Outsourced Services and the tie in to SOX 291



  • Have any of you kind folk done much work with outsourced or <shudder> offshore service providers?
    Are you relying on SAS 70’s (or up here in da Great White Nort, aka Canada, section 5900’s) or are you taking it further?



  • You really have three main options:

    1. SAS 70
    2. Consider controls over inputs and outputs to outsourced provider
    3. Review controls within the provider

    Which you choose really depends on the extent of outsourcing, the specifics of business processes, how easy each of the options is, and how well written your contract and SLA are.
    In my current project we are mostly doing a combination of 2 and 3.


  • We are in Canada too. We are mainly relying on SAS70’s (or Canadian version for Canadian suppliers). We have tried to work with one supplier to look at their controls, only to find out that basically they didn’t have any - and consequently putting in more controls internally to compensate. One service provider refused to let us see their SAS70 and we still haven’t quite resolved that one.

