Policy/procedure SAS 70?

  • Has anyone seen either company-wide or IT department level policy/procedure related to contracts with vendors and SAS 70s?
    If so, what other topics were addressed in this policy/procedure?
    What criteria were used to make a SAS 70 a requirement of the contract with the vendor? Some vendors won’t provide one and some contracts may not warrant it.
    What evidence or audit trail is available to prove that client-side requirements are being carried out?
    Have you seen any SOX test scripts to test controls in SAS 70s?
    What types of controls are tested around SAS 70s? Any examples?
    Our external auditor points us to the PCAOB document and we have been trying to make sense out of it. It seems we need a policy/procedure, proof that client-side responsibilities are being carried out, and testing of controls on the client side. If anyone knows a better resource to review that would provide additional detail, that would be very helpful.

  • There is no blanket answer for this. Everything will depend on the services that the contractor is providing to you. You need to take a look at the process as if you were running it in-house and identify the controls that help you cover off on your financial statement assertions. To the extent that those controls exist in processes that the contractor provides, you need to get assurance that the controls are effective. A Type II SAS 70 may or may not cover the controls that are important to you. If it does, then this will help you gain assurance that the controls are effective. If it doesn’t, then you need to design test procedures, possibly regarding your contractor’s systems and processes, that provide that assurance.

  • Outsourced IT is an issue for us as well. We want our 3rd party provider to assure us they have their processes under control. We ask them to tell us what controls are in place for the risks we identified (actually they are the COBIT objectives rephrased as risks). Then, once we know what they do, we will determine if it is enough to sustain SOx compliance. For the test of effective operation we are looking for a SAS 70 statement with all identified controls in scope.
    SAS 70, though, is generally effective for 6 months and is expensive. So you can imagine a discussion on who will pay is going to be the next phase. :twisted:
    Wondering if this approach is similar to other companies’ and what experiences there are regarding SOx and outsourced IT at this moment.

  • For anyone interested in outsourcing and IT general controls.
    I have finally come up with an approach. I am working first with the service provider to determine who performs what control based on the COBIT objectives we as a company have to meet. We then ask our IT and control staff what they want (do we outsource our controls and become more dependent). Then we will discuss the objectives and applicable controls with our accountant.
    Next our service provider will implement these controls (if not yet there) and we might come up with some process redesign. In the meantime we discuss the approach on evidencing the effective operation of the controls (right to audit in the SLA, agreed-upon procedures (TPM) or SAS 70). And that should be it.
    Does anybody have comments or experiences with this approach?

  • Until reading this article, SAS 70: Compliance shortcut [searchdatacenter.techtarget.com/originalContent/0,289142,sid80_gci1090931,00.html?bucket=NEWS], SAS 70 was ‘greek-and-latin’ to me, but now I am having a sanity of understanding 😎

  • @AJ
    The article talks about outsourced data center operations only, which is just one of the services an organization can outsource as far as IT-related services are concerned. SAS 70 can be applied to a host of other services.