Reliance on a SAS70 report



  • Hello all,
    For our SOX project, I have been tasked with writing a memo to state that we can rely on the ADP SAS70 report for the IT services they provide.
    In my memo I state that the report is done by a reputable firm, and in the correct time frame, and it covers the ADP services we are using.
    My questions:

    1. My thought, then, is that in my detailed control objective documentation I would just refer to the Control Objective listed in the SAS70 report, note that the control is working, and refer to the memo and SAS70 report for further information.
    2. Or do I create a really detailed reliance memo that lists all the SAS70 control objectives I am relying on?
    Any thoughts or advice will be appreciated.


  • The following example might be helpful. You will need to edit it to suit your company and a review of the SAS-70 Type II Report.
    Company X SAS 70 Review (Insert Year)
    SAS 70 Review Report on Assessment of Controls
    Background
    COMPANY X uses Company Y to …
    The company is responsible for providing Company Y with complete and accurate information regarding … The company is also responsible for providing complete and accurate information regarding … Company X relies in part on Company Y to completely and accurately process payroll activity based on … The company also relies on Company Y to accurately report the activity. In both cases, the company also maintains adequate input and output controls to reconcile transaction activity and reports.
    The company obtained and reviewed Company Y’s SAS 70 Type II report to:
    (1) Determine if there was an unqualified opinion and whether the controls that exist at Company Y and are relied on in part by the company were addressed and tested without exception by Company Y’s external auditors. (See Company Y SAS 70 Review Matrix)
    (2) Review the suggested Client Control Considerations provided in the report (pages #-#) as part of the company’s annual control to self-assess against those suggestions. The X Company Job Title self-assessment is evidenced by the checks notated against each item.
    Upon review of the SAS 70, the company noted in the Independent Service Auditor’s opinion … The opinion stated that controls at Company Y were … achieve the following control objectives with respect to System Z.
    Company X concludes that these deficiencies do not pose significant risk to the company’s ability to completely and accurately record …, as sufficient mitigating controls were tested as operating effectively at both Company X and … . Specifically at Company Y, other controls were deemed as sufficient and effective to meet the following two control objectives, which are the primary points of reliance …
    SAS 70 Review
    In addition to completing the Company Y SAS 70 Review Matrix, COMPANY Z reviewed the reports to confirm all major areas of General IT controls were addressed:

    Conclusion
    Based on our review of Company Y’s SAS 70 Type II report, the controls upon which we rely in part were appropriately addressed without exception to which we believe sufficient mitigating controls exist at both Company X.



  • Thanks for the response.
    So that will definitely help me with the memo.
    Now in my detailed control objectives templates, will I refer each of our control objectives to the control objectives listed in the SAS70 report?
    Thanks again



  • It might be helpful to the external auditor and improve the quality of your process documentation to map the control objectives in your Section 404 work to the control objectives that you relied upon in the SAS-70 to assess the impact over the internal controls over financial reporting.
    Since the SAS-70 might also address areas that are above and beyond areas considered within scope for SOX, you will not need to address all of the control objectives that were evaluated in the SAS-70 Report.
    Hope this helps,
    Milan



  • Agree with you on the mapping.
    We mapped the client side controls to our internal controls. This is a good exercise to ensure adequate coverage. Then we referenced where this control was tested. We did identify some gaps that had to be addressed. We evaluated whether it was a key control or not, and also whether there was a mitigating control.



  • Nice. Thanks for sharing.
    It’s great to hear about others’ experiences and to confirm that we are on the right track.
    Cheers,
    Milan
    btw…dig your user name. 🙂



  • In the majority of cases, deficiencies identified in SAS 70 reports are at MAX significant deficiencies, not reportable in the 10-K. Our auditors were concerned with deficiencies in SAS 70 reports which were without the service company’s management remediation plan. As long as service companies have a management remediation plan for deficiencies, they were okay. We mapped our SAS 70 reference at the relevant controls in the RACM.
    The review of SAS 70 reports has been considered an Entity Level Control by Ernst and Young, our Auditors.



  • It might be helpful to the external auditor and improve the quality of your process documentation to map the control objectives in your Section 404 work to the control objectives that you relied upon in the SAS-70 to assess the impact over the internal controls over financial reporting.
    Thanks, this paragraph was most helpful.



  • You’re quite welcome, and thanks for being specific… I strive to consistently provide specific feedback with actionable recommendations in all responses… but I gotta admit, on occasion, I am tempted to join a pointless debate about nothing, or to add to the thread a meaningless confirmation of my agreement to an earlier posting. This was not intended to be one of them. 🙂 --Milan

