section 404 sox

SAS 70 Type II Audit Reports | Why SAS 70 is Here to Stay

We live in a world of heightened regulatory compliance and corporate governance. From the passage of the 2002 Sarbanes-Oxley Act to numerous other pieces of legislation (HIPAA, GLBA, just to name a few), “comply, comply, comply” is the new mantra being pushed throughout organizations and at all levels. SAS 70 audits, originally introduced as the 70th auditing standard in April of 1992, has stood the test of time as the main “go to” compliance audit for many of these regulatory requirements that have ushered from the halls of Congress.

Okay, so, why is it here to stay? Well, for a number of reasons. First and foremost, it will always be used as an audit tool for evaluating service organization’s that could have a material impact to a company’s “information system”-This term, “information system” is used to describe the user organization’s “information system”, that is, what services are being performed by the service organization that are considered a part of the user organization’s “information system”. Transactions, procedures (be it manual or automated), supporting information, the capturing of events and conditions-are all considered traits and activities that relate to, have an effect, and impact the user organization’s “information system”.

Second, the SAS 70 auditing standard has been quite flexible, adapting to the needs of service organizations that must have their control environment examined. Witness the numerous times the SAS 70 auditing standard has been amended over the last 16 years to keep “pace” with the changes of business.

Third, the SAS 70 auditing standard has become very quickly recognized as the global de facto audit for internal controls on service organizations. In short, it has built up quite a following that is simply very hard to ignore.

To learn more about SAS 70 audits, visit the official SAS 70 Resource Guide.

SAS 70 & Sarbanes Oxley (SOX) | What You Need to Know

The relationship between Sarbanes-Oxley and SAS 70 begins with Section 404 of the 2002 Sarbanes Oxley Act (SOX). Because management must report annually on it’s effectiveness of internal controls, it then has a fiduciary responsibility and a requirement to inspect on controls considered critical to the organization as a whole, but more importantly, to it’s financial reporting process. Because a large number of publicly traded companies outsource a host of services, these outsourcing providers, known simply as “service organizations”, are considered an integral component for purposes of financial reporting. Therefore, a due-diligence process must be enacted to have their internal controls observed and certified. The Securities and Exchange Commission’s (SEC) Chief Accountant and the Division of Corporation Finance has stated that “In many situations, a registrant relies on a third party service provider to perform certain functions where the outsourced activity affects the initiation, authorization, recording, processing or reporting of transactions in the registrant’s financial statement. In assessing internal controls over financial reporting, management may rely on a Type 2 SAS 70 report.” What’s just as important is that this relationship between SAS 70 and Section 404 of the SOX Act has kicked off a regulatory compliance push that quite frankly, there is no end in sight.

To learn more about SAS 70 audit or to receive a sample SAS 70 Type II report, visit the official SAS 70 Resource Guide.