SAS70 timing issues
Would someone be so kind as to tell me what other companies do in situations when the timing of their year-end reporting is not in sync with the timing of SAS70 report?
E.g. we have a Dec. 31, 2006 year end. We need to certify on effectiveness of our internal controls no later than Feb. 28, 2006. Our external service provider tells us that they will provide their SAS70 for Jan. 1 - Dec. 31, 2006 in April 2007. What do we do in this case?
I tried to find an answer on some SOX-related websites and forums, but they all simply state that ‘timing might be a problem’ and do not go beyond that to explain how to address this problem.
Any ideas how to approach this? Also, if CEO/CFO have to certify quarterly that ‘there were no significant changes in internal control’ and our service provider gives us their SAS70 only once a year - how is this supposed to work?
Thank you in advance for your help.
I would inquire whether or not a SAS 70 exists from the prior year end. If it does, you can place some reliance on that. If it doesn’t, then you may be required to perform some controls testing at the service center site.
As far as timing goes, you may want to request a representation letter from the service provider giving you assurance that there have been no significant changes in their internal controls covered under the SAS 70 since the prior SAS 70 was completed.
Several of our service providers have gone to having SAS 70 reports completed every six months.
Thanks for your help, I really appreciate it.
Another quick question: If my service provider tells me that they would only issue a six-month report each year (covering the period Apr. 1 - Sep. 30), is that acceptable? I.e. they will have a SAS70 Type II done for Apr. 1 - Sep. 30, but nothing for Oct. 1 - Mar. 31. I thought that the SAS70 certification process has to be continuous… If it is really so, is there an official document that I can point my service provider to? (i.e. something that clearly states that SAS70 reporting must be a continuous process)
Hopefully they are planning on doing them every six months starting with the April-September period. I would be real surprised if they were not doing that. You may want to ask just for clarification.
That’s what I did - asked them for clarification. They confirmed that they were ‘committed to doing one six month audit each year’ and that they might review this decision in the future ‘if it proves necessary for the clients’.
Well, that means that you need to get comfortable with their controls for the other six months of the year.
I think that instead of testing during the other six months, I would ask for a representation letter from them covering the period from September 30 through the end of the year (assuming that you are a calendar year filer) that there have been no changes in their controls tested as part of the SAS 70. This covers you through December (you wouldn’t have the Oct-Mar report until after you filed your 2005 financials anyway) and then wait again for the next report to provide coverage from Apr-Sep and start the cycle over again.
The alternative would be to do some of your own testing at their office, but I think that you could probably do without this.
I just hope that they will change their plans, under pressure from other clients. If I were the service provider, it wouldn’t make much sense for me to have an annual six-month SAS 70 for Apr-Sep and then let my clients figure out how to obtain comfort over my controls for Oct-Mar.