A Guide to the Impact of SAS 70 on Outsourcing Projects

The worlds of outsourcing and U.S. financial regulation are beginning to converge. In particular, a growing number of large (and not-so-large) companies are insisting on comprehensive, regulation-driven audit requirements as part of their outsourcing arrangements. This can be a contentious area, with the parties arguing over the scope of the audit and over who will bear its costs, which can be substantial.

The issue is not confined to U.S. companies, or even to the outsourcing of financial services. The relevant laws and standards, the Sarbanes-Oxley Act of 2002 (SOX) and the Statement on Auditing Standards No. 70: Service Organisations (SAS 70), potentially affect not just U.S. companies and foreign subsidiaries of U.S. companies, but also any company based outside the U.S. that is subject to U.S. Securities and Exchange Commission (SEC) regulation or that uses U.S. accounting rules.

In order to negotiate these issues effectively, it is vital to understand why a so-called SAS 70 audit is required and what it entails. In this article, we give the background to SAS 70 and its application to outsourcing agreements and aim to answer some of the queries typically raised in respect of SAS 70. We also detail some of the issues that companies need to consider when outsourcing processes that are subject to SAS 70, and likewise some of the issues that service providers need to know when a customer insists on having SAS 70 audit rights.

What are SOX and SAS 70?

In its short life, SOX has become almost a household name. It is a U.S. federal law that was passed in July 2002 in response to high-profile business accounting scandals, such as Enron and WorldCom, in order to reinforce investment confidence and protect investors by improving the accuracy and reliability of corporate disclosure. Amongst other things, SOX establishes standards with which public companies and public accounting firms must comply, and addresses key issues such as auditor independence, corporate governance, internal control assessment, and enhanced financial disclosure.

Less well-known than SOX, SAS 70 is shorthand for the Statement on Auditing Standards No. 70: Service Organisations, an auditing standard issued by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA). SAS 70 defines the professional standards that govern how an external auditor should assess and report on the internal controls of an external service provider, and it applies to all audits conducted under U.S. Generally Accepted Auditing Standards (GAAS). SAS 70 is not new; it was adopted as a standard in 1992. However, the growth of outsourcing and the visibility of the control requirements introduced by Section 404 of SOX have greatly increased the attention paid to SAS 70 audits.

What is the Link between SAS 70 and SOX?

Section 404 of SOX and the relevant rules promulgated by the SEC [2] require each SEC-listed company to produce a report on the company's internal controls as part of the annual report which the company files with the SEC. [3]

This report must contain, amongst other things, an assessment of the effectiveness of the company's internal control structure and procedures for financial reporting. This means that the company has to (i) evaluate the effectiveness of the company's internal control over financial reporting; and (ii) have the public accounting firm that conducted the audit attest to and report on the assessment made by the company's management. The way in which a company's internal control over financial reporting is assessed is governed by Auditing Standard No. 2 (AS2), set by the U.S. Public Company Accounting Oversight Board (PCAOB). [4]

If a company does not use any external service providers to carry out its business, there is no additional SAS 70 requirement over and above this SOX Section 404 obligation. But, of course, companies that use no outsourcing or other external service providers to perform business functions are very rare. So any company with outsourcing arrangements that affect its internal control over financial reporting must also test the effectiveness of the internal controls of its outsourcing service provider as part of its SOX Section 404 assessment, and the procedures set out in SAS 70 [5] are the means by which that assessment must be carried out.

In practice, this means that the company should obtain an SAS 70 Report on the external services provider from an independent auditor.

Does SAS 70 Apply to All Outsourcing Arrangements?

In deciding whether SAS 70 applies to a particular outsourcing arrangement, a company has to consider two things: the requirements of the SEC rules and the requirements of SAS 70 itself. The basic test is whether outsourcing affects the company's internal control over financial reporting.

According to the SEC rules, [6] an internal control over financial reporting means a process which is designed by, or under the supervision of, the company's management to provide reasonable assurance...
