A quote that stuck out to me was, “there is no shortage of guidance to explain what ERM is and how to implement it, though most of this information is written for risk and control specialists. To succeed, ERM efforts need to include people with other priorities.”

Getting buy-in from management is a top roadblock to successfully implementing an ERM program – or at least to implementing an ERM program that won’t fizzle out quickly. Fortunately, as noted above, there is a multitude of documentation on the concept and benefits of ERM…. and in a later post, I’ll identify the most relatable ways to talk about ERM with management.

In a Type I report, the service auditor will express an opinion on (a) whether the service organization’s description of its controls was accurate and (b) whether the controls were suitably designed to achieve specified control objectives.  The report will include sections 1 and 2 below, however sections 3 and 4 are optional.

In a Type II report, the service auditor will express an opinion on the same items noted above in a Type I report, and (c) whether the controls were operating effectively during the period.  The report will include sections 1, 2, and 3 below, however section 4 is optional.
Section 1: Service Auditor’s Report – completed by the Auditor and describes the scope of the audit and the includes the opinion of the auditor.

Section 2: Description of Relevant Controls – completed by the company and describes the control environment, process, and systems being audited.  Additionally, it includes the controls that the company is not responsible for and which the customer should ensure are in place in their organization.

Section 3: Information Provided by the Service Auditor – completed by the auditor and describes the results of control testing.

Section 4: Other Information Provided by the Service Organization – completed by the company and may include management responses to identified gaps, information on business continuity and disaster recovery, or a glossary of terms used in the audit report

See more posts on SAS 70

Efficiency and Cost Reduction – Your company can have one audit performed and provide one report to interested parties.  This allows your company to focus on what it does best and reduces the time required to respond to audit inquiries.

Piece of Mind – It makes good business sense to make sure you have controls in place to prevent/detect unnecessary mistakes, unauthorized transactions, unauthorized modifications to data, and fraudulent activity.  Having an independent party assess your processes and systems can provide a level of assurance that may be unattainable through self assessment.

Strengthen Existing Relationships – Customers value transparency and assurance that your processes and systems are sound.

Attract Customers – New customers want to know that they will be working with a company that has standards in place and has been reviewed by an independent party.

Differentiate from Competitors – If your company has a clean audit opinion and your competitors don’t or don’t have an audit opinion at all, you should stand out in the marketplace.

Compliance – There may be overlapping regulations that a SAS 70 may meet.  The Sarbanes Oxley Act requires your customers to have controls over financially material processes and systems. The Graham Leach Bliley Act requires financial institutions to provide security over customer information to safeguard their privacy.

Are you interested in strengthening existing relationships, attracting new customers and differentiating your company from competitors?

Do you want to reduce the time and cost of audit inquiries?

A Type I SAS 70 assesses the design of internal controls at the service organization.  A Type I is a point in time report, meaning it does not provide coverage over a period of time.

A Type II SAS 70 assesses the design, as well as tests the operating effectiveness of the internal controls at the service organization.  A Type II report covers a defined time frame – usually 6, 9, or 12 months.  These generally take more time to complete, because of the testing over the period.  That being said, because there is evidence that controls are in fact working properly, these reports hold more weight and are most often sought after by customers, auditors, and potential future customers.

SAS 70 Readiness assesses a company’s preparedness for a SAS 70 audit by identifying internal control weaknesses prior to the audit being performed.  If a company is entering the first year of completing a SAS 70, these are often performed so that the actual SAS 70 has a clean opinion.  An approach to reduce the costs of a first year SAS 70 audit is to perform a Readiness Review and a Type I audit in the first year.  Then in subsequent years, perform a Type II.

Does your organization provide an “outsourced” service to companies?  
Have your customers requested to see a SAS 70 audit report?

Consider the following scenario – Your company provides a service that may materially affect your customer’s financial statements.  Naturally, your customers, your customer’s auditors, and your potential future customers want to make sure their financial information is accurate, complete, and recorded properly.  As such, each of these parties requests to inquire or audit your processes and systems.  What a nightmare, right?

Well, that is where a SAS 70 comes in.  Since the SAS 70 audit report assesses the design and operating effectiveness of a service organization’s controls, the audit report can be provided to customers as evidence of the effectiveness of your controls.  You may not want to provide the report to potential future customers, but letting them know that you received a clean SAS 70 audit report would certainly provide them some comfort regarding your operations.

So what type of organization would need or even want a SAS 70?  Usually the following organizations would consider obtaining a SAS 70: payroll service providers, claims processors, benefits administrators, third party administrators, clearinghouses, transfer agents, trust administrators, data centers, application service providers (ASPs), and outsourced IT departments.

Here is a pretty good link that provides some more details.

Have your customers requested assurance that your processes and systems are controlled?  
Do you feel comfortable that the business processes and IT processes you have in place are controlled to prevent/detect unnecessary mistakes, unauthorized transactions, unauthorized modifications to data, and fraudulent activity?

After some quick web searching, I found this interesting article on the difference between ERM and GRC.

In it’s simplest form, the difference is simply in their names. ERM includes identifying risk appetite, assessing risk, integrating risk management in daily decisions, and monitoring risks. GRC is an umbrella philosophy that includes risk management, governance, and compliance. GRC may include ERM as the methodology of managing risk, but it may not. If an ERM program is linked to governance and risk, then it might transition into a true GRC program.

There is certainly more to ERM and GRC programs, but that is the nuts and bolts difference between the two.

Are you interested in implementing ERM or GRC programs successfully?  If you’ve already implemented these programs at your organization – what pitfalls have you faced?  What success stories do you have?”