Just when corporate America thought it had met all of the reporting and auditing demands resulting from the Sarbanes-Oxley Act, another piece of Senate legislation is pending that would assess huge fines on financial service companies and other data managers that fail to adequately protect personal data.
The Personal Data Privacy and Security Act (S1332) is aimed at ensuring that data brokers use adequate data privacy and security systems. The Act provides for fines of up to $35,000 per day for violations of certain sections of the act.
“This legislation underscores the need for companies outsourcing their business processing services to make sure their vendors have the necessary safeguards in place,” said A. Mitchell Poole Jr., managing partner of the Atlanta office of Tidwell DeWitt, an accounting and business advisory firm. “The Statement of Auditing Standards No. 70 audit, commonly referred to as the SAS 70, is the industry standard for making such determinations.”
Poole said that companies outsourcing their business processing services – such as claims management, credit card processing, information technology and other processes – should insist their service vendors undergo a rigorous SAS 70 audit.
The SAS 70 is an auditing tool that outsourced financial service providers can also use to demonstrate to their clients the integrity of their processes. “It has reached the point that the SAS 70 is no longer optional for outside vendors providing financial and I/T services to clients,” said Poole. “Given the stakes now, companies just can’t run the risk of assuming that an outside service provider is doing all of the right things. The SAS 70 audit, which we specialize in, is one way they can be certain.”
SAS 70 was first developed by the American Institute of Certified Public Accountants in 1992. Following implementation of the Sarbanes-Oxley Act in 2002, SAS 70 audit reports became essential to full compliance with the act’s external service control requirements.
“If you haven’t asked if your service provider is SAS 70 compliant, you should do so right away,” advised Poole.
Tidwell DeWitt (www.tidwelldewitt.com), with offices in Atlanta and Birmingham, is one of the fastest growing regional accounting and business advisory firms in the Southeast.