UNCW MSA 516 - SAS 70 Reports

Copyright © 2008 ISACA. All rights reserved. www.isaca.org. Journal Online

SAS 70 Reports—What Do They Really Tell You?
By Silka Gonzalez, CISA, CISM, CISSP, CITP, CPA

Many organizations outsource some type of information systems (IS) operations to third-party providers, as they can offer a cost-effective alternative to obtaining necessary expertise and expand the range of products and services. However, outsourcing also introduces additional risks that range from having inaccurate information, which could affect financial statements, to serious security breaches. It is critical for the company that provides the outsourcing services to have reliable controls. Organizations that outsource part of their IS operations often rely on Statement of Auditing Standards No. 70 (SAS 70) reports to determine if the third-party providers have adequate controls.

Currently, there are serious limitations in the way SAS 70 reports are performed and used. This article examines how SAS 70 reports can be improved and how businesses can use them more effectively.

SAS 70 Reports

SAS 70 reports are provided by independent Certified Public Accountants (CPAs). SAS 70 is one of the auditing standards promulgated by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA). CPAs who perform SAS 70 reviews follow the specifications of the AICPA guide Service Organizations: Applying SAS No. 70, as Amended.

There are two types of SAS 70 reports:
• Type I—Provides the independent CPA's opinion of the third-party provider's control structure and a description of the implemented IS controls
• Type II—Contains the same information as a Type I report, plus the results of testing performed by the independent CPA to validate the existence, adequacy and effectiveness of the reported controls

The Use of SAS 70 Reports

Because many of the functions performed by third-party providers affect user organizations' financial statements, auditors performing audits of financial statements need to obtain information about the services and controls of third-party providers. Such information about third-party providers is usually obtained through SAS 70 reports.

When auditors work with publicly traded companies, their work is guided not only by the AICPA's standards, but also by standards issued by the Public Company Accounting Oversight Board (PCAOB). In May 2007, the PCAOB issued Auditing Standard No. 5, which addresses audits of internal controls (and replaces Auditing Standard No. 2 on this subject). Thus, when dealing with public companies, audits of internal controls need to be consistent with both the AICPA's SAS 70 and the PCAOB's Auditing Standard No. 5.

Although SAS 70 reports were originally intended for use by auditors while evaluating controls that affect the reliability of financial statements, in recent years, many organizations have been using SAS 70 reports to evaluate whether their third-party providers have sufficient IS controls, such as security access controls, to address regulatory requirements. Thus, the use of and reliance on SAS 70 reports continue to grow.

Recent Concerns About SAS 70 Reports

There is a need for better understanding of the limits of different types of SAS 70 reports. Companies seeking information about their third-party provider's controls need to be aware of the differences between a Type I and Type II report.

Limits of Type I Reports

SAS 70 Type I reports provide only a generalized overview of the third-party provider's IS control structure. A company may request a SAS 70 report and receive a Type I report from its outsourcer that does not validate the stated control objectives through testing.

Limits of Type II Reports

SAS 70 Type II reports about a service organization are often insufficient to meet the needs of the company that is receiving the outsourcing services. When a Type II SAS 70 review is conducted, certain control objectives are selected, and then testing is conducted with respect to the selected objectives. However, the selected control objectives often do not address all the essential areas necessary to provide reasonable assurance regarding critical IS controls.

Furthermore, in many SAS 70 Type II reports that appear to have addressed adequate control objectives, the level and extent of testing per control objective may not be enough to provide a reliable opinion of the status of essential IS controls. For instance, a common control objective of a third party that provides data-processing services to small and medium-sized banks would typically state that information security mechanisms restrict system users to only the data files and application functions they are authorized to use. There are a number of ways to test this control objective. It would be insufficient to test this control objective using superficial tests related to the adequacy of password controls; however, SAS 70 reports have been issued with such limited testing. This is a critical control objective that relates to the reliability and integrity of financial and customer data. Proper testing of this control objective requires many more critical security controls in addition to basic password controls. A SAS 70 attestation report based on inadequate testing may give a false sense of controls to a recipient who is relying on the CPA's conclusions.

Limits of SAS 70 Reports

Limits of SAS 70 reports include the following:
• Limited scope with respect to regulatory requirements—There are increased regulatory requirements with respect to internal controls, including controls relating to information systems and security. Businesses have turned to SAS 70 reports to provide some assurances about internal controls. However, some regulatory requirements call for testing of a greater scope and depth than what is usually provided by SAS 70 reports.
• Limited CPA training and experience—Currently, most CPAs have not been formally trained to deal with complex automated system infrastructures and their related technical controls. This is one of the reasons why some SAS 70 reviews lack the proper coverage and testing of key IS controls, such as security access controls, that are directly related to the reliability and integrity of financial statements.
• Limited guidance and oversight—While AICPA and the PCAOB have worked to provide auditing standards and guidance, this particular area continues to present a challenge to auditors and to the businesses that rely on