Hidden Secrets: Reliance on a SAS 70 for SOX Testing (Part 2 of 2)
By: Mitchell H. Levine, CISA
Audit Serve, Inc.

Reliance on a SAS 70 review is not the approach most companies would prefer for ensuring that SOX controls are effective within an outsourced service. However, for most companies there is no alternative, so they have to make the best of the situation, which at times requires an adjustment of the controls they expect to be in place.
This second part of the article focuses on the testing of the controls that the service organization presents to the service auditor for testing. In order to determine whether the testing within the SAS 70 review can be relied upon for a SOX project, one must determine whether the sample size and sample period used within the SAS 70 meet the requirements for SOX.
The sample size requirements for SOX are based on the control frequency. The CPA firms have provided guidance on the sample size requirements (i.e., 20 for daily, 10 for weekly and 2 for quarterly controls), and these need to be compared against the sample sizes actually used within the SAS 70 report.
Some of the traditional testing methods used in SAS 70 reviews, such as corroborative inquiry and observation, cannot be relied upon, since these test approaches are not among the types of testing SOX requires to satisfy the sample size requirements. In addition, most SAS 70 reports do not identify the control frequency, so the service auditor would need to be contacted to obtain this information.
The second question is whether successive SAS 70 reviews have been linked together so that their sample periods cover the entire year. SAS 70 reviews are structured to cover a specific period in which testing was performed to ensure that controls were effective for that entire period. However, many service organizations do not schedule continuous SAS 70 reports to cover each year, and therefore there may be a gap within the period in which controls need to be effective for SOX.
It should be noted that SOX only requires controls to be effective as of the end of the fiscal year. Therefore, as long as the SAS 70 test period covers the end of the user organization's fiscal year, reliance can be placed on the SAS 70 review from a test period standpoint.
If an organization outsources its computer operations to a vendor, it should be understood that the systems included in the testing of controls within the SAS 70 review may not be the actual systems on which the user organization's data resides.
However, SOX has been emphasizing the concept of management-level controls, in which assurance is obtained that all units have adopted and follow the same control structure. Therefore, testing a sample of units would provide assurance that all units follow the same control structure.
Mitchell Levine is the founder of Audit Serve, Inc. Audit Serve performs all types of integrated and IT audits, SOX testing and SAS 70 reviews. Email Mr. Levine at Levinemh@auditserve.com if you would like to discuss alternate project approaches for your next SAS 70 review.
Copyright 2006, Audit Serve, Inc. All rights reserved. Reproduction, which includes links from other Web sites, is prohibited except by permission in writing.
This article appeared in a past issue of the Audit Vision E-Mail Newsletter.