SAS 70 Deficiencies and Pitfalls
During our software selection process for an on-demand accounting software and ERP (enterprise resource planning) system, our project team searched for an industry certification or recognized credential that would provide third-party assurance about the internal controls, information security and governance compliance of a prospective on-demand software provider. Our CPA recommended the SAS 70 certification. Our project team would later discover this was a very self-serving recommendation.
Statement on Auditing Standards (SAS) 70 is a standard developed by the American Institute of Certified Public Accountants (AICPA) for auditing third-party service organizations whose services could impact the financial statements of companies registered with the U.S. Securities and Exchange Commission (SEC). SAS 70 audits are a by-product of the Sarbanes-Oxley Act (SOX). SOX requires that companies verify the accuracy of their financial controls, and establishes SAS 70 Type 2 audits as a method to verify that third-party providers meet those goals. Our surprise came when we looked at the SAS 70 criteria and attestation in more detail. A SAS 70 audit does not rate or attest a company's internal controls against a particular set of defined criteria or best practices. In a SAS 70 audit, the service organization being audited prepares a written description of its goals or objectives, and the auditor then examines that description and comments on whether he or she believes those goals are fairly stated, whether the controls are suitably designed to achieve the control objectives the organization has stated for itself, whether the controls have been placed in operation, and, in the case of a Type 2 audit engagement, whether the controls are operating effectively.
The fact that a company has conducted a SAS 70 audit does not necessarily mean its systems are secure or accurate. In fact, a SAS 70 may confirm that a particular system is not secure, by design. According to Robert Aanerud, chief risk officer and principal consultant at security consultancy HotSkills, "You can have control objectives to make any statement management may want to make." Management could decide that it is acceptable for the company to operate with bad access controls, and the auditor (who must be a CPA) then only needs to confirm that access control is at least that bad. The SAS 70 audit opinion would essentially say that, yes, the company has achieved its stated control objectives.
Jonathan Gossel of System Experts suggests that "The Emperor Has No Clothes", and that the SAS 70 has three underlying faults that result in SAS 70 opinions being held in very low regard. First, SAS 70 audits have no specific and objective standards. There are no predetermined standards for an organization to "pass". Instead, the organization sets its own standards and controls, and the auditor simply determines whether the organization meets its own self-determined criteria. A company without security policies in one area could pass a SAS 70 audit even though its information system contained a gaping security hole elsewhere, because "the control activities (none) matched the stated control objectives (none)." Second, only CPA firms can perform SAS 70 audits. While many CPA firms cannot tell a router from a firewall, much less determine whether information systems are properly configured and internal controls are effective, they are, according to the AICPA, the only qualified resources to perform this audit. Third, the SAS 70 process is designed to drive billable hours. Typical SAS 70 costs average between $40,000 and $250,000 per year.
The end result is that the SAS 70 is little more than an accountant's billable revenue activity, brilliantly marketed by the AICPA, and built upon fears from the violated public trust in the wake of Enron, WorldCom and other organizations that out-foxed the AICPA-approved audits of those eras. The SAS 70 adds no value for the auditee or for the person reading the audit report. Its non-prescriptive structure permits gaping holes in the assessment of information security, financial controls and overall compliance. Its requirement that the auditor be a CPA (certified public accountant), without any accompanying guidelines for technical competence or experience, pairs a poorly structured audit plan with potentially incompetent resources.
To achieve our need for valid information systems compliance assurance, we ultimately selected the ISO 27001 as a more relevant and trusted source. This ISO (International Standards Organization) standard is globally recognized and specifies meaningful requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System (ISMS).
Post: April 23, 2008 in Strategy | Permalink | Comments (2) | TrackBack (1)
Tags: AICPA, SAS70, hosted accounting software, on-demand erp software
Your comments are spot on. As a former CPA turned information systems consultant, I recognize the fundamental SAS 70 faults. Without prescriptive criteria, the audit objectives are left to the will of the company being audited and the whim of the auditor. Because of the extreme subjectivity involved, different SAS 70 auditors can audit the same process at the same company and realize completely different results and give completely different opinions - and they're both right! How does this provide comfort and assurance to third-party readers?
Posted by anonymous on April 25, 2008
The revenue interests of the AICPA and CPA community are understood and not much different from other professions creating standards that only they can fulfill. The tragedy is that the government succumbed to this self-serving CPA standard as a legitimate means to provide the investment community assurance and avoidance of future corporate greed scandals. It's only a matter of time before this standard proves itself not worthwhile.
Posted by Mark Gammel on April 24, 2008