While SAS 70 is technically obsolete, understanding its legacy is crucial for investment advisors navigating modern compliance landscapes. SAS 70, or Statement on Auditing Standards No. 70, was an auditing standard issued by the American Institute of Certified Public Accountants (AICPA) that governed how service organizations, including investment advisors managing assets for clients, reported on their internal controls. It provided a framework for assessing and reporting on the design and operational effectiveness of these controls, particularly those relevant to financial reporting.
Investment advisors, who often manage significant client assets and handle sensitive financial data, relied on SAS 70 reports to demonstrate their commitment to data security and sound operational practices. The report, generated by an independent auditor, provided assurance to clients and potential investors that the advisor had implemented and was effectively operating controls related to areas such as portfolio management, trade execution, custody of assets, and client reporting.
The SAS 70 audit process involved a detailed examination of the advisor’s control environment, risk assessment processes, information systems, control activities, and monitoring processes. Auditors would test the design of these controls to determine if they were suitably designed to prevent or detect errors or fraud. Furthermore, they would test the operating effectiveness of the controls over a period of time, typically six months or a year, to ensure that they were consistently applied as intended.
The benefit for investment advisors in obtaining a SAS 70 report was multifaceted. First, it provided a competitive advantage. Advisors with a clean SAS 70 report could demonstrate their commitment to best practices, instilling confidence in clients and attracting new business. Second, it helped to mitigate risks. The audit process itself often identified weaknesses in internal controls, allowing the advisor to address them proactively, minimizing the potential for errors, fraud, or regulatory violations. Third, it streamlined due diligence. Institutional investors and other clients often required vendors, including investment advisors, to provide evidence of strong internal controls. A SAS 70 report satisfied this requirement, saving time and resources for both the advisor and the client.
However, SAS 70 has been superseded by SSAE 16 (Statement on Standards for Attestation Engagements No. 16) and, subsequently, by SSAE 18, which is the current standard. While the fundamental principles remain the same, SSAE 18 offers a more comprehensive and flexible framework for reporting on internal controls. It introduced the concept of Service Organization Control (SOC) reports, including SOC 1, SOC 2, and SOC 3 reports, each designed to address specific reporting needs.
Today, investment advisors are more likely to seek SOC reports, particularly SOC 1 or SOC 2, to demonstrate their commitment to strong internal controls. SOC 1 reports focus on controls relevant to the client’s financial reporting, while SOC 2 reports address controls related to security, availability, processing integrity, confidentiality, and privacy. Nonetheless, understanding the foundation that SAS 70 provided is crucial for interpreting modern SOC reports and appreciating the ongoing importance of internal controls in the investment advisory industry. The evolution from SAS 70 to SSAE 18 and SOC reports underscores the ever-increasing demand for transparency and accountability in financial services.