IT vendors' certification by auditors may not amount to much
Friday, 06 August 2010

By Karen Kroll

CFOs who rely on auditors to vouch for the internal controls of outside firms that help process their financial information may be in for a rude awakening, according to a recent report. Under Sarbanes-Oxley, companies are liable for their internal controls, even when they've outsourced some finance and accounting services to third parties.

The Statement on Auditing Standards (SAS) 70 for service organizations, which was developed by the American Institute of Certified Public Accountants (AICPA), defines the standards an auditor must employ in assessing the contracted internal controls of an organization that provides software and IT services, according to

However, SAS 70 does not specify the set of control activities or objectives that the organization needs to achieve. "The vendor has a lot of say over which controls actually get audited," says French Caldwell, research vice president at Gartner. While the auditor can challenge the selection of controls, the audit report typically focuses on the effectiveness of the controls that the vendor selected.

That's why many vendors' claims that they've been SAS 70 certified are misleading, Caldwell adds. For starters, there really is no such thing as being SAS 70 certified, as SAS 70 is a protocol that allows communication from the vendor's auditors to its customers' auditors. "If you follow the protocol, there's some assurance that the right procedures were followed in the audit," he notes. In other words, the standard governs the audit process, not the controls themselves.

The biggest concern here, perhaps, is that SAS 70 does not address such issues as data security and privacy - issues which become even more challenging as service providers increasingly move their operations to the cloud or deliver them as software as a service (SaaS). When a service provider hosts data onsite, it's usually pretty clear what security measures, such as restricted access to the computers, need to be in place. When a service provider offers a SaaS structure, however, its customers' data may be stored anywhere across the globe. It's up to the customer to determine where its data actually resides, and to ask for modifications - say, to keep the data on servers within a specific region of the world - if necessary. SAS 70 won't provide this information.

Companies that work with service organizations also need to check their backup and disaster recovery plans. Again, in a cloud computing environment, "the controls get to be quite a bit different if the data is over a large number of servers across a span of geography," Caldwell says. SAS 70 also doesn't address this risk.

That's not to say that SAS 70 offers no value. It is one of several tools companies can use to evaluate a service provider's control environment, along with other external audits, as well as assessments by the company's own security team, Gartner says.

At this point, in fact, standards organizations like AICPA and Shared Assessments are "trying to puzzle out what the controls should be," within cloud computing environments, Caldwell says. "They're not done." Shared Assessments is a consortium of financial institutions, accounting firms, and service providers, working to streamline the process of assessing service providers.

Until more robust standards are available, the onus is on CFOs and other execs to closely monitor the processes that are outsourced, think through the potential security risks, and work with service providers to address them. When your firm engages outsourcers and IT service providers, it is potentially taking on any risks these businesses have assumed. "It sounds like a bad STD commercial," Caldwell says, referring to sexually transmitted diseases. "But it's the reality."
