Regulatory Compliance, Governance and Security

Dec 31 2008   11:14PM GMT

Sarbanes Oxley (SOX) and SAS 70 | Understanding the relationship



Many people ask me what exactly the relationship is between SOX and SAS 70. The relationship between SOX and SAS 70 begins with Section 404. Because management must report annually on the effectiveness of its internal controls, it has an obligation to inquire into and inspect all controls considered vital to the organization as a whole and, more importantly, to its financial reporting process. Since a large number of publicly traded companies outsource a host of critical services, these outsourcing providers, commonly referred to as “service organizations”, are considered an integral component for purposes of financial reporting. Therefore, a due-diligence process must be enacted to have their internal controls observed and certified. The Securities and Exchange Commission’s (SEC) Chief Accountant and the Division of Corporation Finance have stated that “In many situations, a registrant relies on a third party service provider to perform certain functions where the outsourced activity affects the initiation, authorization, recording, processing or reporting of transactions in the registrant’s financial statement. In assessing internal controls over financial reporting, management may rely on a Type 2 SAS 70 report.” So, there you have it. If you want to learn more about SAS 70, visit the most in-depth web site available on Statement on Auditing Standards No. 70, at
