Compliance Tools: How to Properly Review a SAS 70 - the Checklist
So I can't tell you how many times I have asked a client if they have reviewed the SAS 70's of their applicable service providers (ADP, Equity Edge, Wells Fargo, etc.) and I get the old "Yep - reviewed it and even signed the cover to prove it." To which I reply, "OK, so what controls does it tell you that you must have to ensure your product/cash is safe?"
-INSERT BLANK LOOK HERE-
Then I get..."I DON'T HAVE TIME TO READ THAT WHOLE THING?!?! I received it, isn't that good enough?"
So yes, reading a SAS 70 (the name was changed to SSAE 16 in 2011 - click here to learn about this change) would be equivalent to chewing glass since the things are typically 50+ pages of pretty much all together boring information (unless you enjoy audit talk (which I actually do)) BUT, they do require a read and actually, an analysis.
SAS 70's will tell you all kinds of information including:
- What controls were tested at your service provider
- What deficiencies were found
- What controls they expect you to have in order to protect your products/cash
- and lots more.
The way to properly review a SAS 70 is to examine all of the information in the document (all 50+ pages) and then come to a conclusion about how the vendors control environment, or lack thereof, could impact your company and whether or not your assets are at risk because of their controls...or....lack thereof.
If that seems confusing, it basically is so what I recommend is for you to use our SAS 70 review checklist. It will tell you what to look for and after it is filled out once, all you will need to do is a cursory review in the following years to ensure the answers and conclusions are staying consistent. Our checklist does not take the place of your inside knowledge about your company and how the details in the SAS 70 could impact you but it will give you some structure around what you should look for and the questions you should ask yourself after you have read the SAS.
Remember, service providers who create a SAS 70 typically have a material amount of goods or cash of yours and could truly cause a bad day if said goods / cash walked away because of lack of internal control - ESPECIALLY - if they told you there was a problem in their SAS 70 and you didn't make the time to read all about it. So, yes, you must read that thing but spend your time wisely and get our checklist to help you.
One final point, many SAS 70's cover odd periods such as March 31 - September 15. If you encounter this odd period of time and if a SAS 70 does not cover your entire fiscal year period then you must request a "Negative Assurance Memo" or a "Gap Letter" for the remainder of your fiscal year. The names in "quotes" are what people commonly call a letter that you may receive from your vendor that will detail the effectiveness of the vendor's internal controls during the periods between the end of the old SAS 70 and the beginning of the new one or the in-between period when the new one has not been published yet.
Getting these letters can sometimes be a hassle but your auditors will require this - without fail (I've had external auditors almost hold a 10K filing because a very common payroll provider was late getting their Negative Assurance Memo out. They would have held the K but the memo was issued in time). So, start harassing your vendor early about getting the letter so this isn't a roadblock at the 11th hour.
SAS 70 to SSAE 16 Transition:
The transition from SAS70 to SOC 1 SSAE 16 reports has brought added complexity for companies using Service Providers. Vibato offers a SSAE 16 Review Checklist that will show you when to ask for a SSAE 16, what questions to ask, and how to review your vendors internal control report to ensure you understand what it means and so you can demonstrate your analysis to your stakeholders and external auditors.
For additional information, follow these links to read our blog posts about:
|SAS 70 to SSAE 16 - A New Standard for Service Organizations|
|When to ask for a SAS 70 / SSAE 16|
|How to Review your Vendors Internal Control Report|
Watch our videos:
|Click here to watch a video on How to Deal with your SSAE 16|
Download our tip sheets:
|Download our tip sheet - "4 Tips - What to Consider in the Transition to SSAE 16."|
The SSAE 16 Review Checklist is available for purchase on our sister site, AccountingTemplates.com. Accountingtemplates.com contains nearly 1000 Internal Control Procedures™, like the SSAE 16 Review Checklist, that can help take the complexity out of your day-to-day accounting work and help you understand how to prepare your audit evidence documentation.