Currency of SAS 70 Attestation of Outsourcer



  • I have been told by our auditors performing our SOX audit that for any company that we outsource IT services to, the outsourcer's SAS 70 compliance must be no older than 90 days. I can't find this specific requirement anywhere. Is this a specific requirement? Or is it an interpretation?





  • The relevant standard is here:
    pcaobus.org/Rules_of_the_Board/Documents/Rules_of_the_Board/Auditing_Standard_2.pdf
    Look at Appendix B para B18 onwards - Use of Service Organisations
    Basically it says that ‘When a significant period of time has elapsed between the time period covered by the tests of controls in the service auditors report and the date of management’s assessment, additional procedures should be performed.’
    It doesn’t define a significant period of time and it doesn’t define additional procedures.



  • We are looking to obtain SAS 70 reports from several suppliers. Since the appropriate term of currency is not specifically stated, has anyone else had problems with SAS 70 currency with their auditors? Has anyone had problems in getting a more up-to-date SAS 70 from their suppliers?
    Thanks



  • Unfortunately, a SAS 70 cannot be produced on short notice. We have not been successful in obtaining updated reports. Our auditors are allowing us to consider anything less than 6 months old to be ‘current’. We are requesting that SAS 70 providers provide us a representation that controls as documented in the SAS 70 have not changed significantly from the date of the report through our year end.



  • Outsourcing agreements - here we have a problem. Be careful: they must describe the responsibilities of each party related to operations and maintenance.
    The use of service organizations does not reduce management’s responsibility to maintain effective internal control over financial reporting. The outsourcer must provide a SAS 70 report OR your company must perform an independent testing.
    I dislike these SAS 70 reports, because:

    1. They are considered auditor-to-auditor communication and not assurance for management, IF there is not a proper outsourcing agreement in place.
      Ask the lawyers.
    2. The scope of SAS 70 may not cover SOX requirements. It has happened many times.
    3. You must address the issue of changes in the service organization’s controls.
