Keeping Up With SAS No.70
September 27, 2010
Author: Dennis Cristofoletti
Benefits of a SAS No. 70 Report:
Builds trust with clients by proving controls over all processes
Independent review by a third party
Extremely thorough and unbiased opinion
Helps strengthen internal controls
Identifies procedural weaknesses or deficiencies that a business can improve upon
The Importance of SAS No. 70
In today's highly regulated market place, a financial services organization needs to have a SAS No. 70 audit completed to be competitive. This "SAS 70 audit" ensures that a service organization has been through an independent third party review of their control objectives and activities. The successful completion of a SAS70 audit provides investment advisors with the assurances and confidence that their service partner has the proper control procedures in place. We understand at STP, even though costly and time consuming, a completed SAS70 audit is critical to ensuring a focus on accuracy in everything we do.
In preparation for our audit, we engaged in a complete diagnostic of our control procedures before our testing period began. This diagnostic from our auditor provided a benchmark of our preparedness for the audit. We were able to implement some proprietary applications to track and store procedures, review signoffs and compile backup documents that are crucial in passing the audit. The benefit to this diagnostic helped us become more efficient and improve our day-to-day processes. Since all of our clients request a SAS70 report each year, we implemented a web-based control checklist coupled with a document management solution to help track all of control objectives.
Through our web-based checklist, each task listed requires a reviewer and processor to sign off on it. Along with capturing the time and date of the signoff, we are proving that each task has had the "four eyes" review that is a standard in our operation. The document management system that coincides with the checklist helps us capture and link to any backup documentation needed. We believe that each task and control we create needs to have a reviewer so that nothing "slips through the cracks". We use this checklist for other aspects of our business besides only SAS70 controls. It's an excellent tool to use to follow our day-today schedule. An example would be that we use this to capture all data feeds and uploads that flow into our system. We capture when the feed occurred, that the data flowed into our system successfully, review any exception reports and evaluate other additional checkpoints to ensure accuracy of the data. Through our web-based internal audit checklist system, we can confirm that it has been reviewed by two people.
Did you know?
In June 2011, the SSAE16 will be taking over the SAS No. 70 audit due to a number of new rules and requirements.