SAS 70 process 928

  • Have any of your clients approached you about having a SAS 70 report on your controls over the services that you provide? If not, this may not be something that they consider necessary and would be an added expense for you. On the other hand, if your competitors do provide SAS 70 reports, you don’t want to be at a competitive disadvantage.
    Do you homework as to the need for this type of report - both from a client service perspective and a competition perspective to ensure that you are making the right business decision prior to committing to spending the money on this.

  • Hi All,
    Since I am in a service provider I am also looking for an answer to the same question. My understanding is :

    1. U need to contact any registered audit firm which will evaluate your controls for each client. These controls will be diff based on the services you provide to each client so a diff SAS 70 type II for each client. If your are into a generic solution like Network service provider you can have one for all ( Pls correct me here if i m wrong)
    2. The client sends or recruits an audit firm to do an audit on you for SAS 70 Type II. The firm then issues a SAS 70 Type II report for you.
      I am not sure whether simply selling hardware or packaged software requires you to get a SAS 70 type II for clients. It is basically for outsourced service providers. The onus of SAS 70 Type II is on client really with the service provider obligation limited to letting the selected auditor review their controls.
      Certification of Privacy is IMHO cant be considered as SAS70 Type II

  • Calvin,
    The SAS 70 report is paid for by you. If you provide a report to your clients that covers the controls that they care about, they will very likely not need to visit your office for anything. Generally, one SAS 70 report is completed that covers the majority of your controls related to the client services that you provide, not separate reports for each client. If you are only in the business of selling hardware and software, no SAS 70 report is necessary.
    If you provide services and do not provide a SAS 70 report, you will likely have visits by both your clients and their auditors as each party has to test enough to draw their own conclusions as to the effectiveness of controls.

  • Thanks Kymike for the reply,
    we are having different kind of client engagements ranging from Application Maintenance for some to devleopment to some to system support to some. Will one SAS 70 type II do for all the clients??? or we need to get specific for each client???
    Who bears the cost in case we refuse to do SAS 70 ourselves?? In case i am ready to get it for gaining a competitve edge i have to pay for that but what if i dont see that much value coming from it but its required from the client side for their SOX compliance. My believe is our responsibility is limited to letting their auditor evaluate us for it.
    We have our internal audit department, can they audit the engagements and issue a report which can be considered equivalent???
    Thanks CH

  • To limit your cost, do not provide a SAS 70 report and invite your clients in to do their own controls documentation. In that case, your clients bear the cost of the work performed. You will only have the inconvenience of having one or more of your clients asking to come in to document controls to meet their specific internal controls testing requirements.
    As to whether or not work performed by your internal audit department would suffice for your clients, that would be up to each client to decide for himself.
    SOX does not require you to provide a SAS 70 report as a service provider. Nor does it require you to allow your clients to come into your offices for the purposes of documenting controls. It does require each public company to document and evaluate its controls and those of its significant service providers to the extent that they are allowed access to do so. If access is denied, then the public company must document any compensating controls that it has at its place of business. If your clients cannot document your controls that they rely on, and they feel that these controls are significant to their overall controls over financial reporting, they will likely take their business elsewhere. This is a risk that you will have if you refuse to allow them to document controls or do not provide them with a SAS 70 report.
    If you don’t have many clients asking for SAS 70 reports or to come into your offices to document controls, then you probably do not need to worry much about SAS 70 or other internal controls reporting.

  • Thanks kymike…that was really helpful.

  • We want to provide certification of privacy for our customers
    … my company sells hardware and utilities on the web that provides reporting needs for our customers. We want to protect the client data (server inventory and usage data, for instance) and wanted to assure our clients that controls are in place to address this…
    SAS 70 sounds like overkill to me for this requirement, you will incur significant costs and I am not sure that you would achieve your objective. You might be better off looking at an eCommerce certification such as CPA Webtrust or TRUSTe
    WebTrust is a wider and more robust certification (like SAS70 provided by CPA firms) - but if you are solely concerned about privacy then TRUSTe is enough.

  • _at_Calvin - I’m not sure that a SAS 70 is what you’re looking for either. If you are providing application support to a client then a SAS 70 cannot replace the client’s responsibility for maintaining a well controlled SDLC and managing their service providers woul dbe part of this.
    Ditto system support, again it is the client’s responsibility to ensure that they get what they need from you and control their won environment.

  • hi Dennis,
    Are u implying that the client shouldnt ask us for the SAS70 Type II. We are into application support and systems support primarily for some clients from where the talk of SAS 70 Type II is coming.
    I need an expert opinion over here. Can I say to the client that they can do without SAS 70 Type II from our side for their SOX compliance? what do they need to have to circumvent SAS 70 from our side.
    Pls clarify.
    Thanks for your time.

  • Each client will have to make their own determination as to whether or not the services that you provide for them are material to their controls over financial reporting. Once they have determined that your services are material to their financial reporting controls, then they will likely ask for a SAS 70. Absent a SAS 70 report, they will likely then ask to come document the controls in place related to the services that you are providing.
    I was suggesting earlier that, if you have several clients asking for the same types of controls support, you may want to consider having a SAS 70 report prepared versus facing the recurring inconvenience of having multiple clients interrupting your business in order to document similar controls.

  • I should have clarified that we provide services and customers do go onto our site to download entitlement, service contract, etc…
    I am not a technical person and am not sure how it works on the business side. I know we want to be compliant somehow with the protection of the client privacy, etc. Maybe this is not the correct forum to ask but again, I don’t know how else to reach out for some input…
    Some mentioned ISO17799 and Info. Assurance vendors and trust services…
    I think we will need our vendors to provide some kind of an assertion or certification as we work with different partners and vendors and vice versa…
    One interesting thing is, what if the vendor you want to us is NOT a PUBLIC company and you want to ensure security is in place and is addressed? Additionally, if that vendor is outsourcing some of the services to other companies, do you now also want that 3rd party to provide some kind of certification, too?
    Please continue to share your input. As you can see, alot of us can use this forum to brainstorm and it certainly is a great source due to all of your expertise.
    Thank you,

  • Certification of Privacy is IMHO’
    What is IMHO??

  • Thats ‘In My Humble Opinion’. 😄
    I regret any confusion created because of it.I was trying to say that SAS70 and Certification of privacy are not related.

  • thanks for clarifying that, Calvin.
    I understood the point, so thank you for sharing your input.
    So, if SAS70 and certification of privacy is not related, has anyone out there dealt with the privacy issue? I would imagine web services and banking industry have dealt with this long ago… Anyone has any suggestions where one would start?? (I’ve sent out some feelers with a few of my contacts from the banking industry)…

  • In case you didn’t see my earlier post.
    Start with TRUSTe (which is a privacy certification) and CPA WebTrust (which included privacy in its certification)

Log in to reply