  • I could use some help as to how you typically solve for what appears to be a catch-22 related to SOX.
    If you are outsourcing processes and systems to an outsourcer that has highly customized those for you… and you cannot rely on a generic SAS 70 Type 2 because it’s not applicable… how do you possibly ensure SOX compliance for the first 6 months?
    On one hand the external auditors need 6 months of production data to perform their tests of control effectiveness… but you can’t wait 6 months to get attestation… especially if it was a conversion/go-live in the latter 6 months of the year - how do you typically handle this to ensure you are confident in control effectiveness for the last part of that year?
    Is this where a bridge letter or AUP (Agreed Upon Procedures) would be used to solve this? Or could you use all the SIT and UAT testing to show confidence in the control effectiveness, since you can rely on generic IT general controls to prove solid change management in the environments?
  • I may not be thinking of the right example, but I’m not sure why you can’t get a SAS 70 (actually, it’s now an SSAE 16 report) from your service provider even though the service they are providing is highly customized. I don’t care how customized it is, I would expect my service provider to have controls in place on their end to make sure they are catching errors, reconciling balances, ticking and tying, etc. I don’t think being customized affects that (but again, maybe I’m not thinking of your scenario). Controls should still be there and they should be able to get you an SSAE 16. If they can’t, then you could remedy by having checks and balances on your end (mostly detective controls, but they would work). For example, if you are outsourcing disbursements and the service provider doesn’t have the right controls, then you need some check figures, balancing reports, daily cash monitoring, etc. to ensure the cash that left your account is what you were expecting.

  • Thanks… the challenge is, as I’m told, that in order for an external provider to do the testing they need at least 6 months of live data in production… so the question is how do you possibly have a valid SAS 70 on day 1 of production for systems that are customized to your org?

  • Sounds like someone doesn’t want to pay for the work. There is no minimum time frame of activity needed in order to test the effectiveness of controls. You just adjust your sample sizes for the given population. At this point in time that is probably a moot point as you don’t have time to wait on a report. I would look to alternate procedures to get comfortable with controls for the short time period.

