Application Outsourcing Companies & SAS 70 Audits
As it develops its compliance plan, a company that implements application outsourcing, along with its auditors, should look at the details of the SAS 70 Type II report of a provider to do an apples-to-apples comparison. It's important to understand the scope of the audit in order to accurately compare and evaluate application outsourcing companies. Plus, the scope of services provided by the application outsourcing company and the control objectives for the SAS 70 Type II must match. If they don't, the SAS 70 Type II cannot be counted on by management to demonstrate full compliance with SOX, and further audits would be required.
For example, a comprehensive application outsourcing agreement includes seven service components. It's possible to have a SAS 70 Type II audit done on only three of the areas: the physical data center, the network, and the operating system. But if the service provider is also managing middleware, databases, and applications, those areas must be included in the scope of the SAS 70 Type II audit for it to satisfy those requirements.
In short, not all SAS 70 Type II audits are alike. The application outsourcing companies themselves define which control objectives are to be examined in the report, and the options are many. The widest range of control objectives is found in COBIT (Control Objectives for Information and related Technology) 4.0, a set of best practices for IT management created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI) in the mid-1990s. COBIT was widely accepted because it's platform independent.
However, in a post-SOX environment with increased scrutiny on IT controls and application outsourcing, COBIT's 34 control objectives were considered by many to be too broad and too expensive to audit. In the IT Governance Institute's (ITGI) 2004 report, "IT Control Objectives for Sarbanes-Oxley," 12 key control objectives were identified, and the report's preface noted:
"Many IT controls were considered in developing this document. However, a significant effort was made to limit the discussion of such controls to those more directly related to internal control over financial reporting. As such, this document is deliberate in its exclusion of controls supporting operational and efficiency issues. It is, however, inevitable (and desirable) that operational and efficiency issues will be addressed over time and built into the control structures and processes that are developed."
In refining the number of control objectives that should be included in a thorough SAS 70 Type II audit, the AICPA's (American Institute of Certified Public Accountants) Audit Guide, "Service Organizations: Applying SAS No. 70," lists seven controls. The Guide suggests that the seven IT control and governance objectives may be applicable to any application outsourcing company that uses IT in providing services that are part of a user organization's information system.
In summary, we've gone from COBIT's 34 to ITGI's 12 to AICPA's seven suggested control objectives to be audited as part of a SAS 70 Type II report at IT application outsourcing providers. However, the list of audit options doesn't end with selecting a number of control objectives. That's because within the realm of SAS 70 reports, there are Type I and Type II audits.
A SAS 70 Type I is a point-in-time, snapshot audit that focuses on general and application controls but does not include testing by auditors. A Type II audit occurs over a period of time (typically six months to a year), focusing on general and operational controls during a life cycle, with auditors typically performing actual testing. A Type II is generally more expensive as well as more burdensome for the application outsourcer. Since a Type I is only a snapshot in time, it cannot be used to satisfy SOX control requirements. In short, only a Type II audit can be relied upon by an auditor.
SAS 70 engagements are generally performed by control-oriented professionals - Service Auditors - who have experience in accounting, auditing, and information security. A SAS 70 engagement allows a service organization to have its control policies and procedures evaluated and tested (in the case of a Type II engagement) by an independent party. Very often this process results in the identification of opportunities for improvements in many operational areas.
User organizations - companies that outsource all or part of their IT environment - should provide a Service Auditor's Report of their outsourced business processes to their auditors. This will greatly assist the company's auditor in planning the audit of the user organization's financial statements. Without a Service Auditor's Report, the company would likely have to incur additional costs in sending its auditors to the service organization to perform their procedures.