SAS 70 not available. What to do?

  • Hi guys,
    Our third-party provider is unable to provide us with a SAS 70 audit report. What are the avenues open in such a scenario?
    a) Can the third-party provider refuse to give a SAS 70 report?
    b) Is the third-party provider open to specific requests from our auditors for documentation?
    c) What are the documentation/certified reports that can be obtained by my company to achieve a reasonable comfort level? Is it sufficient that the third-party provider accepts the documentation of the processes performed by them, which has been prepared by my company?
    d) Can preventive controls performed by the third-party provider be a preventive control in my company's control matrix?
    Any answers? 😮

  • There is no requirement for a third-party provider to have a SAS 70 report prepared. Generally, this is a US-only concept. None of our non-US service providers have SAS 70 work completed.
    What type of work does your third-party provider perform? You will need to review your contract with your provider to see whether or not you have the right to go in and audit or review their processes and controls. If not, ask, as they may still let you come in for a review.
    I would look hard at controls that you have on your end to determine whether or not you really need to do any work to document processes and controls at the provider. You may have adequate controls that would override any controls performed by the provider.
    To the extent that you need to rely on controls performed by the provider, you can rely on them if they have been documented and tested. If you do the documentation and testwork early in the year, you may want to consider obtaining a representation letter from them at the end of the year stating that all of the identified controls are still in place and effective.
