As everyone who has not been hiding in a cave for the last four years knows, Section 404 of the Sarbanes-Oxley Act (Sarbox) requires public companies to document, assess and report on the effectiveness of their internal controls over financial reporting. Every system and process that touches the financial statements is subject to intense scrutiny, and the documentation that must be produced is just this side of what was used to send the Apollo 11 astronauts to the moon.
What is less well known is that Sarbox also makes the purchasing company responsible for the processes and controls of any supplier whose work feeds its financial reporting: outsourcing a function does not outsource the accountability for it. This can be a far more difficult assignment. After all, you know (or should know) how your own organization operates. But how well do you know your suppliers?
If you're outsourcing any type of service, from applications delivered by a managed service provider, to contingent workers, to an offshore contact center, this lesser-known requirement leaves you with two options. One is to conduct your own audit of every supplier. This approach gives you the assurance you need, but it is rarely feasible. After all, think of how long it takes to audit your own internal systems, where you already know how they work.
The other is to look for suppliers who have completed their own SAS 70 audits. These audits, generally conducted by accounting firms at the supplier's behest, examine a supplier's processes and controls to determine whether they are designed and operating effectively, as set out in Statement on Auditing Standards No. 70, first issued in 1992 by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA). SAS 70 has been amended several times since and is scheduled for a further update in 2006.
Of course, not all SAS 70 reports are the same. A Type I report describes the controls the supplier says it has in place and gives the auditor's opinion on whether those controls are suitably designed and in place as of a single date. It does not test whether the controls actually operated over any period of time. They may be applied consistently, or they may not; a Type I report cannot tell you.
A Type II audit, on the other hand, covers an extended period (commonly six months or more). During the examination the auditors review the controls in depth and test their operation against evidence from that period. The auditor then issues a report stating which controls were tested, how, and with what results, including any control weaknesses or exceptions found. A "clean" opinion indicates that the controls operated effectively over the period tested. It does not amount to "certification" or "compliance" as such, but it is independent confirmation by the auditing firm that effective controls are in place. The report can then be relied upon in your own Sarbox assessment as evidence that the supplier performing this function for you has effective controls over it. Read the report rather than simply filing it: check that the systems, locations and services in scope are the ones you actually rely on, that the testing period overlaps your own reporting period, and note any exceptions and any user control considerations, that is, controls the report expects you, the customer, to operate on your side for the supplier's controls to be effective.
One of the side benefits of using suppliers that hold their own SAS 70 Type II reports is that there is no incremental audit cost to you. The supplier engages the auditing firm and pays for the report, rather than your organization having to hire the auditors and manage their work across every supplier. That alone makes it well worth considering for large organizations already burdened with their own internal Sarbox efforts.
Ultimately, you remain responsible for everything your suppliers do on your behalf. Using suppliers who can provide SAS 70 Type II reports, and satisfying yourself that each report's scope and period actually cover the services you consume, goes a long way toward meeting that due diligence responsibility.
About the Author: Dan Bell is vice president of quality assurance for Fieldglass Inc. Dan recently led Fieldglass' own efforts to achieve a successful SAS 70 Type II audit. He can be reached at email@example.com.