Get to know SAS 70


Small Business Administration and the General Services Administration have worked with other federal agencies to provide a toll-free number – 800-FED-INFO or 800-333-4636 – to make it easier for small businesses to participate in federal prime and sub-contracting rebuilding efforts in areas affected by hurricanes Katrina and Rita. For more information on pursuing these contract opportunities, visit this site and click on “Information on Hurricane Contracting Opportunities.”

SBA said it would use an expedited process for granting disaster loans under $100,000 for businesses that are in areas affected by hurricanes Katrina and Rita and meet specified criteria, including satisfactory credit and SBA loan history. For more information, contact SBA at disastercustomerservice@sba.gov or visit this site.

Internal Revenue Service announced that due to recent legislation, taxpayers in designated areas affected by Hurricane Katrina have until Feb. 28, 2006 to file returns or pay taxes that otherwise would be due before that date. IRS has compiled all its information related to Katrina in a single location. Visit this site and search Katrina News Releases & Legal Guidance.

Riviera Finance said it now is able to provide freight-bill factoring for LTL and other carriers hauling multiple shipments. Recent technological advances combined with traditional, labor-based processes allow Riviera to manage high volumes of paperwork quickly and guarantee cash within 24 hours after receipt of freight bills and backup paperwork.

By now, you have heard of Sarbanes-Oxley, the law relating to the financial disclosures of publicly traded companies. But far less known is its cousin, Statement on Auditing Standards No. 70, “Service Organizations,” or SAS 70 for short. Chances are, you not only will hear about SAS 70, but you will be asked to understand it.

“SAS 70 can best be thought of as roughly the service company equivalent of an ISO 9000 certification for a manufacturing company,” says Charles Denyer, a specialist in SAS 70 audit engagements in Atlanta. “It focuses on an in-depth audit of the company’s control activities, concentrating around controls over information technology and related processes.” Any company that hosts or processes another company’s data – or buys services from one that does – likely will be learning a lot about SAS 70 in the coming years.

SAS 70 will affect the transportation industry beyond the 30-odd publicly traded companies, and it will affect the largest players first. For example, the 250 largest trucking companies recently highlighted in Commercial Carrier Journal’s Top 100 issue most likely will be hearing about it before the rest of the industry. But even small carriers might have to deal with SAS 70 if they serve shippers that are public companies.

“Public companies that outsource key tasks or jobs to vendors must extend their Sarbanes-Oxley-style internal control studies to any company that touches their customers’ or employees’ data,” Denyer said. Headline-grabbing data losses and identity-theft embarrassments concern every business. And service providers are realizing the value of touting their SAS 70 certification as a competitive advantage over rival companies. “Large private companies will likely adopt some of the public company mandates, or be offered a choice to pick between SAS 70 certified vendors compared to those that are not,” Denyer says.

The service company will engage the audit firm to conduct the SAS 70 audit and then provide the service auditor’s report to its customer as proof of the adequacy of the internal control systems. Basically, any company that performs an outsourced service or process for another company is under increasing pressure by its customers to have SAS 70 certification. In trucking, these would include primarily logistics management companies, payroll processing companies and outsourced billing or supply chain management services.

Most trucking companies will be “user organizations” – customers of the service organization. Among the benefits to the user are:

  • Receipt of information about the service organization’s internal controls over secret data, and the effectiveness of these controls;
  • Assurances that these controls were suitably designed, in operation, and operating effectively; and
  • The ability to provide the report to their own independent auditors, thereby potentially limiting that company’s time and expense in conducting the audit.
“Without receiving a service auditor’s report, the company might have to incur the expense of sending its own internal or external audit teams to examine the provider’s controls, systems and information security,” Denyer says.

Service organizations may be subject to multiple requests and visits from audit teams of their main customers. With a SAS 70 report, most of these can be reduced or avoided entirely. The company can have an independent assessment of these controls, and guidance on improvement and tightening of these controls – no small feat in this age of newsworthy breaches of private data security. “Interestingly, one key benefit is differentiation – the ability to tell major or potential customers that they already have SAS 70 certification,” Denyer said.

SAS 70 audits are not quick, nor are they cheap. Due to the relative shortage of major auditing firms providing the reviews, it may take months to even schedule one. If you lead a major trucking industry company, it is likely you’ll be hearing more about these soon.

Resources

“About SAS 70” at www.sas70.com includes an overview of SAS 70, a guide to service auditor reports and other useful information.

“e-Comment on SAS 70 Reports,” courtesy of the American Institute of CPAs, is available at this site.