Stumped and confused by what may have/not have to do...



  • To all SOXers out there - Cassandra, Mvdeula, Holger - help…
    I volunteered to help a friend of mine figure out the SAS 70 Type 1 requirements (no, I had no idea what I was getting into, LOL):
    Here’s the scenario:
    –a small company with a web-based product that is being used by companies that must be SOX compliant (banks, etc.)
    –The data is stored on servers that belong to the ISP (another huge company that must have SOX compliance)
    When a client company wants to know whether this vendor is SAS 70 certified, the answer has been ‘no’.
    When potential clients ask the same question, it appears to be much better to have the answer be ‘yes’.
    But what would be the documents needed in this case to at least get a Type 1 certification? Obviously, doing a Type 2 is not only cost-prohibitive, it would be suicidal for a 3-person company, where there is 1 developer, 1 part-time graphics person, and 1 part-time marketing person.
    Also, the product is constantly changing with user-requested enhancements; it would be impossible to have ‘proper’ testing over a 6-month period.
    What’s a reasonable expectation from my friend, the vendor, in this case? What kind of documents would he have to be able to provide to his clients to make this headache go away?
    What about the ISP storing the files - if they are SOX compliant, does that let my friend off the hook in any way?
    I appreciate anyone’s/everyone’s input. I’ve spent a couple of days looking up this stuff on the web, and my head is spinning.





  • SAS 70 reviews of either type are expensive, as you’ll probably need to get a Big 4 auditor to do it.
    However, based on the brief information you provided, this would appear to be a waste of time and money, as you probably wouldn’t ‘pass’ the SAS 70 audit.
    An alternative approach would be to come up with a marketing pitch that sells you as being well-controlled and plays up your lack of size as a reason for SAS 70 being prohibitive.



  • First, a SAS 70 Type 1 won’t help for SOX purposes. That’s because it doesn’t say anything about the effectiveness of the tested controls.
    I agree that getting a SAS 70 is quite an expensive thing for a small company. Especially realizing that it may need several from different auditors. PCAOB is likely not to accept a SAS 70 if the external audit firm on the requiring and the providing side is the same (there is still an independence issue).
    So it could be a solution to have very specific service level agreements with your customers so that they could control the quality of your services on their side. This could be considered a key control on your customers’ side.
    A second possible solution to that could be to allow them to perform their own audits on your side with respect to their own data. That could be performed by the internal audit function of your customers.



  • So it could be a solution to have very specific service level agreements with your customers so that they could control the quality of your services on their side. This could be considered a key control on your customers’ side.
    A second possible solution to that could be to allow them to perform their own audits on your side with respect to their own data. That could be performed by the internal audit function of your customers.
    Not sure this would work in the circumstances described. It sounds like the company would have issues with Programme Change Control and Segregation of Duties - and probably a few other areas as well. They really want to avoid any sort of audit-type situation.



  • @Denis: If that’s the case, I agree with you.
    They need to have effective general IT controls in place (and of course documented) to pass whatever structured audit.

