Ever since the Sarbanes-Oxley Act pushed SAS 70 (Statement on Auditing Standards 70) to the forefront of the internal-control certification debate, there have been questions among auditors and their corporate clients about its usefulness and when (and whether) a SAS 70 is required.
The usefulness of SAS 70s remains debatable, but three trends are making them a more contentious issue for treasury practitioners:
1) Auditors’ hunger for documentation. The prevailing mood in the audit world is such that auditors are grasping for any shred of evidence that gives them comfort in their own audit conclusions, and provides a paper trail to support them in case the PCAOB comes calling.
As a result, audit firms are requiring more documentation across the board, and a document that’s signed by another auditor permits them to check another item off their auditing checklist.
“Truly, a SAS 70 is typically an auditor-to-auditor communication,” said Michael Leary, director of treasury and compliance services at JPMorgan Fund Services. “Since the dawning of SOX, it has morphed a little bit and treasurers are starting to utilize it more.”
According to Tom Ellis, national director of Business Advisory Services at Grant Thornton, the SAS 70 allows an independent auditor to not only evaluate the control requirement but also produce a report that’s standardized, allowing other auditors to rely on the document. “Over time,” he said, “[the SAS 70] has taken on larger proportions.”
Other auditors basically use the SAS 70s to reduce the amount of independent testing they have to do for each client. Said Mr. Leary: “They can rely on another auditor’s work so that each auditor doesn’t have to come in and do transaction testing.”
2) Treasury’s outsourcing efforts. Because treasury accounting has been going through a particularly difficult period of re-interpretations, treasury has been looking to outsource a lot of the number-crunching and valuation work to outside experts.
Running regression analyses and marking to market complex derivatives and securities portfolios simply outstrips the capability of many corporate treasury and accounting systems. Thus treasurers have been turning to banks and system providers to help fill the gap.
“Be careful,” cautioned the director of treasury at a large MNC: “Your auditors will require you to show that the bank has provided you with a SAS 70 before those calculations and data can be used to produce financial reports.”
3) Banks’ reluctance to pay the bill. Because it’s often unclear whether SAS 70s are a must or exactly what level of comfort they provide, banks and other service providers have become a lot less eager to provide them free of charge.
The cash manager at a global consumer-products company recently lamented his inability to get his banks to offer up a SAS 70. “We use web-based [applications] almost exclusively, and we have found it difficult to obtain a SAS 70 from most of our banks to reassure us that they have adequate controls around these electronic banking systems. Only one was able to provide a SAS 70.”
To comply, very often SAS 70s and like “certifications” are baked into contracts ahead of time. But the headache of having to extract them from banks has been compounded by the fact that some banks want to “charge-back” clients for the cost of securing their own SAS 70s.
“Typically we view [a SAS 70] as a pass-through cost that we would pass on to clients because in theory, you’re making their audits and/or their internal compliance groups more efficient,” said JPM’s Mr. Leary.
Corporate treasury practitioners disagree with the assigned “beneficiary” of the SAS documentation. “What we expect is something to establish what testing a bank has done to support its claims of how system security and user entitlements are supposed to work,” explained the cash manager of the consumer products company.
“For example, what prevents a hacker from breaking into their system and moving funds from my account? What about breaking in and obtaining our account information, balances, or activity?” this practitioner added.
Practitioners argue that while banks may want to portray SAS 70s’ costs as a pass-through, in reality, the process and certification are simply a cost of doing business in the corporate space. To this end, treasury should, as with any service level agreement, get the banks to sign on upfront, because most outside providers will likely consider a late add-on as their clients’ problem—not theirs.
YOU GET WHAT YOU PAY FOR
Perhaps more concerning than who is paying for the SAS 70 is what it actually means, and whether there’s any value to it beyond keeping external auditors happy (not that that in itself isn’t a significant accomplishment).
For years, the PCAOB has been fielding letters from all sectors regarding what a SAS 70 covers and what it doesn’t. And while it may be on auditors’ checklists, it may not provide much of a security assurance to treasury after all.
Meanwhile, constituents in the banking industry have pushed back hard: “We are concerned also that some may believe that SAS 70 reports provide a much higher level of assurance regarding the effectiveness of controls over certain processing functions than is actually the case,” wrote the Mortgage Bankers Association last year.
Were SAS 70 a “sure thing,” the cost of paying for it would be a lot easier to swallow because companies are now grasping for indisputable measures of the authenticity of their financial results to satisfy auditors and investors.
However, as it stands, SAS 70’s objective value is in question. “SAS 70 is neither a meaningful security metric nor worth the high cost of obtaining the SAS opinion,” wrote Jonathan Gossels, head of the network security firm SystemExperts, in a white paper entitled “SAS 70: The Emperor Has No Clothes.” The problem is that in this case, the emperor [read: external auditor] is not the one that’s paying for the outfit.