Small Business Review

About Us

Small Business Review is published by Penton Media for successful small business owners and executives.

Sarbanes-Oxley Hits Small Business, Too

By Ann Meyer

Suppliers to publicly held companies that fall under the Sarbanes-Oxley accounting rules have to show they have adequate controls.

When John Bostick, chief executive of dbaDirect in Florence, Ky., first learned one of his customers was sending auditors from PricewaterhouseCoopers to investigate his company’s processes and controls last year, it rubbed him the wrong way. It was, he says, like an unexpected visitor, arriving with a white glove to see how clean your house is. “It’s uncomfortable,” he says.

But more such calls came from Fortune 1000 clients and Bostick soon realized that this is the new reality for many small businesses: As publicly traded companies scramble to comply with the Sarbanes-Oxley Act, the 2002 law aimed at preventing corporate accounting meltdowns à la WorldCom, service organizations that contract with them are getting caught up in the rules, too. Specifically, big corporate customers who buy dbaDirect’s information-technology services have to file annual Section 404 reports, in which they attest that their companies—and certain suppliers—have effective internal controls and processes to ensure the integrity of financial reporting.

While auditors for public and private corporations have been requesting SAS 70s from service organizations since the 1990s, “Interest has definitely increased because of Sarbanes-Oxley Section 404,” says Chuck Landes, vice president of the professional standards group at the American Institute of Certified Public Accountants in Washington, D.C. It’s not just companies like dbaDirect, which has hooks into client databases, that are affected. A whole range of small companies, from payroll processors to real estate services companies that handle rent transactions, are called on to prove they are up to snuff—often at their own expense. Indeed, dbaDirect is among a growing number of small businesses trying to gain control of the process by paying for their own SAS 70 Type II audits (more formally known as a Statement on Auditing Standards No. 70), which provide its large clients with an independent auditor’s opinion on the effectiveness of dbaDirect’s processes and controls.

The investment of time and money is considerable—anywhere from $40,000 to $1 million, says Jim Pajakowski, a managing director of Protiviti, a unit of Menlo Park, Calif.-based Robert Half International that specializes in internal audits and compliance. But paying for a SAS 70 audit has several benefits, he says. “Instead of having every single client come in and look at their controls, they have an independent party come in and do a report,” he says. And, for certain industries, he adds, SAS 70 “is almost always part of contract negotiations.” In businesses such as IT outsourcing, not having a SAS 70 can keep suppliers from getting new contracts.

Under the SAS 70 Microscope

What Is It?
SAS 70 (Statement on Auditing Standards No. 70) is an audit report that discloses a service organization’s internal controls and processes relevant to the financial reporting of a client organization. A SAS 70 Type I report describes the controls in use and includes an auditor’s opinion of their suitability. Most publicly held firms prefer a Type II report, which adds testing and an evaluation of the controls over a period of at least six months. In a Type II report, the auditor will give an opinion on whether the controls were operating sufficiently.

Who Needs It?
Many service businesses decide to get a SAS 70 after numerous clients ask for it. Businesses that manage financial transactions or data processing for publicly held companies are most likely to get requests for a SAS 70. Suppliers of hard goods or services that don’t affect their clients’ financial controls are less likely to receive SAS 70 requests.

Who Does It?
SAS 70s must be issued by an independent Certified Public Accountant, but not all CPAs are well suited to the task. Look for those with auditing experience and backgrounds in IT processes and controls. To find a SAS 70 auditor, start with your accounting firm; if it doesn’t perform the service, ask for a referral. Also ask for recommendations from other small business owners who have gone through the process.

What Does It Cost?
Most auditing firms charge by the hour. Depending on the scope of the audit, a SAS 70 Type II can cost as little as $20,000. More typically, expect to spend at least $40,000. Some complex audits can cost $1 million.

For more information on SAS 70 audits, contact the American Institute of Certified Public Accountants at www.aicpa.org or see the Web site www.sas70.com.

Bostick quickly realized his business required the audit. “We proactively said we’re going to do whatever it takes to work with the Fortune 1000 companies,” he says. The company already had documented its processes. So it began organizing and centralizing them, then looked for holes. Then the auditors came in to inspect the processes and controls.

The exercise was no cakewalk. “It’s not very fun. It’s very tedious. It’s distracting to a business you’re already busy with,” Bostick says. “But you’ve got to do what you’ve got to do. It’s become a mandatory part to get in the game.”

The audit cost dbaDirect about $20,000 and took about 12 weeks to complete from preparation to final report. Bostick says he got a good deal on the auditor’s fee, due to his firm’s initial prep work and the scope of the project. He also shopped around and got multiple bids for the work.

Beyond retaining clients, the SAS 70 process can help a company land new business and discover ways to be more efficient. “It’s absolutely made us better,” Bostick says. “These processes protect you, shore you up and help you achieve sustainability in business” by pointing out holes in your systems.

For Chicago-based Fieldglass, a provider of Web-based platforms for managing contingent labor services, completing the SAS 70 audit streamlined the sales cycle. Previously, with each new prospect, “I’d have to show them what we do, and do the dog-and-pony show for them,” says Dan Bell, vice president of client assurance. “Although I made a compelling presentation, there really wasn’t any proof. Now with the SAS 70 in hand, I feel I don’t have to do that any more.”

Fieldglass spent six to eight months preparing for its SAS 70 audit by documenting every process, then looked for holes and redundancies. “It really helps make a more bulletproof process,” Bell says.

An unexpected benefit, Bell says, was opening communication among the firm’s 70 employees as they prepared for the audit. “People tend to work in silos. They know everything about their job but nothing about their colleagues’ jobs,” he says. “Now we know a tremendous amount more about what everyone does than before.”

Still, some small businesses find that they can furnish proof of adequate controls without the expense of an audit. For example, CVM Solutions, a supplier of vendor management systems, weighed the cost of a SAS 70 audit and decided it would be cheaper to answer client inquiries as they arise, says Rajesh Voddiraju, president and chief executive. So far, the strategy is working for the Oak Brook Terrace, Ill.-based company, which counts 120 of the Fortune 500 among its clients. “We haven’t lost any business because we don’t have a SAS 70,” Voddiraju says.

But, he notes, most requests for bids ask for the SAS 70 and “if you don’t have it, you have to go through a more thorough interrogation.” In fact, clients typically spend two to six months querying CVM about its controls and testing its security. Though the client is performing the audit, Voddiraju estimates the process commands between 20 and 200 hours of labor for CVM per client. “It’s a significant upfront investment for us to go through such a process,” he says. In addition, he concedes that the process can be a big distraction for the boss. “If the CEO is involved in the due diligence, it’s time they’re not doing anything else,” he says.

How long will CVM hold out? “I don’t know what the tipping point would be,” Voddiraju says. Probably when CVM concludes—as other small businesses have—that SAS 70, like Sarbanes-Oxley for big corporations, is becoming part of the cost of doing business.



