Thursday, July 7, 2011

The Welcome End of SAS 70

On June 15, the AICPA released a new set of standards to replace Statement on Auditing Standards #70, fondly known as SAS 70. The old standard had been abused for years, being used for situations for which it was never intended and for which it was not particularly useful. SAS 70 originated in an era when companies began to get their accounts managed by outside organizations, known as service organizations. Auditors of the outsourcing companies were concerned that they did not have access to the systems used by the service organizations and therefore could not assess the risks arising from those systems that might affect their own report. They obtained SAS 70 reports to fill this gap.

SAS 70 was therefore designed for a rather limited purpose - to provide assurance on Internal Controls Over Financial Reporting, but it began to be used for other broader assurance on controls, often extending well beyond the limited scope of the original standard.

Accountants fretted for years about this abuse, but it went on and nothing concrete was ever done, other than a little tweaking of the basic standards and some cries of protest from members of the profession who were most involved in the service and who were actually following the standard.

The cloud changed all that. Suddenly companies were outsourcing whole systems and needing assurance on the systems which often extended well beyond financial reporting or even had little or nothing to do with it. The need for a broader standard became clear and pressing.

The AICPA, on June 15, released a new framework, SOC (Service Organization Control), which substantially extends the scope of these types of assurance engagements. The hope is that abuses will end and that the new standards that follow in this framework will provide the needed service.

So far, there are some challenges in making the transition because company executives are so used to the idea of SAS 70 reports and of obtaining them for situations where they really are not appropriate. So some education is needed as well as a dedication by professional assurance providers to insist on selecting and following the appropriate standards.

For an excellent article on this area by the chair of the AICPA's Information Technology Executive Committee, follow this link.
