As promised yesterday, I said I would address this issue by asking a CPA
and accounting firm to address these issues. Here is his insight into
this issue. He addresses the comment of trying to comply with the
ISO 17799 Standard and providing proof of such compliance.
____________________
There are numerous issues surrounding the understanding and use of
the SAS 70 Type 2 Certification. The following thoughts might be of
some help:
SAS 70 Type 2 Certification (“SAS 70” hereinafter) vs ISO record
keeping standards:
To begin with, an audit differs from an ISO record keeping standards
examination insofar as the audit is performed by an independent
public accounting firm that issues a certificate for which it
ultimately becomes liable for damages to any third party who
ultimately relied upon its findings which subsequently were proven to
be inaccurate. In addition and perhaps more importantly, an SAS 70
like any other audit performed by an independent public accounting
firm is NOT performed to satisfy the issuer but to satisfy the needs
of the ultimate client/customer that has its own minimum performance
standards for which it alone is responsible.
Thus for an issuer to cause an SAS 70 to be performed based on very
low standards is nothing more than “…a fool’s folly…” because the
Certification would not satisfy the user’s required conditions. In
other words, it is the user (i.e., client/customer) NOT the issuer
who determines whether the conditions of the SAS 70 meet its required
fiduciary standards. Sarbanes Oxley (SOX), as one example, places
the responsibility to determine satisfactory fiduciary policy
standards squarely on the audit committee of the board of directors,
the CEO and the CFO of public companies. Under that law neither the
board of directors nor the senior management of the company may shift
that fiduciary responsibility to a third party. Thus the board of
directors working through the management of the company determines
what “best practices of record keeping” are required to safeguard the
company interests. Thus the SAS 70 must satisfy the standards of the
company (i.e., the client/customer), rather than the issuer.
From the issuer’s perspective, the SAS 70 is an attempt to
efficiently anticipate the due diligence requirements of multiple
clients/customers by requesting an independent auditor to perform an
SAS 70 at “best industry practices” standards. This is a matter of
efficiency simply to avoid the cost associated with multiple
redundant due diligence audits by each potential client/customer. In
practice the SAS 70 is normally performed to the “best industry
practices” standard, but standards will vary industry to industry and
are always subject to criticism when held up to scrutiny. Thus the
client/customer ultimately determines “best industry practice”
suitable to its own circumstance. To the extent that any particular
client/customer were to demand additional requirements beyond those
stipulated by the SAS 70, the client/customer would then be required
to perform further due diligence to ultimately resolve its own
fiduciary requirements.
The assumptions that the client/customer will seek an SAS 70 as a
safe haven by shifting responsibility to the service provider; that
the client/customer will not bother to read or understand the SAS 70
content; or that the client/customer will accept the SAS 70 as the
final authoritative word concerning the performance of its fiduciary
responsibility to protect the company’s interest are simply
incorrect; or a perilous road for any who were to choose such a path.
Insofar as the use of the SAS 70 is a financial tool employed to
examine the adequacy of an outsource service provider’s function - that
is a correct assumption. In practice these functions include but are not
limited to the back office functions in banking, brokerage, and
commodity industries; high-volume and high-structured transactions
such as accounts receivable, accounts payable; payroll and benefits
such as pension and health administration etc. By definition the
function performed by the outsource service provider is “records
keeping function” not dissimilar from the services provided by the
records storage industry. Namely: “…ensuring that records keeping
systems are designed and implemented to provide the controls to
guarantee integrity of the content, structure and context of the
records over time…”.
I can go on, but I hope this helps clarify the difference between the
SAS 70 and an ISO record keeping standards examination.
So then, these are some of the conclusions we may consider applicable
to us:
the SAS 70 will be of greater interest to some clients than others –
such as SOX regulated public companies; regulated industries such as
banking, insurance and health; municipal, state and federal
government regulatory agencies and similar enterprise institutions
where public oversight is required;
these industries require the most strenuous “best industry
practices”; thus setting SAS 70 to satisfy these respective industry
standards will raise the bar for everyone electing to use our service;
electing to go this route will put us in the discriminating premium
price end of the market rather than the lower end mass market service
provider;
the SAS 70 will not be cheap, but neither will an ISO record keeping
examination. Both will require uniform procedures across all media
vault storage vendor participants in order to have any efficacy. The
SAS 70 will undoubtedly be more expensive because it not only
requires audit verification but must cover the liability assumed by
the audit firm undertaking the certification. This is very similar
to the price paid to a law firm that renders an “Opinion” on a
selected issue;
the SAS 70 will probably require some participating offsite storage
members to change their existing procedures which may increase their
cost of operations. Existing clients not electing to pay for such
service may temporarily get a free ride, but pricing for that group
will catch up gradually over time and be immediately applicable for
new clients.
more importantly, the SAS 70 will be focused on larger
national accounts or selected industry accounts with greater volumes
and higher net yields;
for members electing to participate in the SAS 70, premiums for
certain insurable risks may become lower or available where
previously unavailable.
I hope these remarks are helpful.
--------------------
I was corrected on this issue:
Thus for an issuer to cause an SAS 70 to be performed based on very
low standards is nothing more than a “…a fool’s folly…” because the
Certification would not satisfy the users required conditions. In
other words, it is the user (i.e., client/customer) NOT the issuer
who determines whether the conditions of the SAS 70 meet its required
fiduciary standards.
If an SAS 70 Audit is performed and not reviewed by all relevant
departments, it will be dangerous indeed. So if you use a vendor who
offers an SAS 70 Type 2 Audit Statement, then you should have a copy
and read it. If it is available and you fail to review it for
compliance then the liability will fall back on you due to the
negligence of failing to read and interpret the SLA being offered.
Just the fact that the Listserve would discuss this and show interest
in this made this CPA interested in the records management
practitioners and drew a sort of new respect for this sophistication.
Hugh Smith
FIRELOCK Fireproof Modular Vaults
[log in to unmask]
(610) 756-4440 Fax (610) 756-4134
WWW.FIRELOCK.COM
List archives at http://lists.ufl.edu/archives/recmgmt-l.html
Contact [log in to unmask] for assistance