In October 2008, ACA International, The Association of Credit and Collection Professionals, will unfold a newly-enhanced Professional Practices Management System (PPMS) program and a brand new 18th element focusing on physical and data security. The changes to the program will affect all agencies currently working toward certification, and all certified and subscribed agencies.
Changes to PPMS – ACA’s voluntary quality assurance certification program – were implemented to address client-driven demands for agencies to implement additional data security measures in their organizations. With data and identity theft on the rise, many of ACA members’ clients are requiring their agencies obtain a Statement of Auditing Standards No. 70 (SAS 70) audit, which is a test of the existence of internal controls within a service organization. The internationally-recognized auditing standard was historically a test for publicly-traded companies until 2002, when the Sarbanes-Oxley Act (SOX) introduced additional outsourcing (i.e. collection services) and control requirements. The Act clearly states that outsourcing a business process does not mean the organization is not responsible for ensuring adequate controls over the processes. Thus, the Act mandates that organizations make sure their service providers (i.e. collection agencies) have appropriate controls over business processes and information technology.
Non-publicly traded companies also require collection agencies to obtain the audit because of its usefulness in determining quality assurance standards. SAS 70 audits allow the those businesses to get a detailed description of the agency’s controls, making sure they are effective, suitably designed and currently operating. The audit also alleviates the pressure on the business to perform its own audit on the collection agency.
To help members meet the needs of their clients, ACA began working with Minneapolis-based CPA firm LarsonAllen and the PPMS committee to enhance the physical and IT security aspects of the PPMS elements. The goal was to enhance PPMS in such a way that it would serve as a cost-effective method of preparation for the SAS 70 audits. ACA’s PPMS and Executive committees approved changes to the program in June 2008.
“The new information will never replace a SAS 70 audit as Element 18 and PPMS are not recognized as an independent audit performed by an outside organization,” said Tina Hanson, PPMS committee member and vice president of State Collection Service Inc. in Madison, Wis. “However, the new information sure helps you prepare for a SAS 70, lowering the costs for the assessment that occurs during a SAS 70 as the procedures and documentation are in place,” she said.
Therese Yakel, PPMS committee chair and executive vice president of General Service Bureau (GSB) Inc. and Early Out Services (EOS) in Omaha, Neb., agreed the new 18th element will prepare her agency for a SAS 70 audit, but also provide immediate benefits to her agency as well.
“Element 18 will assist our agency in protecting its assets by increasing employees’ awareness of their information security responsibilities,” Yakel said. “Additionally, we will eliminate a tremendous amount of rework in fixing problems as they arise because controls will already be in place with the new enhancements.”
GSB Manager of Organizational and Process Development Rod Jastorff said the new enhancements will also demonstrate to its clients that GSB and EOS are committed to securing information resources. “Element 18 shows GSB and EOS care about protecting its information as well as their consumer’s information,” he said.
Yakel and Jastorff added the new enhancements will reduce their agency’s vulnerability and the extent of information security breaches if they arise. “The sooner a breach is identified, the lower the cost of addressing it will be,” Jastorff said.
For more information about changes to the PPMS program, please contact ACA’s PPMS staff at +1 (952) 926-6547 or ppms@acainternational.org.