Professional Documents
Culture Documents
Independent Validation and Assurance SAS 70
Independent Validation and Assurance SAS 70
Christopher C. Boutin
Mm AUGUST 2008 77
FEATURE STORY
the SAS-70 is important in the very least hecause Elements of Internal Control
the report may include details relating to the hos- Most SAS-70S provide information for under-
pital's responsihilities regarding the husiness standing the service provider's internal control
relationship with the third-party service provider. structure in accordance with the COSO compo-
nents. The report examines five internal control
The SAS-70 Audit Process elements:
When examining a third-party service provider's > Control environment—the foundation of the
ABOUT THE AICPA internal controls for a type I report, the CPA internal control system, as defined hy funda-
STATEMENT might study the general and application controls mental discipline and structure
within the provider's computer system. Once this > Risk assessment—the service provider manage-
Statement on Auditing evaluation is completed, the CPA lists opportuni- ment's ability to identify and analyze relevant
Standards No. 70
ties for improvement with proposed remediation risks in achieving predetermined ohjectives
(SAS-70), Service
and documents all audit-related information and > Control activities—the provider's policies, proce-
Organizations, is an
activities. dures, and practices that ensure management
auditing standard devel-
oped and issued by the ohjectives are achieved and risk mitigation
American Institute of If control remediation is necessary, the CPA can strategies are implemented
Certified Public Accoun- give the third-party service provider time to cor- > Information and communication—the means hy
tants (AICPA) for use by rect or strengthen the various internal controls. which employees are informed of their respon-
CPAs. Assisting the The CPA concludes the field work for the type I sihilities and provided sufficient time and
AICPA in developing the audit hy conducting a final walk-through and resources to perform their duties, and—as such—
content for a SAS-70
examination of all internal controls, and then the support for all other control components
"service report" were the
issues the report. > Monitonng—the external oversight of internal
Committee of Sponsor-
controls hy management or other parties out-
ing Organizations of the
Treadv/ay Commission If the engagement progresses into the control side of a process, and the application of inde-
(COSO), Information design and testing phase, then the third-party pendent methodologies, such as customized
Systems Audit and Con- service provider has requested a type II audit, procedures or standard checklists, hy employ-
trol Association which calls for at least a six-month design review ees within a process
(ISACA), and members and testing of the general and application controls
of the IS017799 stan- within the computer system. In this instance, the SDLC Approach
dards committee. Origi- CPA works with third-party service provider In the past, software development consisted of a
nally, SAS-70 service
employees to review controls, test their effective- programmer writing code to solve a prohlem or
reports were created by
ness, and correct those that require remediation. automate a procedure. Today, systems are so hig
auditors for auditors as a
Results are enumerated in the type II report. and multifaceted that teams of programmers,
means to assess the pro-
cessing of transactions by analysts, testers, and users work together to
a service organization. The hospital recipient of either type of SAS-70 can create the programming code to make computer
The reports are now used expect to find within the report assessments of the systems work. To manage this process, a com-
more broadly by service third-party service provider's elements of inter- puter service provider uses an SDLC approach
providers as a means to nal control. Depending on the SAS-70 scope, the to prohlem solving.
provide service inde- hospital CFO might also find information on the
pendent validation
system development life cycle (SDLC) approach, The controls under an SDLC approach deal with
assurances to potential
general computer controls, and application com- the sequence of events in the development of an
clients.
puter controls. Most important to the CFO is the information system (or application). The CPA
section entitled "Client Control Considerations." looks to see whether the computer service
This section defines the controls for which the provider's SDLC process is ongoing, so that the
hospital organization is responsible. The client cycle will repeat as a hospital undergoes changes
control considerations are complementary to the in its husiness and information requirements.
controls in the SAS-70 report for which the serv- The CPA also seeks to verify that the SDLC
ice provider is responsihle. process includes effective controls over system
design, authorization, programming, implemen- computer, and they therefore define the permis-
tation (especially training), and acceptance hy the sions that the hospital and other groups will
hospital clients. require to access data. The CPA looks for a
defined process for matching hospital user
The SDLC approach should result in a high-qual- accounts to authorized users, detecting unautho-
ity system that meets or exceeds the hospital's rized access, and policing access hy the computer
expectations. This systematic approach com- service provider's employees.
prises several segments, each containing many
steps and controls pertainingto the design cycle, Program change management controls. These con-
development cycle, and testing cycle. trols ensure that the computer service provider
effectively monitors its computer system for
The CPA pays attention to the controls in each of changes to ensure that all changes are recorded,
these cycles. The SAS-70 should address con- explained, documented, authorized, and success-
cerns such as: ful. The CPA should seek to verify that the con-
> Whether the service provider has controls (e.g., trols include testing and emergency change
documentation) in place over operations to procedures.
ensure the quality of the service features, such
as effective, user-friendly screen layouts and Data center physical security controls. A consider-
the use of husiness rules, including the need to ahle part of the SAS-70 process should he
meet regulatory requirements devoted to examining data center physical secu-
> Whether the service provider has controls rity controls. It is important for the computer
in place to check for errors, hugs, and service provider to show that policies are in place
interoperahility and are heing followed effectively. To assess these
> Whether the service provider has a quality controls, the CPA asks questions such as:
assurance process > How do people get access to the huilding? (For
example, how are ID cards issued and security
General Computer Controls guards vetted?)
General computer controls apply to the system > Where is the computer equipment (hardware)
components, processes, and data that the com- kept and how is it secured from theft, fire, and
puter service provider uses for the hospital. flood?
These controls ensure the proper development > What are the policies dictating physical security?
and implementation of applications, as well as > Who is alerted when intrusions are detected,
the integrity of program, data files, and computer and what is the policy for handling intrusions?
operations, and they therefore are extremely
important in a SAS-70. System and data backup and recovery controls. At
the heart of these controls is the issue of disas-
With respect to general computer controls, most ter recovery. The CPA must verify that the com-
SAS-70S cover five areas: puter service provider can restore information
> Access controls availahility should all or part of the computer
> Program change management controls assets he destroyed or damaged. Risks to the
> Data center physical security controls data center include natural disasters, inten-
> System and data hackup and recovery controls tional and unintentional damage, theft, and
> Computer operation controls SDLC controls, hardware and software malfunction. Controls
discussed separately previously, could also he include a written disaster recovery plan; peri-
regarded as falling into this category. odic hack-up of the operating system, programs,
and data; file-retention schedules; and a com-
/Access controls. These controls deal with the plete, written, and up-to-date computer asset
management of permissions for logging on a inventory maintained off-site.
Mm AUGUST 2008 79
FEATURE STORY
When assessing recovery controls, the CPA seeks The importance of gaining a thorough under-
to determine whether the computer service standing of this section should not he under-
provider has sufficiently analyzed threats, stated: Although reviewing the controls explained
explored all alternatives for an effective recovery in the SAS-70 can seem tedious, the CFO needs
plan, developed a plan with appropriate support- to understand how the service provider is pro-
ing documentation, and instituted appropriate cessing the hospital's data.
periodic testing of the plan.
The CFO also should he aware of how much test-
Computer operation controls. The CPA also must ing was performed hy the CPA for the report, and
verify that the computer service provider has con- understand the results. In a well-prepared type II
trols designed to ensure the ongoing, uninter- report, the CPA testing includes large sample
rupted operation of the computer system; to sizes. The CFO should review the SAS-70s with
provide reasonable assurance that the computer the hospital's CPA firm to ensure adequacy and
system is used for authorized purposes only; and to reliability. The SAS-70 should encompass the full
ensure that errors are detected and fixed promptly. extent of the service provider's services that the
hospital will use. For example, if the service
Application Controls provider is processing employee health henefit
The purpose of application controls, which may he claims, the SAS-70 should state user controls.
manual or programmed, is to ensure the totality
and correctness of the hospital computer records. Ask for a SAS-But Don't Get Sassy!
In a type II engagement, the CPA detaus in the SAS- Traditionally, SAS-70S were intended for CPAs'
70 the testing and operating effectiveness of these eyes only. Now, as services providers have hegun
controls. In hoth types of SAS-70, the computer to make SAS-70S availahle to their prospective
service provider may include information such as clients, hospitals have gained a valuahle means to
network diagrams or other supporting materials. assess the quality of a potential husiness partner.