European SAS 70 equivalent

  • I am trying to determine if there is an equivalent to the SAS 70 in Europe and Asia Pacific.
    If not, how do you get comfortable with internal controls for service organizations?

  • The International Auditing and Assurance Standards Board (IAASB, their website ends with dot org), whose standards are used in Europe and for the audit of international companies in Asia, has issued a similar standard, which also has a type I (design and operation) and type II (design and operating effectiveness) if I remember correctly.
    In Europe, there is less Sarbanes-Oxley phobia, so companies do not ask for SAS 70 reports that often and suppliers are not willing to pay the cost of the audit and to provide them.

  • SAS 70 Type I and II are both used in Europe; however, I believe some of the companies affected prefer to explore alternative methods for reliance. Clearly the level of assessment needed depends on risk, so there is not such a knee-jerk reaction to getting a SAS 70 for every service organisation. Also, in a lot of cases when establishing a service level contract, many companies include audit access which permits them to go in and audit the service company.
    I am aware that some Partners in the Big 4 have been advising in Europe that unless more than one company requires a SAS 70 on the same service company, it is uneconomic for a SAS 70 to be pursued, and the companies are encouraged to establish closer monitoring based on SLAs, etc. to gain sufficient assurance for SOX.

  • Thanks for the information.
