SAS 70 & Sarbanes Oxley (SOX) | What You Need to Know

The relationship between Sarbanes-Oxley and SAS 70 begins with Section 404 of the 2002 Sarbanes Oxley Act (SOX). Because management must report annually on it’s effectiveness of internal controls, it then has a fiduciary responsibility and a requirement to inspect on controls considered critical to the organization as a whole, but more importantly, to it’s financial reporting process. Because a large number of publicly traded companies outsource a host of services, these outsourcing providers, known simply as “service organizations”, are considered an integral component for purposes of financial reporting. Therefore, a due-diligence process must be enacted to have their internal controls observed and certified. The Securities and Exchange Commission’s (SEC) Chief Accountant and the Division of Corporation Finance has stated that “In many situations, a registrant relies on a third party service provider to perform certain functions where the outsourced activity affects the initiation, authorization, recording, processing or reporting of transactions in the registrant’s financial statement. In assessing internal controls over financial reporting, management may rely on a Type 2 SAS 70 report.” What’s just as important is that this relationship between SAS 70 and Section 404 of the SOX Act has kicked off a regulatory compliance push that quite frankly, there is no end in sight.

To learn more about SAS 70 audit or to receive a sample SAS 70 Type II report, visit the official SAS 70 Resource Guide.