STATEMENT ON AUDITING STANDARDS NO. 70 (SAS 70)
Christa Unangst
BADM 559 – IT Governance


1 STATEMENT ON AUDITING STANDARDS NO. 70 (SAS 70)
Christa Unangst
BADM 559 – IT Governance

2 WHAT IS SAS 70?
- Commonly recognized auditing standard that was developed by the American Institute of Certified Public Accountants in 1933
- The standard provides guidance on the factors an independent auditor should use when assessing the internal controls of a service organization
- Two types of reports can be issued after a SAS 70 audit – Type I or Type II
- Hosted data centers, insurance claims processors, credit processing companies, third party administrators, etc. are the types of firms who adhere to SAS 70
1 SAS No. 70, Service Organizations, 2008, 22 November 2008.
2 Craig Schneider, Stuck in the SAS 70s, 23 February 2004, 2 December 2008.

3 OBJECTIVES – WHY HAVE A SAS 70 AUDIT?
- In today’s economy, companies must demonstrate that they have adequate controls when they host or process data belonging to their customers
- Want to be more efficient
- Service organizations do not want to have each of their clients perform their own audit on the organization
- More and more users are requesting the audit
- Is a highly useful description of controls and processes
- Can be used to communicate details of controls and processes to a client
- Provides assurance to the end user
3 Richard Bejtlich, Thoughts on SAS 70 and Other Standards, 21 December 2006, 22 November 2008.

4 APPROACHES TO SAS 70

5 CRITICISMS OF SAS 70
- Is in need of a major overhaul
- Other standards or systems could better serve as an audit tool than SAS 70: ISO 17799, COBIT, ISO 9000, SysTrust
- Is insufficient and too broad
- Does not provide enough information on the service provider
- Service organization chooses its own scope and controls
- Auditor is only required to inform its users of failures
4 Answering SAS 70 Criticism, 7 December 2007, WordPress, 1 December 2008.

6 CRITICISMS OF SAS 70 (CONT’D)
- Creates more work
- Accountants and auditors are getting technology certifications in order to be able to perform a SAS 70 audit
- Designed to drive up billable hours with continuous testing over time
- Is incompatible with Sarbanes-Oxley
- The audit could be performed out of sync with client’s reporting period
- Creates the possibility of conflicts of interest
- An external auditor cannot also provide consulting services to the client or the outsourcing provider on a SAS 70 audit
- Incompatibility could dissuade companies from outsourcing processes to emerging nations
2 Craig Schneider, Stuck in the SAS 70s, 23 February 2004, 2 December 2008.

7 BENEFITS OF SAS 70
- Advocates believe it demonstrates both the legal business commitment to high levels of reliability, availability, and security
- Is a sort of checks and balances system
- Creates efficiency – one audit can serve multiple clients’ needs
- Client can use the final report to help their own auditor in the planning of their own audit
- To fill time gaps – could have quarterly SAS 70 audits
- Able to help organizations differentiate themselves from their peers by establishing effectively designed control objectives and activities
SAS 70 and SAS 70 Type II Drill Down - Important Differences Between SAS 70 and SAS 70 Type II, 2008, 1 December 2008.

8 FUTURE OF SAS 70
- Based on current regulatory compliance demands – SAS is here to stay
- More and more organizations are becoming global, and the number of SAS 70 audit requests will grow with them
- Pending a revision of SAS 70 as an international standard
- Previous testimonies, presentations, and interviews – SAS is a growing trend
- Often used as the main “go to” audit tool

9 CONCLUSION
- Service organizations must be able to convey trust and confidence in their controls
- SAS 70 audit can help deliver this confidence
- Users must be wary that a SAS 70 audit can easily be misused, intentionally or through lack of understanding
- Service organizations, such as IT, are becoming integrated into business strategy
- Is considered a partner as opposed to a provider with no effect on revenues
- It is clear users value a successful completion of a SAS 70 report
- It reinforces a service organization’s commitment to providing the best hosting experience

10 REFERENCES
- Answering SAS 70 Criticism. 7 December 2007. WordPress. 1 December 2008.
- Bejtlich, Richard. Thoughts on SAS 70 and Other Standards. 21 December 2006. 22 November 2008.
- Cytron, Scott H. Scott Price: Sassy About SAS 70 Audits. 2 December 2008.
- "Ernst & Young TSRS Manager." SAS 70 Objective in Accounting Technology Service Interview. Christa Unangst. Chicago, 2 December 2008.
- Ernst & Young, LLP. SAS 70. 2008. 23 November 2008.
- NDB, LLP Accountants & Consultants. SAS 70 Compliance Resource Guide. 2008. 23 November 2008.
- Our 5-step approach. 2008. 2 December 2008.
- SAS 70 and SAS 70 Type II Drill Down - Important Differences Between SAS 70 and SAS 70 Type II. 2008. 1 December 2008.
- SAS 70 Overview. 2007. 7 December 2008.
- "SAS 70 Overview." 2007. About SAS 70. 17 September 2008.
- Third Party Assurance - SAS 70. 2008. 11 December 2008.
- Walter Searcey, Business Advisory Services Manager. "Evaluating a Company's controls to Protect Information Assets - SAS 70 Overview." Ed. Grant Thornton LLP. Urbana, 15 September 2008.

