Legal implications for not complying with SAS70



  • Hi
    Is there any legal implication if the company is not complying and not audited against SAS70?
    Vikas Garg
    BS7799 Lead Auditor



  • Hi Vikas,
    Well, if company A is getting some services done by some other service-providing company B (outsourcing), company A has to include the SAS70 report in the final IT audit report. As SAS70 is nothing but a certification that some of the processes (critical) taken care of by some other organization has assured itself that their IT department has complied with the SOX 404 requirements. If this report is missing, it is as good as non-disclosure of material information and, depending on the criticality of the processes, may amount to a material weakness. And the implications are ‘non-compliance with SOX’.

