SAS 70 Client Control considerations 2590



  • We have recevied a SAS 70 type 2 report that includes a Client Control Considerations section. This section includes things which the user rather than the service organization would be responsible for such as ‘Client management is responsible for determining that only authorized and properly trained client personnel are granted logical access to XX input/output system’. Our auditor is all excited about this and would like a letter addressing these considerations. From my perspective, they are cover your ass considerations. They are obviously controls we as the user organization would be responsible for. Is this a ‘new’ concern for auditors? How are people handling this request for documentation?



  • When we receive our SAS 70 II reports we prepare a matrix mapping the Client Controls noted in the report to our SOx controls matrix.
    This is pretty simple, takes little time and is a process we would want to do anyway to make sure we have covered all the risks related to the process.
    I don’t know how to post a spreadsheet here, but if you send me an IM I will forward an example matrix to you which also includes our matrix evaluating which Financial Reporting Objectives are covered by the various controls reported on in the SAS 70 report.



  • Mapping of user control considerations is one that seems to vary by auditor, even within a firm. The prior Sr Manager leading our audit was not too concerned about this. The current Sr manager is and we will need to do this mapping for our 2009 controls review. Hopefully once we have done the initial mapping ongoing updating will not be very time-consuming.



  • BAKOSOX,
    Thanks for the offer. We have spoken to the auditors and they will be satisfied with a memo to the file indicating we have reviewed the SAS 70 and we feel we have adequate controls over the areas listed as client controls.
    More documentation is the SOX mantra.



  • On a related note, our auditor told us that we will need to include any deficiencies from the SAS70 report onto our own year-end deficiency summary. If our internal controls mitigate it, then we note as such. It makes sense, and seems to be one of the things that the auditors/companies started to realize as a gap in previous years.



  • Hi…I am new to the forum, but I thought I would put in my two cents worth. What has worked on SOX audit projects I have been on in the past, with respect to SAS70 documentation, is an evaluation form for each required and reviewed SAS70. It is in the form of a questionnaire and, by virtue of some of the questions asked, it is apparent whether or not the reviewer has actually read the SAS70 document provided by the service provider. Included in the evaluation is an enumeration of the Client Control Considerations.


Log in to reply