Compliance requirements for e-commerce, private companies



  • This is not a SOX issue, but I can help a little. There are significant federal and state regulations concerning records retention, which vary from state to state. Storing a customer's credit card number in full is typically a violation of their merchant contract with that particular CC company (i.e. Visa, MC, Discover, Amex), not SOX. http://www.mastercardmerchant.com/images/industry_letter.pdf. SOX does not impact privately held companies, yet. Hope this has been of some help.



  • Thanks for clearing that up. Are there other forbidden items for storage, such as billing address, 3-digit verification numbers, etc.?



  • It depends on each individual's merchant contract, but typically you would not want to keep the full CC number together with the expiration date or the 3-digit verification number, to assist in the prevention of CC fraud.



  • Hi Cassandra,
    In this instance I would disagree with you. If the software company stores/processes/transacts any financial information FOR OR ON BEHALF of a listed company, then the private company may be subject to one of the following:

    1. Being audited by their clients
    2. Needing to go and get a SAS 70 for their operations.
      I am currently at a client that has the same problem of outsourcing some of their IT functions to privately owned companies. Since those companies do not have a SAS 70, I am auditing their operations as well.
      I'd be interested in hearing your thoughts.
      Tristan.


  • Tristan,
    I was only going on the basis of a privately held company, but a SAS 70 only applies to companies that are publicly traded too. Most privately held companies do not even have the equivalent of the SAS 70, since they are not required to. You can ask them for some documentation as to their controls over procedures, and always pull your business if you don't like their policies, but still, privately held companies are not governed by SOX, which can be frustrating when you are trying to document controls. In the instances I have dealt with, predominantly records retention sites such as Iron Mountain or Safe Site, I have personally documented their procedures as well as requested a letter from their management attesting to the controls in place.



  • Coincidentally, I just stumbled upon this today. This article from CFO is a little dated, but it seemed relevant to the discussion. It might provide some insight that helps clarify some of the SAS 70 implications.

    Hope that helps,
    Rick



  • Thanks Rick. I actually have a question to pose about the SAS 70: who is required to perform one, or is this optional for a service company?



  • Take this with a grain of salt, as I'm no expert... but that's never stopped me before. 8O Hopefully I'm getting at the answer you're seeking.
    It is my understanding that SAS 70 applies when an auditor works on the financial statements of an organization that employs the services of another organization as part of its day-to-day operations, like an outsourced data center or call center. I'm not clear that the service provider's status (public or private) comes into play. I do know that it's not a standardized set of requirements. It seems to be a little more objective than that.
    Hope that helps,
    Rick



  • Hi Folks,
    I think that the discussion touched upon various topics. To clarify a few issues raised in the discussion:

    1. Sarbanes-Oxley is applicable only to PUBLICLY TRADED companies with a USD75M and above market cap. So, as in the first question, if you are a small SW development shop supporting small clients who are also privately held, then you do not have to worry, and neither do your clients need to worry about your company's development work, with respect to SOX.
    2. SAS 70 does not apply to you. As Rick pointed out, with respect to Sarbanes-Oxley:
      If your organization is a publicly traded company that has a market cap of USD75M or above, and you use vendors' services in areas where those services are directly/indirectly contributing to your financial reporting, then your auditors want to ensure that the vendors do have good internal controls in place. Obviously neither your company NOR the external auditors would go and audit your vendors. Rather, you would request proof of an audit report, which is the SAS 70.
      For example, XYZ company (say a health insurance company) is USD500M in revenues and is publicly traded on the NYSE. Let us assume that the claims processing for this company is outsourced to a vendor based out of Singapore. Then XYZ, in addition to becoming compliant with Sarbanes-Oxley, has to request and obtain a SAS 70 Type 2 from the Singapore vendor (or wherever they are) to satisfy XYZ's internal control assessment and Sarbanes-Oxley compliance.
      As usual, if any of you have questions, please feel free to get in touch with me.
      Madhav Vedula CISA*
      Sr. Internal Audit Consultant
      mvedula_at_go.com


  • I see a similar situation with a non-US hosting company that does not have or need a SAS 70. The justification/resolution for not obtaining a SAS 70 from them has been the following:

    • the relationship with the hosting company is pretty old, and hence extensive SLAs and SOPs have been documented with them
    • we participate on a daily basis in some aspects of the operations and have reporting activities on a daily basis
    • we've identified the specific areas in the relationship that may still carry relevant risks and addressed those separately by requesting their controls documents surrounding those particular areas.
      Not as clean as a SAS 70, but it seems to be acceptable to the auditor.
      Hadi
