SAS 70 Type 2 reports 114



  • Since auditors are wanting type 2 reports, what happens when your service provider only has a type 1 report, but is WORKING on getting type 2 reports. Are we forced to use agreed upon procedures this year???



  • This post is deleted!


  • This post is deleted!


  • This post is deleted!


  • one quick addition, KPMG does our audit. KPMG also does the SAS 70 work for our TPA (although different KPMG offices). Is this an issue?



  • What you want to see is a report what tells you that there are functioning procedures, processes and controls at the TPA’s site that insures you that everything is done to minimize the risks of a financial misstatement.
    A SAS70 I only says that there has an audit been performed and what issues came out of that. You want more. You want to see if the controls in place have been tested. Therefore you need a SAS70 II.
    Up to now it still is considered a conflict of intresst if the issuer of a SAS70 and the reciepents auditor is the same CPA firm.
    The Big Four are lobbying about that.



  • As a software company that does not provide application hosting or data centre type functionality, do we need this?



  • As a software company that does not provide application hosting or data centre type functionality, do we need this?
    Likely not, if you are just a software developer. It would be in your best interest, however, do be able to provide your customers with a list of the built-in controls related to data integrity and security in case they need to rely on them as internal controls.


Log in to reply