March 3, 2012
This is the message from Financial Institutions (FIs) and Small Businesses burdened with Sarbanes-Oxley, Dodd-Frank and Obamacare.
Although Sarbanes-Oxley has been in effect since 1992, bank regulators have turned up the heat in recent years on FIs and on the small businesses that support them. Regulators have tasked FIs with obtaining extensive background on their third-party vendors, not the least of which is a Statement on Auditing Standards (SAS) 70 Type I or Type II report. Type II is much more comprehensive and is required if a third-party vendor has access to sensitive FI data. Many small businesses have to deal with PCI compliance and with the regulatory uncertainties placed upon them by Dodd-Frank and Obamacare as well.
The “short link” to this narrative is that community banks, credit unions and small businesses have to dedicate at least one full-time employee (FTE), plus high-level management’s time, to managing these regulatory requirements.
FIs consist mainly of community banks and credit unions with assets of $50 million to $10 billion. Many of them are small businesses too, employing 25 to 50 people on the lower end and hundreds on the higher end. FIs therefore employ FTEs and/or outside consultants to manage the burden. The SAS 70 requires a great deal of technical expertise. In addition, small businesses have had to hire their own third-party accounting, legal, security and compliance experts to test regulations tied to intrusion detection, audited financial statements and site inspections. Vendors have also had to install and keep up to date hardware, including an array of security cameras and a “boat load” of security and encryption hardware and software.
Consider that each of these FIs manages 20 to 30 third-party vendors. Add to this the cost to each vendor, and to the small community banks and credit unions, who have to manage the same regulations. Consider the changes vendors have needed to make to the software they provide to FIs. The costs could be well into the billions.
Add to this the hundreds of businesses, call it a “cottage” industry, that have sprung up to aid third-party vendors and FIs who can’t afford to deal with all these new government regulations and compliance requirements on their own. Small business vendors can easily spend $10,000 or more per month to provide compliance to customers and the security they need under ever-increasing government regulations. Ironic, isn’t it? New businesses are spawned by increases in government regulations.
Added regulatory burden is a tax on small business. Businesses, especially small businesses, have to pass that cost on to their customers, and so on down the chain to the end result: the consumer.
One final consideration. Community banks, credit unions and small businesses are not going to get the media attention of Occupy Wall Street. We are occupied with raising our families, growing our businesses and gainfully employing people who want to work for a living. We generate over 60% of the new jobs in this country. If our government continues to go down the path of increased regulatory burden and continues to place the burden on small business, legislators will have fewer laws to pass, fewer regulations to enforce and fewer job creators to tax. You will put us and more of my fellow job creators out of work.
Here’s our message to our representatives in government…
“If you continue to put small businesses, the real job creators out of business, we will turn the full force of our entrepreneurial spirit into making those of you, who over-burden us with excessive regulatory burden, out of business, too!”
Background: SAS 70 was issued in 1992, and there had been no changes to it until now. Effective for accounting periods beginning on or after June 15, 2011, a new standard, Statement on Standards for Attestation Engagements (SSAE) 16, will be in effect. Do not expect any immediate changes. Most companies have fiscal years that correspond to the calendar year. For those, the new standard will not be effective until January 1, 2012, and reporting under the new standard will not be available until the company’s financial results for 2012 are published in 2013. Many people misinterpreted the SAS 70 report as a means of obtaining assurance regarding a vendor’s controls over compliance and operations. It was not. It was only a report on the vendor’s controls over financial reporting matters. The new SSAE 16 reports will be much more comprehensive.
Under the new reporting regime there will be three varieties of report: SOC 1, SOC 2 and SOC 3. The SOC 1 report will be similar to the existing SAS 70 report in that it will report on the company’s controls relative to its financial reporting. A SOC 2 report may address one or more of the following five key system attributes:
* Security – The system is protected against unauthorized access (both physical and logical).
* Availability – The system is available for operation and use as committed or agreed.
* Processing integrity – System processing is complete, accurate, timely and authorized.
* Confidentiality – Information designated as confidential is protected as committed or agreed.
* Privacy – Personal information is collected, used, retained, disclosed and disposed of in conformity with the commitments in the entity’s privacy notice and with the criteria set forth in the Generally Accepted Privacy Principles (GAPP) issued by the AICPA.
The new auditing framework places additional demands on the management of the organization being audited. Management must make a representation of the controls in place and provide criteria for the description of the system and for the design and operating effectiveness of the controls. It must also evaluate the risks that threaten the achievement of the control objectives and any changes that were made to the system during the period.