Fall 2009 issue of Horizons


organizations may be able to eliminate the multiple audit requests from clients and their auditors, reducing time with auditors.

• Enhanced Company Reputation — The SAS 70 report helps ensure the organization’s clients and their auditors are provided a clear overview of the environment upon which they rely.

How do I prepare for a SAS 70?

1. Meet with an experienced, PCAOB-registered accounting firm.
2. Understand my client’s needs and timeline.
3. Have a “gap analysis” performed.
4. Allow time for remediation.
5. Schedule the SAS 70.

Competitive Advantage

A SAS 70 report, issued by an independent accounting firm, will differentiate a service organization from its competitors by identifying and evaluating the design and operating effectiveness of internal controls. A report, with an unqualified opinion, will build trust with the service organization’s customers. Completely satisfied customers will tell other businesses about their satisfaction with the service organization.

RubinBrown Guidance

The SAS 70 guidance is not based on a checklist of pre-determined controls to test but rather is based on the AICPA’s standards of fieldwork, quality control and reporting. Therefore, the choice of an auditor for your SAS 70 is critical. As a PCAOB-registered accounting firm, RubinBrown has an experienced team that has led and performed many SAS 70 examinations. RubinBrown’s SAS 70 team will ensure wise and timely use of resources and will provide accurate guidance on the subject of financial and information technology controls.

Questions? Contact:

Audrey Katcher, CPA, CISA
Partner
Internal Audit Services Group
314.290.3420
audrey.katcher@rubinbrown.com

Is there an option other than SAS 70?

Clients often request a SAS 70 as part of their vendor due diligence. Depending on the requirements the client needs to meet, other options may be viable in lieu of a SAS 70. Those options are:

• An Agreed Upon Procedures engagement. This engagement will provide client(s) tailored controls feedback related to, for example, specified service level agreement/contract compliance areas.
• A SysTrust engagement. A SysTrust engagement is based on these pre-defined principles and criteria: security, online privacy, availability, confidentiality and processing integrity.
