SAS 70

  • Hi there.
    I work for a private company in their IA dept. and we are currently in the process of reviewing all of our outside service organization SAS 70s in relation to our SOX testing. Our cash manager posed an interesting question and I had no idea what the answer was. He wanted to know if we needed to obtain SAS 70s for our banks. I worked for a public accounting firm for 4 years and I can’t remember one time when we ever requested a SAS 70 from a bank. I’m assuming banks have SAS 70 reviews performed, but I couldn’t find any guidance or information on this topic. Any thoughts on this? Has anyone requested / reviewed bank SAS 70s?
    Any input would be greatly appreciated…

  • Banks generally do not have SAS 70 reviews performed (per a bank service center employee). They are subject to pretty tight regulatory oversight on their internal controls which, I believe, is the reason for not paying to have SAS 70 reviews.

  • Hi - This link from ‘wiki’ might also be helpful:
    paste to browser - no www needed
    As kymike shares, SAS 70 is most applicable to service provider organizations, as noted in the 1st paragraph of the above link:
    Statement on Auditing Standards No. 70: Service Organizations
    SAS 70 defines the professional standards used by a service auditor to assess the internal controls of a service organization and issue a service auditor’s report. Service organizations are typically entities that provide outsourcing services that impact the control environment of their customers. Examples of service organizations are insurance and medical claims processors, trust companies, hosted data centers, application service providers (ASPs), managed security providers, credit processing organizations and clearinghouses.

  • It seems to me that there’s a more fundamental reason why banks don’t provide a SAS 70 report to their depositor clients (assuming that’s the case in the original question). And that’s simply because a bank’s deposit liabilities are covered within the audited financial statements; and within the bank CEO and CFO certification about adequacy of ICFR.
    In comparison, the financial statements for service organizations often have little to do (no direct association) with what the customer is interested in getting assurance about. For example, the financial statements for a payroll service bureau don’t include much of anything regarding the processing of payroll for clients. Hence the need for a SAS 70 or equivalent.
    On a loosely related note, it very much surprised me when I became aware that financial statements for investment dealers in Canada don’t require inclusion of securities held in trust for clients on the body of their balance sheets (as a restricted asset with offsetting liability). If that was done, readers would see how little equity there really is that backstops the potential obligations of an investment dealer.

  • I have seen some banks provide SAS70 for specific banking software used.
    For example, if your company uses a bank’s software to transmit payments and then you use their transaction information to post to your general ledger then a SAS70 is useful to understand the types of controls and ‘user considerations’ that exist for that banking software.
