Health Care Organizations or Consulting Firms SAS 70
Juli
Just wondering how others are handling the SAS 70 requirements when it comes to Health Insurance Organizations? Wellmark BC/BS doesn't issue one, but it comes from EDS, who maintains their network. Consulting firms that do eligibility work for many other organizations do not believe that activities related to enrollment are a required control for financial reporting and therefore refuse to have a SAS 70 Report done.
How do others handle this issue?
Thanks in advance,
ugogirl
We discussed a similar situation with the external auditors. If there is not a SAS 70 for a service organization and it is considered in scope for SOX, then the external auditor recommended identifying the controls we have in place with that service organization, writing test scripts, and testing those controls just like we do for all the other internal controls.
We had a SAS 70 from a different service organization and reviewed the user control considerations section, which gives you some idea of the minimum set of controls that should be in place if there were a SAS 70 from the other service organization. We started with that section and identified other controls that we had in place. Then we did a mapping to application and IT general computing controls. Our belief was that these were probably already tested somewhere and we didn't want to duplicate effort. We wrote a test script to prove that the controls for the service org were tested, then we referenced the supporting documentation (narratives, flow charts, policy/procedures, etc.) and the test scripts where these controls were tested. This saved us from duplicating effort where it was already tested previously.
Some of the controls mapped very easily to IT general computing controls. Others may map to application or other internal controls in place.
mvedula
From a Sarbanes audit perspective, the onus of getting the SAS-70 or a Third Party Assessment is on the client that is being audited.
If your auditors believe that key controls within your environment were part of an outsourced environment, it is imperative that these controls within the Service Provider be tested.
SAS-70 Type-2 (Service Auditor Report) is the most recognized document, specific to IT General Controls that support Financial Reporting. If the Vendor Organization does not have one done, it is understood that your audit team, along with the business team, should explain the requirement to the vendor and help them to get one ASAP. If your vendor is doing business with other Sarbanes Clients, it is imperative that they would get the heat either way.
It is counterproductive for the vendor not to engage/provide a SAS-70, as auditors from each of their Sarbanes Client base would start sending auditors to this Vendor to understand the control environment and then to TEST them in the fashion most suitable to their own Sarbanes testing methodology.
To avoid the army of auditors from various Sarbanes Clients and to please their clients, most Vendors prefer to have one Audit Group that they hire/pay to complete the SAS-70 or, less painful, a TPA (Third Party Audit Assessment). It is true that Vendors are scared not of the SAS-70 Auditors, but of their fees.
Bottom line: if a TPA/SAS-70 is not available from the Vendor, External Auditors would mandate that your Internal Auditors first conduct the testing on the Vendor, and then External Auditors may re-perform their own testing on the vendor once more.