SAS 70 Article 1862

  • Thought this article might be of some significance for the members…enjoy.
    Please paste this in your internet browser and add www. in front as links are not to be used on the forum.

  • Thanks Jason for sharing this 🙂 I found the following excerpts from the article interesting:
    To be sure, it’s clear that SAS 70 calls for a comprehensive report detailing the design, assessment, and effectiveness of a vendor’s internal controls and how they affect financial reporting for clients of the outsourcing services vendor.
    But there are widespread misperceptions about the standard’s purpose, particularly about what an audit covers in terms of technology activities, some say. ‘A SAS 70 is intended to be a service-auditor-to-client auditor communication tool. But some,’ says Everett Johnson, president of the Information Systems Audit and Control Association
    The article reflects that while SAS 70 provides great infrastructure controls, it most likely won’t be granular enough to provide the privacy and data security protections needed. While various standards overlap sometimes, each individual one must be individually assessed for proper regulatory compliance. Thus, in that context SAS 70 can never be a substitute for SOX 404 or vice versa.

  • In the EU, there can often be a lack of service providers with SAS 70 reports (often they will agree to certification, only if the customer will pay for the audit).
    As a result we do not place great reliance on them. Our US subsidiaries have been able to obtain them, but we still feel more comfortable implementing additional checks on their transactions in-house.

  • My company definitely relies on SAS 70s as a part of our 404 process. This has been approved by our externals, but the article definitely brings up some concerns.
    The problem is, as a part of our contracts with these service organizations, we agree not to send in auditors because they produce SAS 70s. If we can’t rely on the SAS 70, then how do we verify that they have sufficient controls in place???

  • Not sure what you mean Jason?
    The SAS 70 audits are always performed by the provider’s own auditors.
    I wouldn’t have thought that it would be permitted for a client to bring in their auditors - is there an exception to this?

  • My question is, if we can’t rely on the SAS 70 reports we are given, then how can we say for 404 purposes that there are sufficient controls surrounding the process that is done by the service organization? We test our own controls in-house, but we can’t test the service organization’s.
    Does that clarify at all?

  • Hi Jason - We also have to meet SAS 70 and SOX 404 compliance requirements (and I think ISO 9000 as well). There’s quite a bit of common overlap between these 2 sets of standards encouraging best practices in security, great physical security, IT financial controls, etc. Thus, your company is probably okay, given existing approvals by your auditors, etc.
    The key point I took from the article is that even with the overlapping standards, you can’t rely on SAS 70 meeting SOX 404 compliance needs completely (and vice versa). Additionally, companies that take Information Security seriously shouldn’t have too much difficulty with SOX 404. Most likely you’re satisfying both sufficiently where there are unique items that aren’t in common with both.

  • Thanks for all your input.
