What to look for in a service auditor's examination
When Venture Encoding began printing checks in 1972, there wasn't much risk of losing customer data. But as computers became ubiquitous, that risk increased.
Venture Encoding, a $30 million company based in Fort Worth, Texas, now regularly handles confidential customer data as it processes auto- and home-loan statements, late-payment notices, and e-payments, and manages online customer-care tools.
"Ten years ago, if there was a breach in security or privacy, you could receive forgiveness and continue business as usual," says Kenny Hargis, Venture Encoding president and chief executive officer. "Today it just doesn’t work that way. Our customers take privacy and security very seriously."
In an effort to show clients that airtight internal controls are in place, many companies are asking accountants to conduct a Statement on Auditing Standards No. 70 (SAS 70) review. The American Institute of Certified Public Accountants (AICPA) created the internationally recognized SAS 70 to show that an organization has been through an in-depth audit of its control activities, which generally include controls over information technology.
SAS 70 is rising in popularity for several reasons. Companies want to be certain their contractors are as vigilant in protecting customer data as they are. Michael Gioja, chief information officer at Workstream, a workforce management solutions firm, started seeing SAS 70 requirements pop up in requests for proposals in the past couple of years.
"Clients want to be able to rely on you," Gioja says. At Workstream, those clients include Chevron, Gap, Kaiser Permanente, Motorola, Nordstrom, Samsung and Sony of Canada.
Laws are increasingly requiring stricter protection of personal data. The Gramm-Leach-Bliley Act of 1999 demands that financial institutions (and, by extension, their service providers, such as Venture Encoding) provide superior protection of client information.
While Gramm-Leach-Bliley is specific to financial institutions, Section 404 of the Sarbanes-Oxley Act of 2002 holds publicly held companies accountable for securing off-site data storage and confidential customer information.
Not just for the Fortune 500
Both laws are resulting in more small and midsized companies turning to SAS 70 audits as a way to prove that their financial and information security controls work.
"We’re being held to the same privacy and security requirements as the big banks and financial institutions," Hargis says.
Venture Encoding recently received its SAS 70 Type II after a four-month examination. The SAS 70 Type II is more stringent than the Type I, which includes only a report on controls placed in operation at a specific point in time. In a Type II review, accountants actually test the controls to ensure they are in place and operating over the entire audit period.
At Venture Encoding, auditors checked to see whether the company had proper procedures in place in areas including control of access to customer data, encryption of customer data, change management, physical security of the building and intrusion testing. Auditors found no exceptions; had Venture Encoding failed any of the tests, the final SAS 70 report would have noted them.
Before beginning a SAS 70 review, consider the following recommendations:
Choose an auditor with industry-specific expertise. Like other professionals, accountants develop in-depth knowledge of various industries. Hargis of Venture Encoding was careful to choose an accounting firm with experience in the print-mail industry to conduct the company’s review.
Take control of the SAS 70 process. In completing a SAS 70 Type II audit, accountants review the general and information systems controls that surround the processing of financial and customer data. These controls are specific and comprehensive. But companies might also ask auditors to include other controls in the audit. These may include information-security areas such as access control, user authentication and intrusion detection. It's important that the audit include all the information-security areas necessary to protect confidential information.
First time for a SAS 70? Consider adding a preliminary diagnostic audit. Workstream, a publicly traded company with about $32 million in annual sales, went through its first SAS 70 in 2006. Before embarking on the Type I and Type II audits, Gioja asked auditors to determine what such reviews would cover.
Talk to your clients before embarking on a SAS 70. The financial institutions that hire Venture Encoding conduct regular security audits of the firm. Venture Encoding leaders hope the SAS 70 audit will answer many of the questions raised by security audits conducted by each of the company’s clients.
"That’s the intent," Hargis says. "We’re pretty sure [the SAS 70] won’t replace the need for those security audits. But it should increase our clients’ comfort level with us."
To make sure that happens, experts recommend talking to clients about specific control areas they’d like to see included in a SAS 70 audit. That’s likely to save time on future security audits and reassure potential future clients.
Patience is a virtue
Don't expect overnight results. SAS 70 reviews take time. At Workstream, auditors spent three months on the preliminary diagnostic review, three months on the Type I review and two months on the Type II review (which began after six months of operation following completion of the Type I review). And that's just the beginning. Workstream is planning annual SAS 70 reviews, because current clients expect it, and future clients may require it.
Venture Encoding will also be inviting auditors to return to Fort Worth annually to conduct SAS 70 reviews.
"In coming years, you’re going to have to have it to do business with the big guys," Hargis says.