The trend to outsource certain business processes has become ever more popular in recent decades and this popularity is likely to continue as more and more organisations recognise the value of buying-in resources as and when required.
It is not uncommon to find partners and alliances across a variety of business areas including: human resource services, IT, financial transaction processing, customer services, product development, research and sales management.
However, the outsourcing of services also brings risks to an organisation. For example, the most prevalent cause of loss to data confidentiality is now in relation to organisations outsourcing business functions. To ensure such alliances meet your expectations and minimise risk, it is therefore important to monitor the arrangements carefully so that the full intended value of your business relationship is actually achieved and appropriate risk management mechanisms are in place.
With regard to these requirements, the Statement on Auditing Standards Number 70 (SAS70) is an internationally recognised standard developed by the American Institute of Certified Public Accountants (AICPA), and is used for audits of service organisations. SAS 70 certifies that controls are in place over an organisation’s information technology systems and related business processes. A service auditor’s report based on SAS 70 provides you with an assurance that all your controls are operating effectively.
Why would you need it?
- You want to avoid being audited by your clients’ internal and external auditors. SAS70 allows for one report to be produced and used by several clients, thereby reducing the audit effort needed
- You wish to promote a positive corporate image by taking a proactive approach and having SAS 70 as many UK organisations are now looking to their outsourced vendors to provide assurance over their controls
Our Information Systems Assurance specialists can work with your organisation to assess your key suppliers and prepare a Service Auditor Report. This provides a description of the controls over your information systems, and a commentary on those controls. As the report is based on the stringent standards of SAS 70, it can then be made available to meet audit or regulatory requirements.