The Sarbanes Oxley Act :: View topic - Same auditor for SAS70 and other Q's?
Posted: Thu May 26, 2005 2:46 am Post subject: Same auditor for SAS70 and other Q's?
Hello, first of all, great forum, loads of info.
I have a couple of questions, though, that I have not been able to get answered by the other threads:
I work for a company (in Europe) providing services such as data processing etc. We have been asked by a potential new client (in the US) to provide them with a SAS70 report for their audit, and I have been assigned to find out more about this (whohooo....)!
Initially I need to find out: if we use e.g. EY as our financial auditors, can we use the same firm to prepare a SAS70 report, or do they need to be "even more" independent?
Does it have to be US auditors preparing the SAS70, can someone elaborate?
If we decide not to produce a SAS70 report, will our client's auditors be obliged to come to Europe to audit our controls? At whose expense?
General cost question: Is the cost for a SAS70 generally borne within the service organization or is it ever shared with the client(s)?
For us it may be very expensive (in relation to revenue) to have a SAS70 report produced for this client alone. Are there any ways around this (I am not sure we even plan to try and sell many services in the US in the future)?
As a US-based multi-national public company, we are experiencing the pain of not having SAS 70 reports available in any of our foreign markets. This has generally been a US-only service.
There should be no issues with you using your normal auditor to perform a SAS 70 review. (Make certain that it is a SAS 70 Type II review, as a normal SAS 70 report is of little use to your clients.) In fact, they may be able to leverage their audit work to some extent and do it for less than an outside firm could.
The auditor should not have to be a US firm, only follow the SAS 70 guidelines in preparing the review.
The service provider (you) would bear the cost of the SAS 70 work, though it becomes a part of your cost base that ultimately gets billed out to those for whom you provide services (or your operating margins go down).
You should review the terms of your service contracts to see if you are obligated in any way to provide a SAS 70 or similar type of report. Generally, if the client needs to perform any reviews of your controls to satisfy his own SOX controls requirements, he will bear the cost of performing that review. He would also bear the cost if his auditor came over to do similar test work.
If you are not going to do much work for public companies in the US, you may not want to go to the expense (yet) of having a SAS 70 type II review performed. This will become an annual expense as your client will need to have an updated report each year if he is to rely on it at all.
The reason I asked if it had to be a US based auditor was because I picked this up on www.sas70.com FAQ's:
"Yes, a SAS 70 audit can be performed outside of the United States. The audit engagement would have to be performed by a firm based in the United States that subscribes to the professional standards as promulgated by the American Institute of Certified Public Accountants (AICPA)..."
"For example, a CPA firm based in New York may provide SAS 70 audit services to a multi-national Company based in the United States... If the CPA firm had local offices in the international locations, resources from those offices could participate in the engagement as long as the engagement remained under the direction and supervision of the office based in New York. The SAS 70 guidance would still apply to procedures conducted at the international locations as long as the final report was issued by the New York based CPA firm."
Of course, SAS70.com is a vendor site trying to sell SAS 70 services. Take the FAQs with a grain of salt.
I didn't see anything in the SAS 70 wording requiring a US-based auditor to perform the work. Part of the report opinion contains the following language -
Our examination was performed in accordance with standards established by the American Institute of Certified Public Accountants and included those procedures we considered necessary in the circumstances to obtain a reasonable basis for rendering our opinion.
As long as the auditor performing the SAS 70 work (or similar internal controls review and testing) is qualified to do the work, it can be relied upon.
I don't think that any official SOX language references SAS 70. This is referenced in several SOX whitepapers because of its use in the USA. I believe that any controls review and testing by a competent audit firm would meet the requirements as suggested in the various guidance that has been published.
Posted: Thu Jun 02, 2005 1:54 pm Post subject: SAS 70 not received: Material weakness
Interesting! Read the following text... if you ask for a SAS 70 and you do not get it, you have a material weakness...
MAGNA ENTERTAINMENT CORP — Leisure 2004 Sales: $731.60M Auditor: Ernst & Young, 04/28/05 - Disclosed material weaknesses in their internal controls.
A lot of companies have similar problems.
Material Weakness Identified — Based on its evaluation, management of the Company has identified a material weakness in its internal control over financial reporting with regard to two companies that are currently providing totalisator services to the Company. ... During the course of management's assessment of the effectiveness of the Company's internal control over financial reporting, the Company requested a Type II Statement on Auditing Standards ("SAS") 70 report from the three companies that provide totalisator services to the Company. Despite management's timely requests, Scientific Games Racing, LLC (the parent company of Autotote) and United Tote Company, two of the three companies that provide totalisator services ("tote companies") to the Company, were unable to provide the required SAS 70 reports.
The inability of these tote companies to provide the required SAS 70 reports has caused management of the Company to conclude that there is a material weakness in the Company's internal control over financial reporting. This conclusion is based on the fact that significant financial statement balances including gross wagering revenues, purses, awards and others and settlements receivable and settlements payable, are balances which are impacted by tote information from these companies. Although management did not identify any accounting adjustments as a result of inaccurate tote information in these accounts in the Company's financial statements for the year ended December 31, 2004, the inability to obtain a Type II SAS 70 report on the applicable controls in operation at these two tote companies is considered a material weakness in the Company's internal control over financial reporting because there is a potential of a material misstatement in gross wagering revenues, purses, awards and others, and settlements receivable and settlements payable in the annual or interim financial statements that would not be prevented or detected. The Company was able to obtain a Type II SAS 70 report from its third totalisator service provider, Amtote International, Inc. ...
As a result of the material weakness described above, management of the Company has determined that the Company did not maintain effective internal control over its financial reporting as of December 31, 2004.
_________________
George Lekatis
President of the Sarbanes Oxley Compliance Professionals Association (SOXCPA)
It almost sounds as if Magna is trying to shift the blame to their service providers. I wonder if Magna made any efforts to visit their service providers in an effort to document the controls themselves. If they tried and were refused access, then they are stuck with the deficiency. It will be interesting to see if other entertainment companies using these providers report similar deficiencies.
Kymike, you made a point. You described in a better way what I was trying to say.
You can blame your service providers only when they promise you a SAS 70 and they do not give it to you.
Magna said "were unable to provide the required SAS 70 reports".
They do not say if they made any efforts to visit their service providers to document the controls themselves.
_________________
George Lekatis
President of the Sarbanes Oxley Compliance Professionals Association (SOXCPA)