Policy/procedure SAS 70? 768

  • Has anyone seen either company wide or IT department level policy/procedure related to contracts with vendors and SAS 70s?
    if so, what other topics were addressed in this policy/procedure?
    what criteria was used to make a SAS 70 a requirement of the contract of the vendor? some vendors won’t provide and some contracts may not warrant it.
    what evidence or audit trail is available to provide that client side requirements are being carried out?
    Have you seen any SOX test scripts to test controls in SAS 70s?
    what types of controls are tested around SAS 70s? any examples?
    our external auditor points us to the PCAOB document and we have been trying to make sense out of it. it seems we need a policy/procedure, proof that client side responsibilities being carried out, and testing of controls on the client side. if anyone knows a better resource to review that would provide additional detail that would be very helpful.

Log in to reply