Offsite security complicates compliance

Offsite security conditions are always a factor to consider when a company enters an outsourcing deal, but regulatory initiatives are raising the stakes.

IT executives need to ensure service providers have proper system controls in place before and after they enter into sourcing and hosting arrangements, analysts say. It's not only a good business practice, it's also increasingly required by law.

One law putting a spotlight on outsourcing deals is the Sarbanes-Oxley (SOX) Act of 2002, which Congress passed in the wake of accounting scandals at firms such as Enron and WorldCom.

SOX has IT and finance departments working closely to review and modernize companies' financial reporting systems to comply with its regulations. Of particular concern is Section 404 of the legislation, which calls for company executives and third-party auditors to certify the effectiveness of internal controls - technologies and processes put in place to preserve the integrity of financial reports.

Performing due diligence under Section 404 means looking into conditions at outsourcing and hosting providers' sites, where sensitive corporate data might be accessible, processed or stored. That's where Statement on Auditing Standards (SAS) 70 comes in.

SAS 70 is an auditing standard developed by the American Institute of Certified Public Accountants for service organizations. It prescribes a method for an auditor to examine control activities at a service organization or outsourcing firm.

There are two types of SAS 70 audits. A Type 1 audit focuses on general controls at a single point in time and doesn't include testing by auditors. A Type 2 audit is more intensive - and more appropriate for SOX compliance. It looks at conditions over a prolonged period of time, and auditors perform testing to verify the effectiveness of controls at service organizations.

SOX compliance efforts have elevated interest in the auditing standard, which has been around since 1992. "We are doing a lot more SAS 70s lately," says Ed Byers, a principal at Deloitte & Touche.

Outsourcers agree that users are beginning to ask for SAS 70 audits. "It was something our customers were looking for," says John Engates, CTO at Rackspace Managed Hosting.

Ernst & Young recently concluded an SAS 70 Type 2 audit for the San Antonio managed hosting provider. The audit covered controls related to service delivery and operations, infrastructure maintenance, change management, back-up processes, and logical and physical data center access, Engates says.

Rackspace underwent the audit at the request of some of its largest customers, which are facing SOX Section 404 deadlines, Engates says. Section 404 says companies must prepare reports - to accompany their annual reports filed with the Securities and Exchange Commission - assessing the effectiveness of their internal control structures and financial reporting procedures. Section 404 deadlines are staggered and begin this spring.

"They really need some assurance that the controls that are in place outside of the walls of their companies are as effective as the controls inside their companies," he says.

At the same time, Rackspace benefits from having gone through a formal process to analyze and document its internal controls. "It put a spotlight on our documentation and the formalization of our policies and processes," Engates says.

Securing SAS 70 certification requires a commitment - of personnel and budgets - on the outsourcing providers' part. At Rackspace, the certification process took almost one year, from the early stages of defining the scope of the audit to the full-blown testing of controls.

Sierra Atlantic will spend about $25,000 to achieve SAS 70 certification this year, says Marc Hebert, executive vice president at the Fremont, Calif., company, which offers a range of offshore application services. Sierra Atlantic is in the process of securing SAS 70 Type 2 certification.

Like Rackspace, Sierra Atlantic decided to pursue SAS 70 certification because of customer demand, Hebert says.

In general, there's a tendency for companies to secure more SAS 70 certifications from outsourcers than are needed, Byers says. "Companies are so scared about Sarbanes-Oxley they want to audit everything," he says.

There's confusion over when an SAS 70 audit is required and when it isn't - particularly when it comes to smaller service providers that might not have the necessary controls in place, Byers says.

The most common scenario that would require a company to secure an SAS 70 audit from its service provider is when the company outsources application processing such as payroll. "If you outsource a transaction process like payroll, then you probably want an SAS 70 - because the control is at the service provider," Byers says.

But not every outsourcing arrangement necessitates an SAS 70. For example, a company that uses contract employees from an IT service provider to help manage its applications probably doesn't need an SAS 70 from the service provider because control over the systems remains internal.

Likewise, if a company uses an outsourcer for certain application development activities but retains control over application testing and change control, an SAS 70 might not be required. "If management is providing all the control, you don't need to have an audit of the service provider," Byers says.

Some arrangements are particularly cloudy about SAS 70 requirements. In a hosting arrangement, it's important to determine who has control over updates to an application, Byers says. Additionally, even if a company retains control over application testing and updates, an SAS 70 audit might be required to assess physical and environmental controls at the service provider's site, Byers says.

Even if an SAS 70 audit has been completed, it might not be adequate for SOX compliance, Meta Group says. The SAS 70 standard was developed long before SOX regulations and doesn't necessarily focus on the type of controls that SOX requires, according to the research firm.

There's no standard prescription for what is covered in an SAS 70 audit, Byers agrees. A service provider typically defines the control objectives and activities covered in an SAS 70 audit of its operations. "An SAS 70 can include as much or as little as a service provider wants. It's not a standardized audit report," Byers says.

Because the comprehensiveness of SAS 70 audits varies, it's up to the contracting company and its auditors to assess a service provider's SAS 70 for completeness and adequacy.

"Since the SAS 70 isn't standardized, you need to assess its completeness," Byers says. "Does it cover all your general computer controls? Does it cover applicable business process controls via the application controls?" In theory, a service provider could exclude areas from an SAS 70 audit where it knows it's vulnerable. But that's not typical, Byers says. In general, SAS 70 audits have become more comprehensive in light of SOX, he says.

Copyright © 2005 IDG Communications, Inc.