SAS70 use for Model Audit Rule/SOX 2600



  • I work for a company that is getting ready to comply with the NAIC’s Model Audit Rule (aka, SOX). We are an insurance company that has a SAS70 conducted on our claim application. Since this SAS70 already tests the operational effectiveness of those controls (including application and general controls), can we exempt ourselves from documenting and testing those same controls for Model Audit Rule/SOX purposes?



  • Hi Povo - Being in a similar situation (e.g., SAS 70 SOX for an insurance services firm), I would answer this as possibly ‘NO’. Unfortunately, while they have plenty of similar control points, there are also differences.
    However, having a SAS 70 rating may help you with the NAIC requirements in gaining acceptance. It may also be beneficial to contact someone at NAIC to ask as well, as you might save time in referencing applicable SAS 70 control standards that are in place.
    Some of these links might help also

    http-and-#58;//www.google.com/search?hl=en-and-q=NAIC Model Audit Rule
    http-and-#58;//www.deloitte.com/dtt/cda/doc/content/us_lshc_naic_model_audit_1007.pdf
    http-and-#58;//www.google.com/search?hl=en-and-q=sas 70



  • Much appreciated on this end. Thanks for your input…by the way, you are all over this SOX Forum…great insight you have given to the rest of us…


Log in to reply