“We are being audited.” This phrase is enough to make your heart race and your blood run cold, be it as a result of a friend telling you about his IRS woes or a client discussing Sarbanes-Oxley, FDIC, Gramm-Leach-Bliley or the Health Insurance Portability and Accountability Act. No matter how you look at it, businesses across all vertical industries are becoming more regulated.
The bulk of the regulations imposed on businesses center around process documentation and management, with an emphasis on access control, security and change management. Generally speaking, U.S. law cannot be imposed on other countries. However, when it comes to regulatory compliance, service providers onshore, offshore or near-shore are considered an extension of the business. Therefore, they are subject to just as much scrutiny as the business being audited.
Nearly all companies are subject to annual audits. A public company uses the audit report with its annual report and in Securities and Exchange Commission filings. A private company uses its report when interfacing with investors and lenders. The objective of the audit report is to demonstrate that activities directly related to financial reporting, such as transaction initiation, authorization, recording, fulfilling and billing, are reflected in the financial reports. Reports also must show that data, IT infrastructure and access security adequately ensure privacy and reduce the risk of internal and external fraud.
Being audited sounds rather daunting, and it can be. But wait, it gets worse. The complexity grows exponentially if a company uses multiple service providers such as one for IT, one for HR, one for contact centers and yet another for order fulfillment and shipping. The key to curbing the complexity is to ensure all of the service providers are SAS 70 Type II certified.
As a service provider, obtaining Statement on Auditing Standards No. 70 (SAS 70) Type II certification offers a solid value proposition for a company to choose your firm over a non-certified competitor. With certification, a service provider saves its clients substantial time and money by reducing the total audit process. Depending on the nature of the business, an audit can take hundreds, even thousands, of hours to complete. A nominal reduction in time spent in the audit process can reflect thousands of dollars in savings for each client.
As a quick aside, Type I verifies that policies and procedures are in place. The more robust Type II certification confirms the policies and procedures of Type I and substantiates a proven track record of performance under the defined controls. Go for the Type II certification. It proves that, as a service provider, you walk the walk.
Several service providers and colocation facilities have recently announced receipt of Type II certification, including CenterBeam, CyrusOne, and Terremark Worldwide. SAS 70 Type II certification is valuable to service providers of all sizes. HP Services and Unisys, two of the largest global service providers, also are certified.
Eric Arnold, vice president of engineering, security and operations at CenterBeam, said, “Nearly all of our clients have complex business environments requiring extensive information security. With our Type II certification we can save each and every one of them substantial time and money in their audit process, whether they are going through SOX or HIPAA, or any other compliance audit. We anticipate this certification will aid the decision process for prospective clients to select CenterBeam as their outsourced service provider over competing non-certified providers.”
Phillip Z. Fretwell, managing director at Protiviti, noted, “Not all SAS 70 Type II certifications are created equal.” Like any good government regulation, there is substantial wiggle room for quality differentiation. He listed three key areas in identifying a quality report:
“Scope: This identifies the number of control objectives being defined and measured. As a service provider, be sure you are dialoging with your customers regularly on establishing the control objectives that are covered. Include the customer’s auditor in the conversations. A report based on five control objectives may be less valuable than one with 10 or 15. However, an audit with an excessive number of objectives may be too costly.
“Timing of the Certification Report: Companies should look at the ‘as of’ date on the certification report. The closer the service provider was certified compliant to your fiscal year-end, the better. Delays associated with updating the certification can range from several hours to hundreds of hours.
“Quality of Service Auditor: It is critical the service provider use a top-tier auditor when seeking SAS 70 Type II certification. The service provider’s reputation and brand are at stake. The Public Company Accounting Oversight Board, the body that provides regulations over public company auditors, has a registered list of qualified auditors.”
As a service provider with a SAS 70 Type II certification, you have an opportunity to develop a more strategic relationship with your customers. When negotiating a contract, consider the following:
• Mutually define audit requirements and control objectives. These may be different from one vertical market to another.
• Clearly define the scope and timing of the SAS 70 Type II reports. Some service providers obtain certification reports twice a year. This is important if your clients operate on a fiscal reporting cycle that is different from the calendar year.
• Offer annual reviews of the control objectives to ensure you are meeting all of your customers’ regulatory needs.
Once a service contract is in place, and for your existing clientele:
• Be sure the customer is aware of certification and report availability; don’t wait to be asked.
• Consider offering the first report at no cost to ensure customer loyalty.
• Meet with existing customers to ensure all of their control objectives are included in your certification. If not, develop a plan to incorporate them as quickly as reasonably possible.
Obtaining SAS 70 Type II compliance certification is rigorous and expensive. However, it is not a matter of whether you should seek certification; it’s about how fast you can get it.
As a managed services provider, if you have international clients, customers in the financial services or healthcare industries, or customers that are publicly traded, you may want to clip this article and bring it to your next management team meeting for discussion.
Martha Young is co-founder of Nova Amber LLC, a business-consulting firm based in Golden, Colo. She co-authored The Case for Virtual Business Processes, published by Cisco Press. She has extensive global expertise in the outsourcing and managed services market intelligence arena. Young can be reached at myoung@novaamber.com or (303) 642-0941.