Are You Ready For Son of Sarbox?


Just when corporate America thought it had met all of the reporting and auditing demands resulting from the Sarbanes Oxley Act (http://www.tidwelldewitt.com/sox.htm), another piece of Senate legislation is pending that would assess huge fines for financial service companies and other data managers that fail to adequately protect personal data.

The Personal Data Privacy and Security Act (S1332) is a regulatory hammer pending in Congress that supporters say will help ensure that data brokers utilize adequate data privacy and security systems. The pending legislation provides for fines of up to $35,000 per day for violations of certain sections of the act. It's a sign of the times, and no one is going to be off the radar. Get ready for son of Sarbox.

This legislation underscores the need for companies outsourcing their business processing services to make sure their vendors have the necessary internal and external safeguards in place. The SAS 70 (Statement of Auditing Standards No. 70) (http://www.tidwelldewitt.com/sas70.htm) audit is quickly becoming the industry standard for making such determinations. We are seeing a significant upsurge in demand for the SAS 70 in this era of heightened awareness about maintaining confidentiality of personal information.

Companies outsourcing their business processing services (such as claims management, credit card processing, information technology and other data-based processes) should now insist their service vendors undergo a rigorous examination under the SAS 70. The SAS 70 is simply an auditing tool that outsourced financial service providers use to demonstrate to their clients the integrity of their processes.

For companies not already utilizing SAS 70, the pending S1332 bill (which may come up for full Senate consideration in this term of Congress) is a prudent step toward meeting expanding federal data security regulations. U.S. Sen. Patrick Leahy (D-Vt.), one of the co-sponsors of S1332, puts it this way: "Insecure databases have become low-hanging fruit for hackers looking to steal identities and commit fraud during a time when we are seeing a troubling rise in organized rings that target personal data to sell in online virtual bazaars." His co-sponsor on the bill is U.S. Sen. Arlen Specter (R-Pa.), so it is a bipartisan initiative that has a reasonable possibility of passage.

HOW TO CHOOSE A SAS 70 AUDITOR

In choosing a SAS 70 auditor (http://www.tidwelldewitt.com/), you should:

* Make sure the audit will not be done with a standard template, but will be customized for you and your data vendor.

* Choose a firm that has significant experience in SAS 70 audits, one that can take it to full completion and then stand by its work if you come under regulatory scrutiny or face a legal challenge.

* Ask for examples of their SAS 70 work in the past or at the present time.

* Ask if their clients have survived a regulatory or legal challenge to their data control standards.

* Find out if the firm has a specialized SAS 70 unit that performs only that type of work.

* Determine if the potential auditor is a consulting firm only. If so, they cannot legally sign off on the audit (only a CPA firm can do this).

TWO TYPES OF AUDITS

There are actually two levels of SAS 70 audits that service organizations must complete:

In a Type I report, the service organization provides a description of its controls at a given time. During the audit, the service auditor evaluates the accuracy of that description and whether the controls were suitably designed to achieve the specific control objectives.

A Type II report includes the information from the Type I, as well as an analysis and results of detailed tests conducted on the service organization's controls over a period of at least six months.

In order to be sound, SAS 70s must be performed by outside auditing firms with significant experience in this specific type of audit.

MARKETING VALUE SHOULD BE CONSIDERED

Service organizations receive significant value from having a SAS 70 engagement performed. A service auditor's report with an unqualified opinion that is issued by an independent accounting firm differentiates the service organization from its peers by demonstrating the establishment of effectively designed control objectives and control activities.

Rather than look at the SAS 70 as just another audit process to be endured, smart service providers see having a SAS 70 as a seal of approval they can use in their marketing efforts, similar to the ISO 9000 designation or the Underwriters Laboratories seal of approval in industry. Having completed a SAS 70 audit also helps service organizations build trust with their customers, and get repeat business and referrals to others.

It has reached the point that the SAS 70 is no longer optional for outside vendors providing financial and IT services to clients. Given the stakes now, companies just can't run the risk of assuming that an outside service provider is doing all of the right things. The SAS 70 audit (http://www.tidwelldewitt.com/) is one way they can be certain those vendors meet all of the requirements of Sarbanes Oxley and the new Senate legislation under consideration.

SAS 70 was first developed by the American Institute of Certified Public Accountants in 1992, but was not widely applied until the Sarbanes Oxley Act became law in 2002. Following implementation of the Sarbanes Oxley Act in 2005, SAS 70 audit reports became essential to full compliance with the act's external service control requirements. If you haven't asked if your service provider is SAS 70 compliant, you should do so right away.

Submitted by:

A. Mitchell Poole, Jr.

Mitch Poole is an Atlanta managing member of Tidwell DeWitt and directs the Sarbanes Oxley and SAS 70 initiatives within the Regulatory Compliance Group. Mitch Poole has more than 30 years of experience and direct responsibility in financing, financial reporting, acquisitions and divestitures, shareholder/owner relations, strategic planning, accounting, risk management, IT management, human resources including employee benefit plans, labor management, and equipment management.

View their website at: http://www.TidwellDeWitt.com



https://articlesurfing.org/business_and_finance/are_you_ready_for_son_of_sarbox.html

Copyright © 1995 - Photius Coutsoukis (All Rights Reserved).









