The relationship between SAS70 and Sarbanes-Oxley 1955



  • Hello all… I’m new to the board and spend the past 30 minutes reading some posts and enjoying your insights.
    My question:
    Our company was recently SAS70 Type 2 certified. It was our first audit, and a real educational experience.
    We’ve been told by a client that a SAS70 Type 2 certified company compliments those that COMPLY with their own Sarbanes-Oxley compliance.
    I believe that I understand the thought there… but can anyone elaborate on the relationship between SAS70 and Sarbanes-Oxley, as it applies to the statement our client said?
    Many thanks.



  • Welcome to the board.
    Basically, SOX requires companies to test and report on the effectiveness of their internal controls over financial reporting (ICOFR).
    Guidance that has been issued states that when a company outsources processes that impact or feed financial reporting, the company is still responsible for the controls over those processes - even though the company does not execute the processes. A type II SAS 70 report provides the company with assurance that the controls being executed by the service provider on behalf of the company are effective. This allows the company to rely on the SAS 70 report versus having to perform its own test of internal controls. It also precludes having multiple clients of a service provider come in to test the service provider’s controls.



  • Hi and welcome 🙂
    Yes, there are indeed overlaps between these two key IT compliancy standards. Although both standards have slightly differing major themes and compliancy goals. SAS 70 is more on certification of data center physical and network security controls, where as SOX 404 focuses on the IT risks and controls pertinent to automated financial systems.
    In our company, we have to adhere to both and we treat each one individually from the standpoint of fully knowing all requirements and where there is commonality we can use a single control or standard approach. The key is map out both requirements fully and look for both the intersections plus any unique things you need to adhere to both.
    These past threads might also help, along with using the search button above and entering either SAS70 or SAS 70 as keywords. Good luck 🙂
    SAS 70 and SOX compliancy
    http://www.sarbanes-oxley-forum.com/modules.php?name=Forums-and-file=viewtopic-and-t=1504
    http://www.sarbanes-oxley-forum.com/modules.php?name=Forums-and-file=viewtopic-and-t=1862
    SOX as it relates to other standards
    http://www.sarbanes-oxley-forum.com/modules.php?name=Forums-and-file=viewtopic-and-t=1584



  • Thanks harrywaldron.
    I did some searching earlier, but your specific threads did have some GREAT information. So I’m really glad you pointed them out.


Log in to reply