Compliance requirements for e-commerce, private companies

  • Thanks Rick, I actually have a question to pose about the SAS 70. Who is required to perform one, or is this an option for a service company?

  • Take this with a grain of salt, as I’m no expert… but that’s never stopped me before. 8O Hopefully I’m getting at the answer you’re seeking.
    It is my understanding that SAS 70 applies when an auditor works on the financial statements of an organization that employs the services of another organization as part of its day-to-day operations, like an outsourced data center or call center. I’m not clear whether the service provider’s status (public or private) comes into play. I do know that it’s not a standardized set of requirements. It seems to be a little more objective than that.
    Hope that helps,

  • Hi Folks,
    I think that the discussion touched upon various topics. To clarify a few issues raised in the discussion:

    1. Sarbanes-Oxley is applicable only to PUBLICLY TRADED companies with a market cap of USD 75M and above. So, as in the first question, if you are a small SW development shop supporting small clients who are also privately held, then you do not have to worry, and neither do your clients need to worry about your company’s development work, WRT SOX.
    2. SAS 70 does not apply to you. As Rick pointed out, WRT Sarbanes:
      If your organization is a publicly traded company that has a market cap of USD 75M and above, and if you use vendors’ services in areas where those services are directly or indirectly contributing to your financial reporting, then your auditors want to ensure that the vendors do have good internal controls in place. Obviously neither your company NOR the external auditors would go and audit your vendors. Rather, you would request proof of an audit report, which is the SAS 70.
      For example, XYZ company (say, a health insurance company) is USD 500M in revenues and is publicly traded on the NYSE. Let us assume that the claims processing for this company is outsourced to a vendor based out of Singapore. Then XYZ, in addition to getting compliant with Sarbanes, has to request and obtain a SAS 70 Type 2 from the Singapore vendor (or wherever they are) to satisfy XYZ’s internal control assessment and Sarbanes compliance.
      As usual, if any of you have questions, please feel free to get in touch with me.
      Madhav Vedula CISA*
      Sr. Internal Audit Consultant

  • I see a similar situation with a non-US hosting company that does not have or need a SAS 70. The justification/resolution for not obtaining a SAS 70 from them has been the following:

    • the relationship with the hosting co. is pretty old, and hence extensive SLAs and SOPs have been documented with them
    • we participate on a daily basis in some aspects of the operations and have reporting activities on a daily basis
    • we’ve identified the specific areas in the relationship that may still carry relevant risks and addressed those separately by requesting their controls documents surrounding those particular areas.
      Not as clean as a SAS 70, but it seems to be acceptable to the auditor.
