What to Expect from SAS 70 Audits in 2010

As I have performed over 700 SAS 70 audits, I should find that each SAS 70 audit is similar to the previous one I just performed. The good or bad news, depending upon how you look at it, is that they are not, and 2010 looks to be an even more challenging year to stay on top of the changes.

Here are my top 5 outlooks for SAS 70 audits in 2010:

Cloud computing – One of the technology trends in recent years has been “cloud computing,” the use of remote servers across the Internet to access computing resources on an on-demand basis. Several organizations have published principles and criteria for the controls that a company using cloud computing should have in place, but no one has come up with a surefire certification for cloud computing.

A typical SAS 70 audit report falls short in that it does not dive deeply enough into information security as compared to the early principles and criteria that have been published to date by cloud computing organizations.

Also, according to the SAS 70 audit guide, disaster recovery controls were largely removed from an auditor’s testing. Disaster recovery is a major reason why companies are looking to implement cloud computing, and therefore it’s a risk that they want to make sure is mitigated. Having CPAs provide attestations regarding cloud computing would be the best solution for the business community, due to the professional standards CPAs need to adhere to, resulting in greater confidence in a company using cloud computing.

Effect of non-accelerated filers not needing to comply with Section 404(b) of Sarbanes-Oxley on the need for SAS 70 audits – Now that the House has passed legislation exempting companies with a market cap of less than $75 million from complying with Section 404(b) of Sarbanes-Oxley, there will be less demand for SAS 70 audits. Without 404(b), the external auditor is no longer required to provide an opinion on the company’s internal controls over financial reporting; instead, only the company itself provides that opinion.

Industry leaders believe that many of these smaller-cap companies had not proactively begun implementing controls to comply with all sections of Sarbanes-Oxley, so the passage of the House bill should not have an effect on the current SAS 70 audit demand.

Continued consolidation of service organizations – It seems like each week, I read another story about an established data center, bank processor or credit card processor company buying its competition. Acquisitions always bring about differences in the performance of control activities.

In addition, customer contracts may have different contractual obligations for the performance and frequency of SAS 70 audits. If the acquisition occurred during a Type 2 review period, two different control platforms may need to be tested. While a SAS 70 audit is not a deal breaker for an acquisition, the timing and effect on the control structure should be considered.

New SEC rules requiring custodians to have a SAS 70 audit – In mid-December 2009, the SEC scrapped surprise audits for non-custodial advisers. However, the SEC required firms that are subject to custody controls review to undergo a Type 2 SAS 70 audit performed by an accounting firm registered with the Public Company Accounting Oversight Board.

Change from SAS 70 to SSAE – The AICPA undertook a project to revise the SAS 70 audit standard and break it into two different standards, as well as mirror where possible the equivalent international standard, ISAE 3402. The Audit Standards Board of the AICPA is expected to vote on the final standard in January 2010, which we anticipate to be SSAE 16.

Adoption of the new standard still appears to be slated for review periods ending after December 2010, but I am sure we will all be waiting for the final standards to be released in early 2010.

Scott Price is a director at A-lign with over 10 years of experience providing risk advisory services, including SAS 70 and internal audits, business process reviews, and regulatory compliance assessments. He is a CPA, certified information systems auditor and certified internal auditor.
