SAS 70 - Multi-level Service Provider

  • How far should the internal audit of a user organization drill down for SAS 70 when the service is provided across multiple tiers?
    Scenario: A is the user organization using B as a service provider for an online, on-demand web service.
    B is responsible for the SDLC controls related to software development.
    B outsources the web hosting to C, who is responsible for IT general controls in production.
    C uses the data center facility of D, who is responsible for physical security controls.

  • Hi - I suggest auditing all the way down the chain (from A to D) wherever there are SAS 70 related concerns. SAS 70 standards must be met whether a company supports the critical function internally or outsources it. You can stop earlier than ‘D’ if the concern is outside the scope of a SAS 70 audit control.

  • From a SOX perspective, you only need to be concerned about processes that could impact your reported financials. Make certain you identify how the service provided impacts your financial records and only focus on those areas. If a control failure at your service provider could never lead to a misstatement of your financials, you generally don’t care about the control failure.

  • I guess only controls relevant to the services provided to A by B (or by C and D indirectly) need to be considered. Defining control objectives applicable to each of the service providers and pushing for a SAS 70 from the direct vendor (B) would be a good approach. Of course, while drafting the agreement with B, the audit clause needs to be clear with respect to the level of access to information and facilities of the service provider (B) and of all such persons/organizations who may directly or indirectly impact B’s service to A.
    Hope this helps.
