Most service firms (like payroll and healthcare claims processors) have provided a SAS 70 report to their clients simply as a matter of course. Over time these CPA reports on the service organization’s internal controls have evolved from being solely an auditor-to-auditor communication to include information about risks beyond financial reporting, and in some cases they’re being used as a marketing tool.
As of June 15, SAS 70 reports were replaced by SSAE 16 reports. There are any number of publications and opinions about the transition (just ask Google), but it strikes me that there is an opportunity here to take a fresh look at the value of these reports. I’ve seen a tendency for companies to include SAS 70 reports in their SOX controls only because they are available, and my guess is that quite a few of them have other controls that already cover the same bases. On the flip side, the SAS 70 might not address risks that need additional work to mitigate, or the business may have changed so that those risks are no longer consequential.
So, take a closer look at past SAS 70 reports and determine if you’re actually relying on them for your internal control environment. If you don’t need to include them in your SOX controls—don’t. (That will apply to the SSAE 16 as well.) You’ll save time and possibly a bit of money.
This is not to say there is no value to the SAS 70 or SSAE 16 report if you don’t need it for SOX. Companies just need to ask themselves whether that value is as a SOX control or for other operational or risk mitigation purposes. Seize this opportunity, and at the very least you’ll have a good understanding of your controls environment.