By Ted Howard
SAS 70 is becoming a “rite of passage” in the arcane world of treasury outsourcing, as the pressure on the integrity of financial statements mounts.
The growing complexity of some aspects of US GAAP (e.g., FAS 133, FAS 115), combined with the rising levels of excess cash on corporate balance sheets (see story) is encouraging more treasuries to outsource knowledge- and system-intense aspects of their work.
In contrast with the overall trend in financial outsourcing (see box), this form of treasury outsourcing focuses not on low-value and non-core functions. Rather, it concerns activities that require heavy investment in specialized knowledge and systems, which resource-strapped treasuries cannot afford.
In-sourcing finance Contrary to some market expectations, there’s less—not more—propensity among companies to outsource financial processes. While in theory, the low-value/non-core processing is an outsourcing provider’s dream, in reality, handing off a process that has an impact on financial results to an outsider is a CFO’s nightmare. That’s because SOX has made financial reporting integrity the personal responsibility of CEOs and CFOs. Overall, then, it’s no surprise that companies outsource only 4 percent of their finance processes and turn to centralization and shared service centers (SSCs) 65 percent of the time, according to a recent study by The Hackett Group. |
But while treasurers are under pressure to seek outside help, they are also under pressure to make sure that any help they solicit does not get their bosses (CFO, CEO) into trouble. Because the outsourced activities often have a direct impact on the financial results of the corporation, the stakes could not be higher.
A different paradigm
While overall, companies outsource a very small share of their financial processes (see Hackett Group study above), treasuries work under a different paradigm: they are stuck between resource constraints and the magnitude of the tasks that they must perform.
For example, often-lean HQ treasuries cannot be charged with investing billions of dollars in excess cash safely and profitably. Thus, companies with large excess-cash portfolios (there’s a growing cadre of them these days) tend to outsource investment management to professional money managers.
In addition, as they proceed to have more complex portfolios of securities (vs. short-term, investments in money market funds), treasuries also look to their custodial bank (State Street has a strong franchise in this area), or a third-party expert (e.g., Clearwater Advisors) to help generate the accounting entries and valuation.
Two degrees of (SAS) Separation There are two levels of SAS 70: Type I and Type II. Type I certification means that it has been certified that a company has specific controls in place. Type II, which Reval has, means an auditor went to the company and tested all of its controls. “Type I is you’re running the applications fine and that’s about all,” noted Reval’s Dharmendra Varma. “You don’t go into the details. Type II is when you get into the details of your controls.” That is, an auditor will go and test the controls to see that they are functioning properly. But getting Type II certification costs significantly more than a Type I, which gives many service providers pause. “Some companies get a Type I the first year; or asset managers may decide that that’s all that’s needed,” said Deloitte’s Bruce Marcus. He said he knew of one asset manager who argued that getting one does not “reduce the level of substantive testing for financial statements,” in other words, an auditor does not look at the SAS 70 as an extra layer of review. Further, according to Mr. Marcus, this manager said that since no one’s asked for it “why incur the costs?’” “But if you’re in a business that’s initiating, recording, or processing transactions, ultimately you need to get a Type II,” Mr. Marcus said. Still, the two levels of reporting “have very powerful, yet limited purposes,” according to a report written by Trent Gazzaway, managing partner of corporate governance at Grant Thornton. |
Ditto for derivatives accounting, where firms like Chatham, Reval and Hedge Trackers have created a business out of the complicated task of FAS 133 accounting.
In the past, treasuries used to lend the accounting group a hand, often even producing the FAS 133 G/L entries. SOX’s separation of duties dictum put a stop to that, and the generalist staff in corporate accounting or the shared-services center is certainly not capable of handling the accounting for an option or a mortgage-backed security.
This is where the Statement of Auditing Standards (SAS) 70 comes into play. SAS 70 provides the audit trail, or bridge, between treasury’s needs and control requirements. A SAS 70 is basically a letter from one audit firm (of the provider) to another (of the client), assuring everyone that the outsourcer has adequate controls in place. This way, the corporate client can safely turn around and produce its own financial statement. According to audit pros and practitioners, SAS 70s are playing a growing role in shaping the relationship between treasuries and service providers.
Kick it up a notch
Indeed, the ability to provide a SAS 70—and with it a measure of comfort to CFOs and the Audit Committee—has become somewhat of a marketing edge for some vendors.
This is particularly true as audit firms begin to expand the scope of the SAS 70 certification process, and treasurers begin to see an application for SAS 70s, beyond clear-cut outsourcing (e.g., in banking relationships and treasury software vendors).
Indeed, a banker at the investment banking subsidiary of a large European bank reported that his group was exploring getting a SAS 70, although he felt that since the group does not take custody of any funds, it probably didn’t need it. However, he said, “all our competitors are doing it, so we’re being somewhat forced into getting it [as well].”
Helen Kane, founder and president of Hedge Trackers, a treasury management services and compliance software firm, also saw getting a SAS 70 as a selling point.
Cannot pass the buck According to Grant Thornton’s Tom Ellis, users of outsourced services should never be too complacent about what’s in a SAS 70, and should always be sure their own controls are in good shape. “All a SAS 70 report does is deal with controls over processing of transactions that have financial significance to the service companies,” Mr. Ellis said. “It says nothing about operational efficiency or effectiveness; it doesn’t get into pricing or deeply into fraud. Nor do SAS 70 reports tell whether the processing is right,” he said. “There’s no substantive testing and there’s no requirement for the substantive auditing. There is no testing whether or not all the transactions are right. A SAS 70 simply controls transaction processes to insure that there is integrity.” On the other side of the coin is what the company does as part of its own internal controls to make sure things are right. “You could blindly outsource some significant financial processing to an outsourcer and get a clean SAS 70 report,” he said. “But if the controls aren’t good on your side to use the reporting to substantiate the results, then you are fooling yourself if you’re not holding up your end of the bargain.” |
“We’re asking to have our SAS 70 be a bit more robust,” Ms. Kane said. “Being a small outfit, if I’m going to spend that much money, I want value for my clients,” she said. And although it doesn’t seem to be a fundamental requirement, she added, “I’m going to push to get that value for my clients.”
Gray SOX
In the post-SOX world, whether SAS 70 is a requirement, or merely an added layer of protection, is not always clearcut. However, because SOX makes CFOs and CEOs personally responsible for the integrity of their company’s financials, everyone errs on the side of being conservative. With this in mind, most treasuries now are requiring a SAS 70 of their third-party vendors.
“It [the SAS 70] is our guarantee that [a vendor] is SOX compliant,” said a treasurer at a large US multinational. “It means that if I have responsibility for an outsource arrangement, I know that that arrangement is being managed according to SOX guidelines,” she said.
If the data in question ever becomes part of an auditor or SEC review, “I have that certification that the service provider said that its systems met compliance standards to rely on,” she said.
Indeed, according to Bruce Marcus, a director at Deloitte & Touche, the desire to have a SAS 70 is expanding. “Clients who in the past only thought about doing a SAS 70, or who might have considered it, now have decided they have to do it,” Mr. Marcus said.
“It’s almost become a requirement to enter certain businesses,” he added, e.g., asset management, where outside money managers invest corporate portfolios, and must prove that they have the controls in place to comply with the corporate investment policy (e.g., regarding credit rating, asset allocation or impairment). “At some point somewhere you are going to have to provide a SAS 70,” Mr. Marcus said.
Spreading offshore
Other ways in which the landscape is changing for SAS 70 usage is the scope of the reports and their reach outside the US.
Perhaps to be more competitive, “people are asking us to put more in the report than ever before,” Mr. Marcus reported, e.g., any unrealized gains or losses or in other cases, soft dollars or anti-money laundering spending.
Deloitte is also seeing demand from companies in other countries. “We do a decent amount of business outside the US,” Mr. Marcus said. The majority of that business is to support US clients, “but it’s becoming more and more the case where companies [that don’t have US clients] want a SAS 70 because it’s becoming the de facto standard around the world.”
A rigorous process
Dharmendra Varma, a senior business analyst at Reval, a treasury and risk management web-based system solution provider, said Reval went through a very thorough process to get its recent (January 2006) certification—in its case, from Deloitte & Touche.
First Reval and Deloitte sat down and discussed what controls they would need to test. Reval then “prepared a list of controls and they were sent to Deloitte,” Mr. Varma said. Next, “Deloitte gave us another list of other controls that they wanted to test.” Finally, “when Deloitte came for our audit, we showed them how we are handling those controls,” he said.
Reval, which among other things offers derivatives pricing, itself uses many third-party vendors, particularly for data. It also holds companies’ proprietary information, all of which must be secure. In light of that, said Mr. Varma, Deloitte wanted to see how secure was its network, how thorough was its testing of new products and whether it was monitoring its outside distributors appropriately.
“We also have a lot of end-of-day checklists and end-of-month checklists,” Mr. Varma said. Therefore, Deloitte wanted to know “whether we were following those checklists.”
Overuse and abuse
Tom Ellis, Grant Thornton’s national director of Business Advisory Services, Methodology & Quality Assurance, said there is a fair amount of abuse of the standard. Companies (users) and providers must be aware of two things:
• Do you need it? Does the service being provided have any impact on financial reporting? If not, there’s no need for a SAS 70.
“Just because you have a service provider doesn’t mean you need to get a SAS 70 report from them,” Mr. Ellis said. “Unless that service provider is providing services that are relevant to financial reporting risks, then the SAS 70 report is useless for the purpose for which it was put in place.”
Mr. Ellis related the story of a document-imaging company that came to Grant Thornton for a SAS 70 review. The company said it was getting pressure from a client to obtain a SAS 70, but after reviewing what the company did, Mr. Ellis told management that it didn’t need it.
• Don’t get over-confident. Just because a vendor has a SAS 70, does not mean the client has a license to stop worrying about compliance. A SAS 70 is not some “super document” that indemnifies a company against everything. “SAS 70 reviews tend to give managers a false sense of security,” Mr. Ellis said.
“Just because it’s clean doesn’t mean you can ignore your own internal controls. You still have to mntain your own fiduciary controls on your side to make sure the processing is correct.” (See also sidebar on right.)
Not being all it can be
Indeed, said Ms. Kane of Hedge Trackers, many audit experts think the document is insuperable, but it’s not. “The interesting thing we’re finding is that SAS 70 gives the audit people quite a bit of confidence; it provides apparently some relief to some treasury folks, and the frightening thing is that it doesn’t tell them what I think they want to know. “
The director of marketing at a money manager that’s also a tech company agreed; he noted that there is a gap in the entire SAS 70 process. “The perception among users is that the audit firm comes in, identifies the controls that need to be tested and then tests them,” he said. “But really, the auditors are coming in and testing the controls that the company has identified. It’s a little strange.”
Also, many auditors might not know the businesses that they are auditing (if it’s not a bank or technology company). Therefore, “if the auditors don’t know the business, how could they know that I didn’t put a control in place? Or whether I should have had it in place?” he noted.
Be reasonable
SAS 70s are no panacea for compliance jitters; indeed, some companies are loath to outsource aspects of finance precisely because the results could affect the financials, and they do not have faith in the SAS 70 certifications.
In addition, auditors now frequently require corporate clients to run “reasonableness tests” on external data—SAS 70 or not—to ensure results jibe with expectations.
“We’re proud of our SAS 70 and we understand the process,” said a SAS 70 and compliance manager at a hedge fund. “And we see where other organizations are deficient. Their SAS 70 may tell you that controls are being processed appropriately, and that they have solid infrastructure, but it doesn’t cover the numbers. It doesn’t tell you about the numbers within transactions. We double check them,” he added.
So while SAS 70s may not provide all the answers, in the super-charged control environment post-SOX, every little bit of assurance goes a long way toward assuaging senior management’s compliance woes.