Accounting scandals such as Enron and WorldCom forced US lawmakers into action. Under Section 404 of the Sarbanes-Oxley Act (SOX), all companies listed on US stock exchanges must establish an internal control system over financial reporting by the end of 2006 and document its effectiveness. Since electronic information systems now form the basis of correct financial reporting, these controls extend to the IT environment. If a company contravenes the SOX requirements, those in charge may face a fine or, in the worst case, a jail sentence.
But what happens if the company relies on an external IT provider? The legal responsibility stays with the listed company, but the controls operated by the provider fall within the scope of its assessment. An SAS 70 Type II report lets the service provider demonstrate to its customers and their auditors that those controls have been independently tested and found effective over a defined period. The provider can thus offer its customers both a basis for legally compliant annual statements and a better documented service.
Globally recognized standard
The SAS 70 Type II report is the global de facto standard for audit-based assurance at IT service organizations. A provider must demonstrate to customers that it reliably controls the processes outsourced to it. To do so, an independent auditor performs what is known as an SAS 70 Type II audit, covering a defined review period, at least once a year and in many cases twice.
However, a number of studies show that many European IT service providers have so far paid little attention to the consequences of Sarbanes-Oxley, let alone to an SAS 70 Type II audit. But time is running out. Alongside the US requirements, further European regulations on corporate compliance will come into force by 2007 in the shape of Basel II and the 8th EU Company Law Directive on statutory audit.
The IT service provider SAP Hosting therefore took the initiative as early as 2004 and successfully completed the audit process by mid-2005. Since then, the SAP subsidiary has undergone regular examinations in accordance with the SAS 70 standard. The subsidiary’s management views the process not merely as an instrument of financial control, but also as a welcome means of quality management. “SAS 70 is a certification of security and at the same time a quality seal for the standard of the provider’s service. This will cause all customers to take notice, not just those companies that are affected directly by SOX,” says project manager Nicole Fuchs.
“Consistent service quality”
The requirements of an SAS 70 Type II audit are extensive. The audit at SAP Hosting, conducted by KPMG, covered system maintenance, problem and change management, logical and physical security, the business environment, and computer operations. In its SAS 70 Type II report, KPMG attested that the IT provider operated efficient and, above all, secure processes in all of these areas. “An SAS 70 audit is a global procedure. Our processes are standard across the company. They are precisely harmonized with one another and clearly structured. This guarantees a consistently high quality of service to our customers around the world,” says Dagmar Oeldemann, IT Service Manager at SAP Hosting. The audit enabled SAP Hosting to improve its customer service in three areas in particular.
Secure approval procedures in change management
In change management, the provider introduced a stricter approval procedure. When customers want to adapt their hosted solutions or processes, SAP Hosting assigns each change to one of three categories according to its possible effect on system availability and data integrity: minor changes, significant changes, and complex, major changes. Changes in the first two categories carry low risk to system performance and availability. Examples are reallocating hard disk storage or loading UNIX service packs (minor), and applying database or SAP patches (significant). The highest category covers system changes that can considerably affect the integrity, availability, and transport of data, such as a comprehensive solution upgrade like an SAP R/3 release change, or a large database restore.
While minor and significant changes require no authorization or only a “passive” one, that is, appropriate advance notice to the customer from SAP Hosting, major changes require a specific, active approval procedure. “Major changes can only be performed with explicit customer authorization. Further, approved operations are first tried out in a test environment before the live system itself is modified,” explains Dagmar Oeldemann. The corresponding change request must explicitly reference the approval, and the link can later be traced at any time in the action log for that procedure. This guarantees that the party responsible for the system evaluates and approves every change before it is carried out, and it clearly demarcates the responsibilities of customer and provider. Both are on the safe side.
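The three-tier approval control described above, written out as a gate that a change-management tool could enforce. This is an added illustration, not SAP Hosting's own tooling: the category names come from the text, while the approval-record fields, the hash-chained action log and the sample change requests are assumptions made for the example. The log is chained so that a deleted or edited entry is detectable when the trail is reviewed later, which is the property an auditor relies on when tracing a change back to its approval.

```python
"""Change-approval gate for minor / significant / major changes (added example)."""
from dataclasses import dataclass
from hashlib import sha256
from typing import Dict, List, Optional, Tuple
import json

MINOR, SIGNIFICANT, MAJOR = "minor", "significant", "major"
PASSIVE = {MINOR, SIGNIFICANT}   # notice to the customer is sufficient


@dataclass
class ChangeRequest:
    change_id: str
    category: str
    description: str
    customer_notified: bool = False
    approval_ref: Optional[str] = None   # assumed field: id of the customer's explicit approval
    tested_in: Optional[str] = None      # assumed field: test system the change was rehearsed on


class ActionLog:
    """Append-only log in which each entry commits to its predecessor's hash."""

    def __init__(self) -> None:
        self.entries: List[dict] = []

    def append(self, event: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        digest = sha256((prev + json.dumps(event, sort_keys=True)).encode()).hexdigest()
        self.entries.append({"event": event, "prev": prev, "hash": digest})
        return digest

    def verify(self) -> bool:
        """Recompute the chain; any altered, removed or reordered entry breaks it."""
        prev = "0" * 64
        for entry in self.entries:
            expected = sha256((prev + json.dumps(entry["event"], sort_keys=True)).encode()).hexdigest()
            if entry["prev"] != prev or entry["hash"] != expected:
                return False
            prev = entry["hash"]
        return True


def gate(req: ChangeRequest, approvals: Dict[str, str], log: ActionLog) -> Tuple[bool, str]:
    """Decide whether a change may touch the live system and record the decision.

    `approvals` maps an approval reference to the change_id it covers; an approval
    issued for a different change does not count, so approvals cannot be reused.
    """
    if req.category in PASSIVE:
        if req.customer_notified:
            ok, reason = True, "passive authorization: customer notified"
        else:
            ok, reason = False, "customer not notified"
    elif req.category == MAJOR:
        if req.approval_ref is None or approvals.get(req.approval_ref) != req.change_id:
            ok, reason = False, "major change lacks explicit customer approval"
        elif not req.tested_in:
            ok, reason = False, "major change not rehearsed in a test environment"
        else:
            ok, reason = True, f"approved via {req.approval_ref}, tested in {req.tested_in}"
    else:
        ok, reason = False, f"unknown category {req.category!r}"
    log.append({"change_id": req.change_id, "category": req.category,
                "approval_ref": req.approval_ref, "allowed": ok, "reason": reason})
    return ok, reason


def run_demo() -> Tuple[List[Tuple[str, bool]], ActionLog]:
    """Run constructed sample requests through the gate (sample data, not real records)."""
    approvals = {"APR-2005-017": "CHG-1003", "APR-2005-018": "CHG-1005"}
    requests = [
        ChangeRequest("CHG-1001", MINOR, "extend database filesystem by 50 GB", customer_notified=True),
        ChangeRequest("CHG-1002", SIGNIFICANT, "apply SAP kernel patch"),            # nobody told the customer
        ChangeRequest("CHG-1003", MAJOR, "R/3 release upgrade", approval_ref="APR-2005-017", tested_in="QAS"),
        ChangeRequest("CHG-1004", MAJOR, "restore production database", approval_ref="APR-2005-017"),  # wrong change
        ChangeRequest("CHG-1005", MAJOR, "R/3 release upgrade", approval_ref="APR-2005-018"),          # never tested
    ]
    log = ActionLog()
    results = [(r.change_id, gate(r, approvals, log)[0]) for r in requests]
    return results, log


if __name__ == "__main__":
    decisions, trail = run_demo()
    for change_id, allowed in decisions:
        print(change_id, "ALLOWED" if allowed else "BLOCKED")
    print("log intact:", trail.verify())
```

Only the first and third requests pass: the patch without customer notice, the restore that borrows an approval issued for another change, and the untested upgrade are all blocked, and each decision is written to the chained log. A reviewer can later call `verify()` on the stored trail to confirm that no entry was altered or removed.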
Comprehensive monitoring system in problem management
The management at SAP Hosting also personally ensures compliance with clearly defined service procedures in problem management. Every problem record is routed to the specialists responsible for the affected component, who determine the root cause. All unresolved problems are subject to ongoing review, and management checks in detail whether the cause of each fault has been properly identified and whether the problem has been remedied correctly and in a timely manner.
Proactive incident management
Additionally, SAP Hosting has introduced proactive incident management. Regular system performance checks ensure that customers are informed continuously and proactively about unforeseen incidents such as temporary unavailability of applications and system downtime. The procedure ensures that the customer is notified of every incident and reduces the effort needed to remedy problems.
Motor for continuous improvement
SAP Hosting’s early preparation for the strict legal requirements has already paid dividends for the company and, in particular, for its customers. After all, security and process efficiency play a key role when choosing an IT provider, and under SAS 70 both are regularly evaluated by an independent party. “Overall this gives rise to a constant process of improvement, to which we give further impetus by means of voluntary internal audits,” says Nicole Fuchs. For companies that want to outsource IT services to external providers, or have already done so, the SAS 70 quality seal serves as an important pointer, even where there is no legal obligation to comply with Sarbanes-Oxley.