SOX requirements for applications which are outsourced



  • Hi all,
    We have outsourced our complete Treasury System. This means the complete server and application hosting will be done by an external company.
    Thus, since we are currently doing ‘our’ Sarbanes work, I am wondering if we have to care about the controls which will be done by the external company or if we can limit our focus to the controls regarding the SLAs.
    The external company cannot provide any SAS70 Type II or similar report.
    So, how much documentation is required and how would you proceed with your internal testing etc.?
    Any advice would be highly appreciated.
    Best Regards,
    SOXi



  • The external company cannot provide any SAS70 Type II or similar report.
    So, how much documentation is required and how would you proceed with your internal testing etc.?
    Document it as if it were one of your own processes.



  • If the external company cannot provide any SAS70 Type II or similar report, you might work with Agreed-Upon Procedures and have your company (internal audit department) or an external auditor test the effective operation of the key controls?
    You need at least the procedures and key controls described, in my opinion.



  • I believe that the servicing org has to provide you the SAS70. Does the org fall under the purview of SOX? If yes, it has to come up with an IT audit report and SAS70. If not, it still has to provide an audit report certified by a public accountant stating that internal controls exist and are effective pertaining to the activities for which they are liable to your org.



  • There is no legal requirement for a service organization to provide a SAS 70 or similar type of report. It is the registrant’s responsibility to ensure that all significant controls over financial reporting are effective. Absent a SAS 70, this means that you either identify controls on your end that get you comfortable with the financial reporting risks or you visit the service provider and test their controls that are important to you.



  • I have a client with an interesting situation. They outsource all of their IT support to CenterBeam, which does have a SAS 70 II. However, there is very little documentation or controls between the client and CenterBeam SOX-wise, only a contract copy. The internal contact person is a secretary who coordinates support issues with CB.
    The client does not feel they have to document much in the way of SOX because of the SAS 70. Their auditor is KPMG and this is their 2nd year of annual certification (they passed with no comments from the auditor last year). They have no narrative, flowcharts or CMs for IT other than 4 pages of description of the contract situation. Note: they have 3 operating locations, two of which are in Europe.
    Should they expect to get slammed this year in the KPMG testing for lack of adequate documentation and controls between the client and CenterBeam?



  • You did not provide enough information to allow anyone to give a definitive answer, but I will provide the following comments -
    IF the client has identified the IT controls that should be in place if the client had the IT work performed in-house; and IF those controls are addressed in the SAS 70 report with no exceptions; THEN there probably will be no significant issues that KPMG could raise.
    Occasionally there is confusion as to who ‘owns’ a control - Finance or IT. An example that we have come across relates to application security. While IT makes changes based on user directives, the users generally are the ones who should be regularly reviewing reports generated by IT to ensure that everyone with access should have access and that the access is at the appropriate security level. All too often, staff transition roles from one department to another and their system access related to their old role is not removed.
    Hopefully, others will chime in here with their POV as well.



  • For any outsourced app you should have strong controls to tie the information sent out to the information that is received back or other related information. For example, payroll is a commonly outsourced app. You need to make sure that what you tell the payroll company to pay out actually ties in to the money you pass over to make the payments. I would look for some form of payment report coming back from the payroll company stating what they have paid too, and make sure this agrees with your instructions. I am sure you can all think of other relevant control checks.
    If the supplier cannot or will not give you a SAS70, then you should ask them to co-operate with you in identifying and testing relevant controls they operate.
    If you deal with a supplier that does not provide a SAS70 and does not co-operate with providing access to review their controls, then you should ask if it is a company you want to continue dealing with.
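Two of the replies above describe controls a registrant can run on its own side regardless of what the service organization provides: the periodic user access review (comparing HR roles against actual system access, so that access from an old role is caught) and the tie-out of instructions sent to an outsourced payroll provider against the payment report it returns. The script below is an added example, not code from this thread or from any product named in it; the record layouts, field names and all sample data are constructed for illustration.

```python
"""Added example: two client-side reconciliation controls for an outsourced app.
Data and field names are constructed assumptions, not from any real system."""
from decimal import Decimal

# ---- Control 1: payroll tie-out (instructions sent vs. payment report returned)

INSTRUCTIONS = {  # constructed sample: employee id -> amount we told the provider to pay
    "E100": Decimal("2500.00"),
    "E101": Decimal("3100.50"),
    "E102": Decimal("1800.00"),
}
PAYMENT_REPORT = {  # constructed sample: what the provider reports it actually paid
    "E100": Decimal("2500.00"),
    "E101": Decimal("3010.50"),   # digits transposed at the provider
    "E103": Decimal("900.00"),    # paid, but we never instructed it
}


def tie_out(instructed, paid):
    """Compare both population and amounts in each direction.
    Returns {employee_id: reason}; an empty dict means the two sides agree."""
    exceptions = {}
    for emp, amt in instructed.items():
        if emp not in paid:
            exceptions[emp] = f"instructed {amt} but missing from payment report"
        elif paid[emp] != amt:
            exceptions[emp] = f"instructed {amt}, provider reports {paid[emp]}"
    for emp, amt in paid.items():
        if emp not in instructed:
            exceptions[emp] = f"provider paid {amt} with no instruction from us"
    return exceptions


def totals_agree(instructed, paid):
    """Control-total check: cheap, but by itself it would hide offsetting errors,
    which is why tie_out() compares line by line as well."""
    return sum(instructed.values()) == sum(paid.values())


# ---- Control 2: user access review (HR roster vs. application access export)

HR_ROSTER = {  # constructed sample: employee id -> (current department, HR status)
    "E100": ("treasury", "active"),
    "E101": ("accounts-payable", "active"),
    "E102": ("treasury", "terminated"),
}
ROLE_FOR_DEPT = {"treasury": "TREASURY_USER", "accounts-payable": "AP_USER"}
SYSTEM_ACCESS = {  # constructed sample export of roles held in the hosted application
    "E100": {"TREASURY_USER"},
    "E101": {"TREASURY_USER", "AP_USER"},  # transferred departments, old role never removed
    "E102": {"TREASURY_USER"},             # leaver whose access was never revoked
    "svc_batch": {"TREASURY_ADMIN"},       # account that does not map to anyone in HR
}


def access_review(roster, access, role_map):
    """Flag accounts that should not have the access they hold.
    Returns {account: finding}; the business owner, not IT, signs off on each one."""
    findings = {}
    for account, roles in access.items():
        if account not in roster:
            findings[account] = "account not on HR roster; needs a named owner"
            continue
        dept, status = roster[account]
        if status != "active":
            findings[account] = "not active in HR but still has system access"
            continue
        extra = roles - {role_map[dept]}
        if extra:
            findings[account] = f"roles beyond current department: {sorted(extra)}"
    return findings


if __name__ == "__main__":
    for emp, why in tie_out(INSTRUCTIONS, PAYMENT_REPORT).items():
        print(f"payroll exception {emp}: {why}")
    print("control totals agree:", totals_agree(INSTRUCTIONS, PAYMENT_REPORT))
    for acct, why in access_review(HR_ROSTER, SYSTEM_ACCESS, ROLE_FOR_DEPT).items():
        print(f"access finding {acct}: {why}")
```

Both checks produce an exception list rather than a pass/fail flag, because the evidence a SOX tester wants is the list itself plus who reviewed it and how each item was resolved; running the tie-out every pay cycle and the access review on a fixed schedule, with the output retained, is what makes these client-side controls testable even when the provider offers no SAS 70.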

