
Compliance Tools: How to properly review a SAS 70 - the checklist


So I can't tell you how many times I have asked a client if they have reviewed the SAS 70s of their applicable service providers (ADP, Equity Edge, Wells Fargo, etc.) and I get the old "Yep - reviewed it and even signed the cover to prove it." To which I reply, "OK, so what controls does it tell you that you must have to ensure your product/cash is safe?"

-INSERT BLANK LOOK HERE-

Then I get..."I DON'T HAVE TIME TO READ THAT WHOLE THING?!?! I received it, isn't that good enough?"

So yes, reading a SAS 70 would be equivalent to chewing glass, since the things are typically 50+ pages of pretty much altogether boring information (unless you enjoy audit talk, which I actually do), BUT they do require a read and, actually, an analysis.

SAS 70s will tell you all kinds of information, including:

  1. What controls were tested at your service provider
  2. What deficiencies were found
  3. What controls they expect you to have in order to protect your products/cash
  4. And lots more.

The way to properly review a SAS 70 is to examine all of the information in the document (all 50+ pages) and then come to a conclusion about how the vendor's control environment, or lack thereof, could impact your company and whether or not your assets are at risk because of their controls... or... lack thereof.

If that seems confusing, it basically is, so what I recommend is that you use our SAS 70 review checklist. It will tell you what to look for, and after it is filled out once, all you will need to do is a cursory review in the following years to ensure the answers and conclusions are staying consistent. Our checklist does not take the place of your inside knowledge about your company and how the details in the SAS 70 could impact you, but it will give you some structure around what you should look for and the questions you should ask yourself after you have read the SAS 70.

Remember, service providers who create a SAS 70 typically hold a material amount of your goods or cash and could truly cause a bad day if said goods/cash walked away because of a lack of internal control - ESPECIALLY - if they told you there was a problem in their SAS 70 and you didn't make the time to read all about it. So, yes, you must read that thing, but spend your time wisely and get our checklist to help you.

One final point: many SAS 70s cover odd periods such as March 31 - September 15. If you encounter this kind of odd period and the SAS 70 does not cover your entire fiscal year, then you must request a "Negative Assurance Memo" or a "Gap Letter" for the remainder of your fiscal year. The names in "quotes" are what people commonly call a letter you may receive from your vendor that details the effectiveness of the vendor's internal controls during the period between the end of the old SAS 70 and the beginning of the new one, or the in-between period when the new one has not been published yet.

Getting these letters can sometimes be a hassle, but your auditors will require this - without fail (I've had external auditors almost hold a 10-K filing because a very common payroll provider was late getting their Negative Assurance Memo out. They would have held the K, but the memo was issued in time). So, start harassing your vendor early about getting the letter so this isn't a roadblock at the 11th hour.

Update: You can get our updated SOC 1 SSAE 16 checklist by checking out this post.
