The Sarbanes-Oxley Act of 2002, or SOX, impacts the financial reporting of every public company in the US. SOX also impacts IT departments, to the extent that IT intersects with the reliability and integrity of financial reporting in areas like data security.
What does this have to do with application hosting? SOX Section 404 mandates corporate management to annually assess the effectiveness of internal financial controls, including related IT systems. If a public company outsources IT services that relate to financials, the services provided are considered part of its “information system” for SOX compliance purposes.
In short: the operational processes and controls of your IT service providers (e.g., payroll companies, data centers, SaaS providers, etc.) can directly impact whether your company is SOX compliant.
How can you know whether a provider’s operations are up to SOX standards? Simple: ask if they are SAS 70 or SSAE 16 compliant.
SAS 70 (aka Statement on Auditing Standards No. 70) and SSAE 16 (Statement on Standards for Attestation Engagements No. 16) are auditing standards issued by the American Institute of Certified Public Accountants (AICPA). Auditors of public companies’ financial statements use this guidance to examine the internal controls of service organizations.
SAS 70 had been in place in the US since 1992. In order to bring US auditing standards in line with their international counterparts, the AICPA issued SSAE 16 in April 2010. SSAE 16 supersedes SAS 70 for reports with periods ending on or after June 15, 2011. The two standards differ in several important ways.
Both SAS 70 and SSAE 16 focus on a service provider’s control activities, especially around IT Service Management and related processes. Business areas evaluated include:
• Security across business systems and applications
• IT control systems
• Contact center and client services processes
• HR policies and practices
A SAS 70 Type I audit reports on “controls placed in operation,” while a more comprehensive SAS 70 Type II audit also encompasses “tests of operating effectiveness”; that is, an analysis of how well the control processes actually work over a period of up to six months. SSAE 16 has similar Type I and Type II reporting forms.
A key difference is that SSAE 16 is an “attest” standard, not an “audit” standard. Perhaps the most significant implication of this shift is that SSAE 16 requires a written “assertion” by the service provider’s management regarding its control systems and their objectives.
The successful completion of a SAS 70 or SSAE 16 control audit demonstrates a service provider’s commitment to secure, reliable and effective operations – while helping to ensure that its clients’ SOX compliance requirements are met. Conversely, if a provider is not certified compliant, its processes could directly and negatively impact its customers’ SOX compliance.
If SOX regulations are of concern to your business, you should consider choosing compliant service providers. Yet the vast majority of IT service providers do not meet their clients’ needs in this vital area. For example, Charles Weaver, CEO of MSP Alliance, offered during a talk in July 2010 that “… only 10% of MSPs have any certification at all.”
iStreet Solutions has been SAS 70 Type II compliant since 2009 for both infrastructure and application platform management. We will similarly comply with SSAE 16 on schedule, at our next report date in March 2012. This assures our clients that our operational processes and controls meet superior standards of security and reliability. We have implemented controls specifically designed to meet our clients’ compliance needs, helping to make sure your SOX and other regulatory requirements are met.
To learn more about how iStreet’s commitment to operational excellence can benefit your organization, visit http://www.istreetsolutions.com/.
Has the issue of service provider compliance ever impacted your company’s compliance activities? Please comment and share your experiences, questions or opinions.
President and CEO