Background on SAS 70s
A SAS 70, also known as a "Service Auditor's Report", is a report on the controls in place at an outsourced service provider. It is typically prepared by an independent accounting firm. (The SAS 70 standard has since been superseded by the SSAE 16 / SOC 1 report, which keeps the same Type 1 and Type 2 distinction described here.) A Type 1 report describes the controls as of a particular date but does not include testing of their operating effectiveness, whereas a Type 2 report also includes testing of the controls' operating effectiveness over a period of time. You ideally want a Type 2 report that covers at least six months of testing of the vendor's controls and whose period ends close to your company's fiscal year end. I consider a Type 1 SAS 70 to be of little use, since the controls described in the document have not been tested by a third party.
When to ask for a SAS 70
A general rule of thumb for when to require a SAS 70 from a vendor: if they hold something of value in trust for your company, you have the right to ask them for one. Something of value could be data (a server farm or hosting provider), inventory (a logistics center), cash (a payroll service such as ADP), stock records (Equity Edge, etc.), and so on.
What can I expect to learn from a SAS 70?
A SAS 70 details the controls in place at your vendor's company and whether they passed or failed testing. It also details the controls your vendor expects you to have at your company so that they can live up to their end of the bargain (the report's "user control considerations"): for example, if you do not encrypt the data you send to your payroll service provider, they cannot guarantee the safety of that highly confidential information. The information in the SAS 70 tells you whether you should feel comfortable or nervous about how they are protecting the assets you have entrusted to them.
What to do if your Vendor does not offer a SAS 70
There isn't a clear answer to this. If a vendor holds a material amount of assets for you and does not offer a SAS 70, you will need to implement more (compensating) internal controls at your company to ensure the vendor is not stealing from you, which can equate to a lot of work and money. I personally would not store highly confidential data or a material amount of cash or inventory with a company that wasn't willing to provide me with a clean Type 2 SAS 70. There are plenty of vendors out there willing to earn your business by proving they are worth doing business with, and a Type 2 SAS 70 is a way to demonstrate that commitment to the safety of your assets.
I received a SAS 70, now what?
Once you receive a SAS 70, you must analyze it. Determine whether your vendor was given a clean opinion (an opinion on operating effectiveness appears only in a Type 2 report), determine which controls your vendor requires of you (see above) and whether you have them, and review the controls testing to see what deficiencies, if any, were found. When it comes to external audits and internal controls testing, your auditors will ALWAYS review your SAS 70s, and just signing the top of the report is not proof that you have reviewed it. We have a SAS 70 analysis document that we'd be happy to give to you. Click on this link to register to receive it.
What is a Negative Assurance Memo?
Better question: why does it have such a weird name?! A Negative Assurance Memo, or Gap Letter, is a letter from your vendor stating whether any of their internal controls have failed testing since the period covered by their last SAS 70. SAS 70 reports typically span nine-month periods, and the report period rarely lines up with YOUR fiscal year (not theirs, yours: you need comfort that their controls were working for the entire 12 months of your fiscal year). Because of this, you need comfort from your vendor that their controls were working during the months of your fiscal year the report does not cover, typically the last three. So if the SAS 70 comes out at the same time each year, say March, you need a letter from your vendor stating either that nothing has changed from January through March or that the sky is falling and you have one more issue to deal with...but at least you'll know!
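How the gap arithmetic works, as an added example that is not part of the original post or of Vibato's materials: given your fiscal year and the period(s) covered by the vendor's Type 2 report(s), it lists the stretches of your year that still need a negative assurance memo, flags report periods shorter than the six-month rule of thumb, and treats a Type 1 report as covering nothing. The dates, the six-month rule expressed as 182 days, and all function names are assumptions for illustration.

```python
from datetime import date, timedelta

ONE_DAY = timedelta(days=1)
MIN_TYPE2_DAYS = 182  # "at least six months" of testing, approximated in days (assumption)


def _as_date(value):
    """Accept either a date or an ISO 'YYYY-MM-DD' string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def coverage_gaps(fiscal_start, fiscal_end, periods):
    """Return the parts of the fiscal year [fiscal_start, fiscal_end] (inclusive)
    that no Type 2 report period in `periods` covers, as (start, end) date pairs.

    `periods` holds one (period_start, period_end) inclusive pair per Type 2
    report, e.g. last year's and this year's report from the same vendor.
    """
    gaps = []
    cursor = fiscal_start  # first fiscal-year day not yet known to be covered
    for start, end in sorted(periods):
        if end < cursor:
            continue  # this period lies entirely before the uncovered region
        if start > cursor:
            # uncovered stretch between what is already covered and this period
            gaps.append((cursor, min(start - ONE_DAY, fiscal_end)))
        cursor = max(cursor, end + ONE_DAY)
        if cursor > fiscal_end:
            break
    if cursor <= fiscal_end:
        gaps.append((cursor, fiscal_end))  # tail of the year past the last report
    return gaps


def gap_days(gaps):
    """Total number of fiscal-year days with no Type 2 coverage."""
    return sum((end - start).days + 1 for start, end in gaps)


def _iso(pairs):
    return [(s.isoformat(), e.isoformat()) for s, e in pairs]


def assess_vendor_report(report_type, fiscal_start, fiscal_end, periods):
    """Summarise what the report(s) give you and what still needs a gap letter.

    Dates may be given as date objects or ISO strings; results use ISO strings.
    """
    fy_start, fy_end = _as_date(fiscal_start), _as_date(fiscal_end)
    spans = [(_as_date(s), _as_date(e)) for s, e in periods]
    if report_type.strip().lower() == "type 1":
        # A Type 1 describes controls as of a date with no effectiveness testing,
        # so for reliance purposes the whole fiscal year is uncovered.
        relies, short, gaps = False, [], [(fy_start, fy_end)]
    else:
        relies = True
        short = [(s, e) for s, e in spans if (e - s).days + 1 < MIN_TYPE2_DAYS]
        gaps = coverage_gaps(fy_start, fy_end, spans)
    return {
        "relies_on_testing": relies,
        "short_periods": _iso(short),   # report periods under the six-month rule of thumb
        "gaps": _iso(gaps),             # stretches that need a negative assurance memo
        "bridge_letter_days": gap_days(gaps),
    }


if __name__ == "__main__":
    # Constructed scenario (an assumption, not from the post): calendar fiscal
    # year 2009, and the vendor's Type 2 report covers 1 Jan through 30 Sep 2009.
    result = assess_vendor_report("Type 2", "2009-01-01", "2009-12-31",
                                  [("2009-01-01", "2009-09-30")])
    for start, end in result["gaps"]:
        print(f"gap letter needed for {start} to {end}")
    print(f"{result['bridge_letter_days']} days need a negative assurance memo")
```

Because the function accepts several report periods, it also handles the common case where your fiscal year is bridged by two consecutive annual reports from the vendor; whatever those reports leave uncovered is exactly what the gap letter has to attest to.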

Bruce Pounder wrote a great article on codification and the possibility that it might weaken internal controls (excerpts below). We have a complete listing of codification mappings available for viewing via this link: Vibato's Codification Listing.
"Could Codification Weaken Internal Controls? Maybe. And here's what you can do to mitigate the effect on your accounting policies, disclosures, and error detection.
On July 1, 2009, the Financial Accounting Standards Board formally adopted its Accounting Standards Codification™ (ASC) as the source of authoritative generally accepted accounting principles for nongovernmental entities in the United States. The codification profoundly changed the way U.S. GAAP is documented, updated, referenced, and accessed."
He also gives the following list (with explanations in the article):
Five Areas to Focus On:
- Accounting policies;
- Accounting policy disclosures;
- Accounting principle changes;
- Error detection and correction; and
- Competencies.
Click here for the complete article
I hear stories daily about people who are paying incredible amounts of money to have a third party implement their internal control infrastructure and then test their internal controls on an annual basis.
Just today we had the opportunity to bid on a pre-revenue non-accelerated filer with fewer than 30 employees. Competitors had already submitted their bids, both upwards of $50,000 based on our familiarity with their approach. In our book this would be a SOX Basic® project, fixed price at $5,590, which includes the software, all of the best-practice controls, consulting time to complete the implementation, and all of the supplemental documents (i.e., policies, forms, checklists, etc.) to help the company execute each control. Don't get me wrong, I understand the value CPAs bring, but are they honestly worth upwards of $350 an hour for non-specialized work? And when I speak of non-specialized work, I am including Sarbanes-Oxley compliance work, even if you have material weaknesses. I have put forth nearly 10 years of work to streamline the implementation and testing process required to become and stay compliant with Sarbanes-Oxley. Additionally, we've put in place measurement tools that show you a four-year plan for reducing your internal control count down to the minimum number of controls required to stay compliant, thus reducing your overall compliance costs going forward. The tool also shows you exactly what you need to do to take all testing in-house, removing your reliance on a third-party service provider and allowing your company to be completely self-sufficient.
You may have heard about, or personally experienced, companies working hard to reduce their controls. This doesn't mean they are no longer performing all of their controls; it means that the set of controls subjected to internal and external testing each year is reduced. My experience has taught me that each internal control will cost a company roughly $50K over its lifetime. It is in your company's best interest to get this number down.
To that end, and back to the title of this post: if you are paying tens of thousands of dollars for annual third-party testing of around 80 controls, we believe you are paying too much. Testing 80 controls annually, if well managed by professionals who understand external audit requirements and who are looking out for your best interest, can easily be handled by one to two people. Well-qualified Sarbanes-Oxley testers with CPAs shouldn't cost you as much as higher-level audit and legal services.
Additionally, I would highly recommend that every company consider testing quarterly rather than annually to ease the year-end workload but more importantly, to allow you to find errors early and give yourself time to remediate in the current year.
If you are paying more than you think you should for controls testing or if you would like to see how your internal control count could be reduced over a four-year period, give me a call at Office: 415.240.4867 x 2300 or Mobile: 707.477.0008 or email me at tbockwoldt@vibato.com. We would be happy to provide you with a free analysis so you may explore your options. This is especially important for those non-accelerated filers facing SOX 404(b) compliance this year...
Look what our clients have to say:
"We didn't have a dedicated budget to complete our SOX compliance but as a small public company that was going to be an accelerated filer by our next year-end, we knew we had to figure something out quickly that would allow us to comply with the full SOX 404 requirements. Vibato had a solution for us that cost less than $6,000, which was significantly less expensive than anything else we had seen in the market. I would recommend them to anyone looking for a cost-effective and scalable solution." Bob Ogden, CFO, Omni Bio Pharmaceutical, Inc.

___________________________
"Working with Vibato has allowed us to focus on reducing the costs associated with the ever-challenging Sarbanes-Oxley compliance regulations," said Margaret Randazzo, CFO, Akeena Solar, Inc. "As a public company, it is important that we use a tool like SOX Compliance Made Simple, as it allows us to efficiently manage the internal controls processes and external audits. Thus far, we've reduced our costs by over 75% on our SOX preparations and ongoing maintenance. In addition, we are already seeing a positive peek into the expected ROI - we expect to save more than this next year, which is huge for a company of our size and a great example of improving shareholder value!"

___________________________
ZAGG completes a full Sarbanes-Oxley implementation in less than one week and for less than $45K.
"Our company was growing rapidly and we learned late in our fiscal year that we would be subjected to a full SOX 404 audit by our external auditors. Vibato helped us get everything done quickly and worked with our team to put everything in place to ensure we were ready to go. Their approach is the most cost-effective and efficient that I have seen and they did the entire project at a fraction of the cost of competing alternatives. We were thrilled with the results and I am very impressed with their unique approach." Brandon O'Brien, CFO, ZAGG Inc.

___________________________
Solar Power Inc. (OTCBB: SOPW) a leading designer, manufacturer and installer of photovoltaic solar power systems, implemented SOX Compliance Made Simple® (SCMS) to handle internal controls for five of their business divisions in their California and Shenzhen, China locations.
"When we used SCMS I was very impressed by how painless and effective the process was," said Jeff Winzeler, chief financial officer, Solar Power Inc. "We were up and running in a few days, and expect to save more than $100K per year on our ongoing compliance costs through reductions in audit fees. Our internal control infrastructure was documented cost-effectively and efficiently, allowing for greater transparency while streamlining internal activities. Vibato has really delivered a strong ROI for us by making a complex, time-consuming process a simple and effective one."

___________________________
"Vibato came into an extraordinarily difficult SOX situation at VaxGen and literally worked miracles. Vibato is extraordinarily productive, tenacious and dedicated. We called them "the bulldog" for a while, due to their determination and perseverance in overcoming all obstacles. I would and have recommended them to anyone with SOX issues to overcome and would not hesitate to use them again given the chance." Matt Pfeffer, CFO, VaxGen, Inc.

___________________________
"Vibato's work can be characterized most by the terms effectiveness and efficiency. They were a valuable addition to our team and aided, in a large measure, the advancement of our process discovery and reengineering efforts. Their productivity set a new standard for our team and their efforts made a lasting contribution." John Pearl, IT Manager, IPIX

___________________________
"It was my pleasure to work with Vibato. Our company hired them as a consultant to help us to streamline our business processes and build our internal control procedures. Within a very short period of time, Vibato had interviewed a lot of people in the company and provided a detailed flow chart for each department/ business process. The recommendations were presented to each department and the process improvement plans have been developed. Vibato is very professional and experienced. Vibato also demonstrated excellent communication skills and interpersonal skills." Shelley Chen, Accounting Manager, OVISO Manufacturing
Small Non-Accelerated Filers Now Have a Cost-Effective Option for Sarbanes-Oxley, Section 404(b) Compliance
SAN FRANCISCO, Calif. - February 17, 2010 - Vibato, the only provider of the fixed-price, best-practice, modular approach to meeting Sarbanes-Oxley (SOX) and SAS-related compliance requirements, today announced the release of SOX BASIC®. This revolutionary approach to SOX compliance delivers a size-specific SOX implementation to smaller reporting companies in just one day and for less than $6,000, a fraction of the cost of competing alternatives and a compelling solution for this under-served segment of the market.
The latest SEC report, "Study of the Sarbanes-Oxley Act of 2002 Section 404 Internal Control over Financial Reporting Requirements," estimates the average cost of outside vendor assistance for companies with under $75M market capitalization for their 2008 fiscal year at approximately $82,000 for initial implementation (table 8, pg. 44). This is the result of the traditional time-and-materials approach to scoping and implementing a SOX engagement, and it does not align with the budget and resource constraints faced by many smaller public companies today.
With the rapidly approaching deadline of June 15, 2010 for the auditor attestation of internal controls or SOX Section 404(b), non-accelerated filers need a reasonable solution that fits their budget, level of resource availability and ongoing maintenance requirements.
For the first time, a fully-integrated, best-practice approach to establishing and documenting internal controls for smaller public companies, as well as startups or larger companies with smaller initial requirements, is available in the form of a comprehensive toolset that can be implemented in one day and for a fixed price.
"We were impressed with the rapid implementation, thorough integration and cost-effective approach delivered in the SOX BASIC toolset from Vibato," said Rod Meisel, corporate controller, Cereplast, Inc. "The initial implementation was a very straightforward process. It got us on the right track for our year-end audit and met our budget constraints."
SOX BASIC is built on the same proven, integrated framework originally introduced in SOX Compliance Made Simple® (SCMS), but designed specifically for companies with fewer than 25 employees, or who need fewer than 20 internal controls to meet their compliance requirements. SOX BASIC includes the features listed below in a unique integration of the industry-proven, best-practice approach offered in the SCMS framework:
- Support - Includes consulting time to perform the implementation and help set up a controls testing plan.
- Risk Assessment - Measures both quantitative and qualitative factors for determining in-scope processes and identifying the high-risk areas of the business.
- Control Matrix - Supports up to 20 predefined best-practice controls available from the 17 process cycles currently offered by Vibato, covering all key areas of the business in addition to the following fully-integrated items:
o Dashboard to track initial results and ongoing updates
o Internal controls sub-certification for the 302 Attestation
o Automatic change control tracking
o Project plan with milestone deliverables
o Recommended testing sample sizes based on auditor selection
o PBC listing and summary
o Summary of aggregated deficiencies
o One-click roll-forward functionality that saves relevant historical data and prepares the tool for the next year
- Segregation of Duties Analysis - Analyzes 304 unique segregation conflicts, and identifies the specific resources affected along with suggested remediation strategies.
- Integrated Testing and Documentation - Includes test plans and every policy, checklist, form, and other documents necessary to execute each control as written.
SOX BASIC is also available for licensing by financial services and public accounting and consulting firms looking for a different approach to assisting their existing and potential clients with their compliance objectives.
"We developed SOX BASIC specifically for smaller public companies who have limited resources and internal controls needs," said Teresa Bockwoldt, chief executive officer, Vibato. "Our belief is that having a solid best-practice approach to use as a guide while a company grows will give companies an advantage from the start. SOX BASIC allows a company to start very small and scale as they grow."
To download the SOX BASIC product flyer, please click here.
We have just posted a significant amount of FAS 123(R) / ASC 718, Compensation - Stock Compensation, codification cross-reference information to our Codification Tools page.
View the FAS 123R / ASC Topic 718 Codification Information page by clicking here
This is for all of those KPMG, PwC, IRS, and Federal Reserve people who look at our Codification cross reference tools everyday (including Saturdays....poor things...).
I've moved it all to one page so you can search by terms, etc and I am going to be adding to it shortly. Here is where it is now located:
http://www.vibato.com/resources/codification-tools/
GO CRAZY!
Want to save your accounts payable department time and money? Help them do their job better and faster by providing a signature example sheet. This sheet should list the name, title, signature example, and initials example of each person authorized to approve payments for your company. That way the AP clerk can recognize an approval signature without having to ask questions or, better yet, recognize when an approval signature is not correct and escalate the concern. Treat the sheet itself as confidential: it is a set of signature specimens, so keep it with the AP clerk rather than on a shared drive.
We have a nice signature example template that we would be happy to give to you. Register via the below button to receive this document.

Another very good control in the accounts payable process is that employee expense reports should be reviewed and approved by someone other than the owner of the expense report; this goes for company founders and C-level executives as well. This review must be formally documented to pass Sarbanes-Oxley.
A great way to accomplish this is to use an employee expense report form. We have a great employee expense report that we'd be happy to give to you. Register via the button below to receive it.

Another very good control is that any payment request not backed by an approved purchase order should have audit support for its approval in the form of an approved check request form, an email, or the like.
For instance, someone needs to buy printer toner in bulk that costs $1,000. The employee may verbally ask the AP department to cut a check, which seems harmless, but in a Sarbanes-Oxley compliance world you cannot prove that the conversation took place, so you need procedures that make the approval auditable.
A great way to accomplish this is to use a check request form. We have a great check request form that we'd be happy to give to you. Register via the button below to receive it.
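The three AP controls above (approver must be on the signature example sheet, no one approves their own expense report, and non-PO payments need documented approval) expressed as a check an AP clerk or a reviewer could run over a batch of payment requests. This is an added example, not code from the original post or from Vibato's products; the approver list, the request fields, the sample requests and all function names are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed stand-in for the signature example sheet: who may approve payments.
# Names and titles are assumptions for illustration.
AUTHORIZED_APPROVERS: Dict[str, str] = {
    "jdoe": "Controller",
    "asmith": "VP Finance",
    "ceo": "Chief Executive Officer",
}


@dataclass
class PaymentRequest:
    request_id: str
    requester: str               # employee asking for payment / owner of the expense report
    approver: str                # whose signature or initials appear on the approval
    amount: float
    kind: str                    # "po", "expense_report" or "check_request"
    po_number: Optional[str] = None           # required when kind == "po"
    approval_evidence: Optional[str] = None   # form number or email reference for non-PO payments


def review_payment(req: PaymentRequest) -> List[str]:
    """Apply the three AP controls from the post and return the exceptions found.

    An empty list means the clerk can pay; anything else should be escalated.
    """
    findings = []
    if req.approver not in AUTHORIZED_APPROVERS:
        findings.append("approver is not on the signature example sheet")
    if req.approver == req.requester:
        # applies to founders and C-level executives as well
        findings.append("self-approval: approver is the owner of the request")
    if req.kind == "po":
        if not req.po_number:
            findings.append("purchase-order payment has no PO number")
    elif req.kind in ("expense_report", "check_request"):
        if not req.approval_evidence:
            findings.append("non-PO payment has no documented approval (form or email)")
    else:
        findings.append(f"unknown request kind: {req.kind!r}")
    return findings


def review_batch(requests: List[PaymentRequest]) -> Dict[str, List[str]]:
    """Return the exceptions per request id; ids with an empty list are clean."""
    return {req.request_id: review_payment(req) for req in requests}


# Constructed sample batch (not real transactions).
SAMPLE_REQUESTS = [
    PaymentRequest("PR-001", "bwayne", "jdoe", 4200.00, "po", po_number="PO-7781"),
    PaymentRequest("PR-002", "ceo", "ceo", 1850.00, "expense_report", approval_evidence="ER-2010-014"),
    PaymentRequest("PR-003", "bwayne", "jdoe", 1000.00, "check_request"),  # the verbal toner request
    PaymentRequest("PR-004", "bwayne", "asmith", 1000.00, "check_request", approval_evidence="CRF-0042"),
    PaymentRequest("PR-005", "bwayne", "ckent", 300.00, "po", po_number="PO-7790"),
]

if __name__ == "__main__":
    for request_id, findings in review_batch(SAMPLE_REQUESTS).items():
        status = "OK" if not findings else "ESCALATE: " + "; ".join(findings)
        print(f"{request_id}: {status}")
```

The toner request (PR-003) is the case from the post: a valid approver, but nothing an auditor could inspect, so it is escalated until a check request form or email reference is attached.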

Here is even more codification information from the FASB Accounting Standards. Please verify the accuracy of this information prior to relying on it.
We hope this information is helpful!
We have a 30+ page listing of Codification cross reference information available for download via this link.
DERIVATIVES

| Topic | Accounting Standards | FASB Codification |
|---|---|---|
| Definition | FAS 133, par. 6, 9 | ASC 815-10-15 |
| | FSP EITF 00-19-2 | ASC 825-20 |
| Scope exceptions | FAS 133, par. 10 | ASC 815-10-15 |
| | FAS 133, par. 11a | ASC 815-10-15-74 |
| | EITF 07-5 | ASC 815-40-15 |
| | EITF 00-19 | ASC 815-40 |
| | DIG A6 | ASC 815-10-55 |
| | DIG A10 | ASC 815-10-15 |
| | DIG A12 | ASC 815-10-55-99 thru 110 |
| | DIG C12 | ASC 815-10-15-39 |
| Embedded Derivatives | FAS 133, par. 12, 13, 61 | ASC 815-15-25 |
| | DIG B16 | ASC 815-15-25-42 thru 43, and 815-15-55-13 |
| | DIG B38 | ASC 815-10-15-107 thru 109 |
| | DIG B39 | ASC 815-15-25-37 thru 39, and 815-15-55-25 |
| | EITF D-109 | ASC 815-10-S99-3 |

HEDGING

| Topic | Accounting Standard | FASB Codification |
|---|---|---|
| Eligibility / Designation | DIG G2 | ASC 815-20-55-111, Example 8 |
| | DIG G13 | ASC 815-20-55-88, Example 4 |
| | FAS 133, par. 20c, 28c | ASC 815-20-25-94 |
| | FAS 133, par. 29 | ASC 815-20-25-15 |
| | FAS 133, par. 32 | ASC 815-30-40-1 thru 3 |
| | FAS 133, par. 40a | ASC 815-20-25-61 |
| Hedge effectiveness and ineffectiveness | FAS 133, par. 68 | ASC 815-20-25-102 thru 117 |
| | DIG G20 | ASC 815-20-25-126, 55-209, and 35-33 |
| | FAS 133, par. 120c | ASC 815-25-55-53, Example 9 |
| | FAS 138 FV Example | ASC 815-25-55-72, Example 11 |
| | DIG G7 Method 1 | ASC 815-30-35-16 |
| | DIG G7 Method 2 | ASC 815-30-35-25 |
| | DIG G7 Method 3 | ASC 815-30-35-31 |
| | DIG H8 | ASC 815-35-35 |
| | DIG E7 | ASC 815-20-35 |

OTHER BROAD TRANSACTIONS

| Topic | Accounting Standard | FASB Codification |
|---|---|---|
| Transfers | FAS 140 / FAS 166*** | ASC 860 (***not yet codified) |
| | FAS 156 | ASC 860-50-35 and 860-50-50-5 |
| Consolidations | FIN 46R / FAS 167*** | ASC 810 (***not yet codified) |
| | ARB 51 | ASC 810-10 |
| | FAS 160 | ASC 810-10-65-1 |
| | EITF 96-16 | ASC 810-10-25-1 thru 14 |
| | EITF 04-5 | ASC 810-20-25-1 thru 20, and 810-20-55-1 thru 16 |
| | EITF 85-12 | ASC 810-10-25-15 |
| Leasing | FAS 13 | ASC 840 |
| | FAS 98 | ASC 840-40 |
| | EITF 97-10 | ASC 840-40-55 |
| | EITF 01-8 | ASC 840-10-15/55 |
| | EITF 00-13 | ASC 360-20-15/55 |
| Foreign Currency Matters | FAS 52 | ASC 830 |
| | EITF D-55 | ASC 830-10-45-12 and 830-10-55-2 |