Sidebar: SAS 70 Standard Helps Bankers Evaluate Outsourcers

Computerworld - MEMPHIS -- Corporate IT organizations are increasingly turning to the SAS 70 auditing standard to ensure that outsourcers comply with various government IT regulations.
SAS 70, or the Statement on Auditing Standards No. 70, was developed by the New York-based American Institute of Certified Public Accountants. It can be used to ensure internal compliance and that vendors abide by the rules, executives said.
Chicago-based Northern Trust Corp. uses the SAS 70 format to evaluate whether large outsourcing vendors are compliant with various government regulations, such as the Sarbanes-Oxley Act and the Gramm-Leach-Bliley Act, said Katy Hurst, global disaster recovery director at the bank.
Northern Trust has beefed up its effort to scrutinize current and potential outsourcing partners because regulators have made it clear that "outsourcing relationships are subject to the same risk management practices" as those used in-house, Hurst said at the American Bankers Association's Bank Outsourcing Forum here last week.
First Horizon Bank also spends "considerable time" performing internal audits and using the SAS 70 certification standard to ensure that the IT operations of its outsourcers are compliant with privacy laws, said Patrick Ruckh, First Horizon's chief technology officer.
William Henley, an examination specialist at the Federal Deposit Insurance Corp., urged the banking executives to go beyond using SAS 70 as a checklist for outsourcers and called on IT units to undertake their own vigorous due-diligence processes.