SAS 70: Credentials for outsourcing firms

Written by Robert Bassig, 22 January 2009 (BusinessWorld)

The global economic outlook has never been brighter for the business process outsourcing (BPO) industry in the Philippines. Although there is an expected slowdown in the global economy, particularly in developed nations like the United States, demand for BPO services here is expected to grow as companies find ways to look for sustainable, cost-effective solutions in running their businesses, while maintaining focus on delivering quality products and services.

While it is true that global opportunities and growth are still possible despite the current economic crisis, these bring complex and challenging responsibilities to the management of BPO companies.

In today’s business environment, we all know that companies that engage BPOs are more pressured to comply with various regulations (e.g. Sarbanes-Oxley, Basell II) amid increasing expectations from stakeholders and customers. In addition, they are exposed to public scrutiny more than ever before.

As a result, demonstrating and communicating to the public that the organization, including its service providers such as third-party BPOs, have adopted acceptable business practices have never been higher on management’s list of priorities. Because BPO companies are treated as an extension of these companies, they are also bound to demonstrate the same.

Although the Philippines is recognized as one of the most viable destinations to look for a BPO service provider, each company still needs to demonstrate its good governance process through the adoption of a framework and adherence to widely accepted best practice standards.

One of the best ways to demonstrate this is through an independent examination of the internal processes employed by a BPO company. Good governance is demonstrated if it is in place in the organization and is being practiced consistently.

However, how to effectively communicate this to the stakeholders and to the general public is something else. And this is exactly what a SAS 70 report does: communicate.

So what is SAS 70 all about? It is an acronym for Statement of Auditing Standards No. 70 for Service Organizations, which was developed by the American Institute of Certified Public Accountants.

The report is commonly known as SAS 70 Independent Auditor’s report and is widely recognized as the acceptable method of communicating information and assurance about the processes and controls that are of interest to client customers, their auditors, and the BPO service organization as they relate to an audit of the financial statements. Its use has become more popular since the passage of the Sarbanes-Oxley Act in the US.

A company which is registered in the US SEC would normally require a SAS 70 report prior to contracting with a third party service organization providing outsourcing services and solutions. Commonly known as BPO’s, these organizations typically offer various backroom and support services such as accounting, finance, payroll, HR, IT helpdesk and maintenance, software and application hosting, and customer support, to name a few.

The SAS 70 audit is important for both the client customers and the BPO. For client customers, it gives them the assurance that they are dealing with a BPO company which is trustworthy and has a robust internal control framework and procedures in place. After all, the areas and related information being entrusted and outsourced to BPOs are critical part of a client customer’s overall system of internal control, both for financial and compliance reporting.

BPO companies need to exhibit and communicate to potential and existing client customers that they have in place a sound system of governance and internal control procedures to match their requirements. Some of these requirements revolve around confidentiality and integrity of data, information security, and reliability and availability of services. It goes without saying that, in order to attract and retain their customers, BPO firms must demonstrate their value as a trusted service provider.

An SAS 70 report also ensures that client customers and their auditors have access to the same information about the BPO company. This would translate to less time spent by the BPO in entertaining multiple audit requests from its client customers and their respective auditors.

An SAS 70 report has become a de facto requirement prior to engaging the services of a BPO company.

Unfortunately, an SAS 70 audit is not something that can be done overnight. It requires proper planning and preparation.

BPO companies must bear in mind that an SAS 70 audit is not about their organization, but is focused on things that would raise their client customers’ confidence and trust in terms of the services they provide.

Thus, to ensure an efficient audit, the BPO company must define the scope of the SAS 70 audit by evaluating which technologies and processes should be included and secure inputs from their client customers.

When done with this phase, the next hurdle is actually passing the SAS 70 audit.

To ensure that they pass the audit, BPOs doing the exercise for the first time would engage the services of independent consultants to do a readiness assessment activity before the audit. These consultants make a preliminary assessment of the areas defined beforehand to determine which one needs improvement and identify the controls, or lack of them, that would require remediation in terms of design or documentation.

Most often, the preliminary assessment is useful in terms of improving controls in preparation for the actual SAS 70 audit.

To the BPO firms that, via this article, are learning about SAS 70 and have to comply, this is one way of avoiding unpleasant surprises. In this uncertain times, businesswise or otherwise, being forewarned is being forearmed.