captive and ART resources

SAS 70: A Strategic Advantage in Challenging Times

By Andrew Pinnero, CISA; Deborah Lambert, CPA, CPCU; and James Murphy, CPA

Setting: Your office – a typical day

These are tough economic times for insurance industry third-party service providers, such as TPAs, MGAs and MGUs, and you feel the pressure. You are concerned about increasingly stiff competition, pricing pressures from existing customers and the ever-present specter of regulatory change. Between keeping customer service up 24/7, IT systems performance maximized and application processing running smoothly, your day is pretty much booked.

As soon as you have a chance, you plan to focus on initiatives to enhance your organization’s value: enhanced customer services, development of prospective customers and internal cost savings measures. Then you check your e-mail inbox and find the following new messages:

From: Customer - An examiner from the Department of Insurance has commenced a financial examination today. The document request requires a description of our IT controls including IT controls at any TPAs (i.e., your organization). Please send me the required documentation ASAP!

From: Prospective Customer - You are one of three finalists in our search for a new TPA. I have one follow-up question. Under the pending changes to the NAIC Model Audit Rule, we will be required to perform an assessment of our internal controls. My compliance team informs me that we would need to include in the scope of our review your controls over the transactions you would process for our organization. How are you planning to facilitate that for your customers?

From: Customer’s External Auditor - We need to schedule a visit to your location to arrive next week. We will be sending two people, we plan on spending two weeks on site and will need assistance from your staff to identify, document and test your processes, controls and IT environment. How does Monday morning work for you?

You sit back and think - There has to be a more efficient way of doing business!

* * *

There is a more efficient way for insurance industry service providers to respond to these time-consuming requests - “SAS 70.” A SAS 70 audit report is the ideal tool for an insurance industry third-party service provider to demonstrate that it has adequate processes, controls and safeguards in place to process customer transactions and maintain customer data.

What is SAS 70?

A SAS 70 is an audit engagement that results in a report describing a service provider’s internal controls over some or all of its third-party processing functions. The SAS 70 audit report signifies that the third-party service provider has had the description and design of its controls examined by an independent CPA firm.

The term “SAS 70” is derived from Statement on Auditing Standards (SAS) No. 70, Service Organizations, an internationally recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA). The service was originally developed to facilitate the interactions between a third-party service organization and its customer’s auditors. However, in recent years, the uses of SAS 70 reports have rapidly expanded to meet the needs of customers and prospective customers.

There are two types of SAS 70 audits in wide use today: Type I and Type II. The type selected depends on the overall objectives of the service provider. Type I audits include an examination of controls that have been placed in operation and illustrate how these controls achieve the specified control objective for a stated period of time. There is no testing of controls performed in a Type I audit. Type II audits include matters covered in a Type I engagement as well as defined tests of operating effectiveness. Testing of controls is required for Type II audits. Most SAS 70 audits performed today are Type II engagements.

Once I have a SAS 70, how will it be used?

Three primary users of SAS 70 audit reports are customers, prospective customers and customers’ auditors.

Customers use SAS 70 audit reports in their monitoring of outsourced activity. They receive valuable information about the design and effectiveness of the service provider’s controls from the SAS 70 audit report. Publicly held customer companies generally require SAS 70 audit reports to comply with Sarbanes-Oxley Section 404 requirements. As the NAIC Model Audit Rule requirements regarding internal control assessments become effective for insurance companies, SAS 70 will play a similar critical role in the assessment of internal control by private insurance company customers of service providers.

Service providers also effectively use SAS 70 reports in marketing to prospective customers and to differentiate their organization from competitors. Increasingly, the requirement for a SAS 70 audit is included in contracts between a customer and the service provider. Failure to have such a SAS 70 audit available could hamper or preclude a service provider from being successful in winning a new business opportunity.

Customers’ external auditors use the SAS 70 audit report to obtain evidence required in planning and performing audits of the customer’s financial statements. The availability of a SAS 70 Type II audit report will usually eliminate the need for the customer’s auditor to perform work at the third-party service provider’s location or at least reduce the scope of the work required, thus minimizing the disruption to the service provider’s personnel.

How will my organization benefit from a SAS 70?

The service provider benefits from having a SAS 70 audit report because its relationships with customers, prospective customers and its customers’ auditors are more efficient. The communication of similar critical information needed by each of these different users is provided efficiently and cost-effectively through one uniform reporting format: the SAS 70 audit report. The service provider also enjoys the benefit of receiving objective audit-based recommendations on improving its operations and controls.

I see the benefit. What is the process for getting a SAS 70 audit performed for my organization?

A SAS 70 audit can only be performed by an independent licensed CPA firm. In selecting a firm to perform a SAS 70 audit, a service provider should consider the CPA firm’s experience in performing SAS 70 engagements for similar organizations.

An efficient and cost-effective SAS 70 audit engagement relies on fundamental project management concepts. A detailed project plan should be developed jointly by the CPA firm selected to perform the SAS 70 audit and the service provider. The project plan will have three phases: planning, fieldwork and reporting.

During the planning phase, agreement will be reached on the specific scope of the engagement. Because the nature and extent of third-party services provided by service providers vary, the specific scope of the engagement will be customized to reflect the operations of the service provider and to meet the needs of the users of the report. A timeline should be developed detailing the various activities and milestones of the engagement. The project team will include both employees of the service provider and the members of the CPA firm’s engagement team. During the planning phase, specific roles and responsibilities of each of the project team members should be established.

The fieldwork phase of the engagement begins with the development or updating of management’s description of internal controls applicable to the services it provides to its customers. This description, which typically runs between 8 and 20 pages or more in length, will become a component of the final SAS 70 report. While management is responsible for this description, the auditor can be very helpful in assisting with management’s determination as to what types of information to include in the description. In the first SAS 70 audit performed for a service provider, the development of management’s description can be challenging. However, in subsequent years, it is normally fairly easy to update. Through inquiry, walk-through and observation, the CPA firm then verifies that management’s description fairly presents the relevant aspects of the Company’s controls that have been placed in operation as of a specified date. Management and the auditor then discuss and agree upon the nature, timing and extent of planned control testing procedures, and the CPA firm executes the control testing plan. The detailed description of the control testing performed and the results of the tests become a part of the final SAS 70 audit report.

During the reporting phase, management and the CPA firm collaborate to pull together the various components of the SAS 70 report. The components of the SAS 70 report typically include:

  • Independent auditor’s report;
  • Description of processes and controls provided by management;
  • Control objectives and related controls and independent testing of effectiveness of controls provided by the auditor;
  • Other information provided by management.

A SAS 70 report is a substantial document, typically between 40 and 70 pages or more for complex organizations. The reports are usually available in both hard copy and PDF.

For a service provider that wants to have a SAS 70 report prepared for the first time, a preliminary project, often referred to as a “readiness review,” is highly recommended. A SAS 70 readiness review is performed by the CPA firm and precedes the SAS 70 audit engagement. The readiness review helps to prepare a concise documentation of the processes and controls that will ultimately become part of the SAS 70 report. It also identifies control design or effectiveness issues that need to be remediated before the actual SAS 70 audit begins. This is an important step as the objective of the SAS 70 is to ensure that controls are working as designed. A readiness assessment is a useful and proactive tool in successfully completing an initial SAS 70 audit.

Setting: Your office – a typical day after obtaining a SAS 70 Type II audit report

You are feeling much more relaxed now that you have a SAS 70 report in hand. While there were some challenges in getting processes and controls documented and in shape for the initial SAS 70 audit, your overall operations seem to be running a little more smoothly. You notice that your personnel have a better understanding of how your operation works and you even implemented some of the improvements that were identified during the course of the audit. You also happily observe that the monthly income statement that just came out shows expenses favorable to budget; could that possibly be the effect of some efficiencies that were identified during the SAS 70 readiness review and audit? Now maybe you can focus on those initiatives to enhance your organization’s value: enhanced customer services, development of prospective customers and internal cost savings measures. But first you had better check your e-mail inbox.

You find three e-mail messages very similar to those you received on that typical day not so long ago – before you had a SAS 70 audit performed. However, you are now able to efficiently and immediately respond to each of those messages with the following:

To: Customer, Prospective Customer or Customer’s External Auditor - I received your e-mail requesting information about our processes and controls over third-party services. I am attaching for your reference a PDF copy of our most recent SAS 70 audit report covering our TPA services. I believe this report will be responsive to most, if not all, of your information needs. Please do not hesitate to contact me if you need any further information.

Wow – now you finally do have time to focus on those initiatives to enhance your organization’s value!

* * *

Andrew Pinnero, CISA; Deborah Lambert, CPA, CPCU; and James Murphy, CPA are all affiliated with Johnson Lambert & Co. LLP, a CPA firm formed in 1986. Johnson Lambert & Co. LLP’s business strategy, unique among CPA firms, is to focus aggressively on distinct industry niches where the firm can differentiate itself by possessing a unique depth of technical expertise and experience specifically relevant to client needs. The insurance industry has been a primary focus of Johnson Lambert & Co. LLP since its inception. The firm provides financial statement audit, SAS 70 audit and tax services to insurance companies and organizations serving the insurance industry. For contact and further information, visit www.jlco.com.