New Standards for Assessing Risks

As more companies continue to look to external service organizations to provide non-core operational support, auditors have recognized a need for better internal control auditing standards. In the past, the primary audit standard for these external service providers was the Statement on Audit Standards No. 70, better known as SAS 70. In the absence of another internal control audit standard, SAS 70 became the de facto standard for companies seeking assurance that their service provider was secure and well-controlled. Service providers also touted their SAS 70 reports from auditors as though they were a “Good Housekeeping” seal of approval. The main problem was that SAS 70 reports focused only on internal control over financial reporting. They did not provide any assurance on items such as information security, operational control or regulatory compliance.

To fill this vacuum, the American Institute of Certified Public Accountants has developed new standards to replace the outdated SAS 70. Now known as Service Organization Control (“SOC”) reporting standards, these new guidelines provide for three separate and unique reports to address the full complement of internal controls at an external service provider.

The first standard report, SOC 1, essentially replaces the SAS 70 report that focused solely on financial controls. However, SOC 2 and SOC 3 are new reports that will provide opinions on the effectiveness of controls related to operations and compliance. SOC 2 is a restricted use report intended for use between auditors of the service provider and their clients. SOC 3 is a general use report that can be used by the service providers in providing assurance to potential clients as a “seal of approval”.

These new reporting standards become effective June 15, 2011, so the ubiquitous SAS 70 will soon become a relic of the past. More importantly, companies will soon gain a better understanding of how well their service providers are managing their risks.


Growing Web of Risks in Today’s Business World

As many companies look to better understand the complex risks within their organization, recent events are pointing to the increasing need to understand the even more complex risks posed by partner organizations. Richard Thaler, professor of economics and behavioral science at the University of Chicago, provided his view in the New York Times this week.

As the oil spill in the Gulf of Mexico follows on the heels of the financial crisis, we can discern a toxic recipe for catastrophe. The ingredients include risks that are erroneously thought to be vanishingly small, complex technology that isn’t fully grasped by either top management or regulators, and tricky relationships among companies that are not sure how much they can count on their partners.

For the financial crisis, it has become clear that many chief executives and corporate directors were not aware of the risks taken by their trading desks and partners. Recent accusations against Goldman Sachs suggest the potential for conflicts of interest among banks, investors, hedge funds and rating agencies. And it is clear that regulators like the Securities and Exchange Commission, an agency staffed primarily with lawyers, are not well positioned to monitor the arcane trading strategies that helped produce the crisis.

The story of the oil crisis is still being written, but it seems clear that BP underestimated the risk of an accident. Tony Hayward, its C.E.O., called this kind of event a “one-in-a-million chance.” And while there is no way to know for sure, of course, whether BP was just extraordinarily unlucky, there is much evidence that people in general are not good at estimating the true chances of rare events, especially when human error may be involved. There was another major blow-out in the gulf 31 years ago by the Mexican rig Ixtoc I. So was this really a one-in-a-million risk?

In the current spill, the problems of assessing risk were complicated by the teamwork required among BP; Transocean, which owned the rig; and Halliburton, which had provided services like concrete work. “Of the 126 people present on the day of the explosion, only eight were employees of BP,” reported Ian Urbina in The New York Times. “The interests of the workers did not always align.”

Certainly, before a company can fully understand the growing web of internal and external risks inherent in its business activities, the company must have a disciplined approach to risk management. A strong enterprise risk management program can help in this regard. If your company is looking to implement or improve its enterprise risk management program, Wheelhouse Advisors can help. Visit to learn more.

What You Don’t Know Can Hurt You

More and more attention is focused on the potential risks of outsourcing and offshoring due to high profile cases such as the massive accounting fraud at Satyam Computer Services in India. Companies looking to accelerate expense reduction in the face of dwindling revenue are increasing their exposure to a variety of risks through business process outsourcing (“BPO”). Here is a related observation from a recent article in CFO magazine.

Experts predict that recent events will spur more-comprehensive scenario planning regarding potential offshoring vulnerabilities, including performance problems, power outages, terrorism, and fraud. “It’s causing a lot of people to pause for a second and say, ‘Oh my God, there are more unknowns and risk than I thought,’” says Robert E. Kennedy, executive director at the University of Michigan’s William Davidson Institute, and author of a book about offshoring called The Services Shift.

How well do you know your BPO partner and the potential risks associated with your relationship? Wheelhouse Advisors can help build a risk assessment framework to provide the necessary insight to manage a successful relationship. Visit to learn more.