 |
Business is risky. This is the time to play it safe.
Read the following FAQ on the Vcommerce SAS 70 Type II Certification to learn more about why it’s important to choose
certified service providers for your ecommerce operations.
FAQ - the Vcommerce SAS 70 Type II Certification
Vcommerce achieved a SAS 70 Type II Certification based on review by KPMG LLP as our independent service auditor.
Please read further to understand what this certification means and how it benefits our clients.
Forrester Research ranks upgrading security and supporting changes in corporate governance
(e.g., Sarbanes-Oxley) in the top 4 of the top eight initiatives for North American IT organizations
in 2006 (Market Overview - "Making Sense of Hosted Commerce Platforms", March 17, 2006).
AMR Research says more than 80% of the companies they surveyed plan to add or improve their SOX compliance
in the next 12 months ("SOX Spending for 2006 to Exceed $6B", November 29, 2005).
|
What is the SAS 70 auditing standard, and why should I care?
The SAS 70 ("Statement on Auditing Standards No. 70") is an internationally recognized auditing standard
developed by the American Institute of Certified Public Accountants (AICPA). Audit reports issued in accordance
with SAS 70 provide a means for our clients who are subject to Sarbanes-Oxley (Section 404) to evaluate the
effectiveness and significance of their service provider’s controls. Additionally, SAS 70 has been designated by
the SEC as an acceptable method for the management at such companies to obtain assurance about a service
organization’s internal controls without conducting separate assessments. This results in significant audit
cost savings for both parties.
SAS 70s are the de facto standard for companies who use third party service providers and who are subject to
Sarbanes-Oxley Section 404 for IT internal control assurance. For the same reasons, they are also valuable to
private companies who use such service providers and who are planning on going public, preparing to be acquired
or who wish to adopt best-practice principles.
Why did Vcommerce seek a SAS 70 Type II Certification?
A SAS 70 Type II Certification is a market differentiator. Many companies make the availability of a SAS
70 report a prerequisite for engaging a service provider. This certification also represents our commitment
to providing the next level of service and IT security for our clients and includes significant audit cost savings
for them. With this certification, our clients can be confident that Vcommerce services operate under reasonable
controls, and that our systems are secure, reliable and compliant with evolving regulatory mandates.
Additionally, we believe that our clients can leverage the increased control and visibility gained from adherence
to these operational standards, to help improve the efficiencies of their e-commerce operations.
What are the benefits of the Vcommerce SAS 70 Type II Certification to our retail clients?
- Required by law: SAS 70 supports Sarbanes-Oxley Section 404 requirements and is designated by the SEC as an acceptable method to obtain assurance about a service organization’s internal controls.
- Reduces audit costs and speeds due diligence: a SAS 70 Type II report may be accepted in lieu of conducting a separate audit of a service provider.
- Provides control and assurances: a SAS 70 audit represents that a service provider has been through an in-depth audit of their control activities, which generally includes controls over information technology and related processes.
- Added value from compliance: clients can leverage the increased control and visibility from adherence to SAS 70 standards to help improve efficiencies of their e-commerce operations and relationships with their service providers.
What is the difference between a Type I and a Type II report?
SAS 70 service auditor reports vary in content based on whether the report is a Type I or Type II Report.
The Type II report is the most stringent and is the one that Vcommerce completed. It includes rigorous tests of
specified controls and provides a measure of assurance that related control objectives were achieved. As a result,
Vcommerce client auditors are allowed to rely more extensively on a Type II report which can result in lower client
audit costs.
Type I – Report on Controls Placed in Operation includes:
- A description of detailed controls
- Whether the specified controls are suitably designed to achieve broader control objectives
- Whether the specified controls had been placed in operation as of a specific date
- An auditor’s opinion attesting to the information in the report, but includes a specific disclaimer of opinion on the operating effectiveness of the controls
Type II – Report on Controls Placed in Operation and Tests of Operating Effectiveness includes the items in the Type I report, plus:
- A description of specific tests applied to controls and those test results
- Whether the specified controls that were tested were operating with sufficient effectiveness to provide reasonable assurance that the related control objectives were achieved during the period specified
- An auditor’s opinion attesting to the information in the report (which excludes the Type I disclaimer noted above)
Why did Vcommerce use KPMG to conduct our SAS 70 audit?
A SAS 70 audit can only be performed by a CPA firm or a certified public accountant who must be certified
and who must adhere to specific professional standards established by the American Institute of Certified
Public Accountants (AICPA). KPMG, as one of accounting's Big Four and a firm with extensive SAS 70 expertise,
meets these standards.
Where can I find additional information about Vcommerce and this announcement?
Updates may be posted periodically to the Vcommerce Web site located at www.vcommerce.com.
You may also send an email to info@vcommerce.com.
|
|
SAS-70 Type II Certification
