acquisition occurs during a Type 2 review period, two different control environments may need to be tested. While a SAS 70 audit is not a deal breaker for an acquisition, its timing and its effect on the control structure should be considered.
4. New SEC Rules Requiring Custodians to Have a SAS 70 Audit – In mid-December 2009, the SEC scrapped surprise audits for non-custodial advisers. However, firms that are subject to the custody controls review will need to undergo a Type 2 SAS 70 audit performed by an accounting firm registered with the Public Company Accounting Oversight Board.
5. Change from SAS 70 to SSAE – The AICPA undertook a project to revise the SAS 70 standard, split it into two separate standards, and align it where possible with its international equivalent, ISAE 3402. The Auditing Standards Board of the AICPA is expected to vote on the final standard in January 2010, and we anticipate it will be issued as SSAE 16.
Adoption of the new standard still appears to be slated for review periods ending after December 2010, but I am sure we will all be waiting for the final standard to be released in early 2010!
Scott G. Price, CPA, CISA, CIA
Director – A-lign CPAs
About the Author
Scott Price is a director at A-lign with over 10 years of experience providing risk advisory services including SAS 70 and internal audits, business process reviews, and regulatory compliance assessments. Scott is a Certified Public Accountant, Certified Information Systems Auditor and Certified Internal Auditor.