At the request of subscribers, Compliance Week offers a Remediation Center, in which readers can submit questions—anonymously—to securities and accounting experts. Compliance Week’s editors will review all questions and then submit them—confidentially, of course—to specialists who can address the issues. The questions and responses will then be reprinted in a future edition of Compliance Week. Below is one of the Q&As.

QUESTION

If a vendor’s SAS 70 audit report identifies significant deficiencies in that vendor’s control environment relevant to systems that support the client’s material transactions, how should these be treated (that is, reported or mediated) by the client if the client is subject to Sarbanes-Oxley and Section 404? For example, say the vendor’s SAS 70 Type II report identifies issues with the vendor’s user access to its own key systems and data. What should the client do?

ANSWER

Les Stone, John McCormick—For purposes of this discussion, we’ll assume that the client has outsourced its applications (which may contain critical controls as defined by the client for SOX compliance purposes) to an outside service provider. The original intent of the SAS 70 audit was to report on a provider’s controls, when a client had outsourced some function to the provider and controls over it might be relevant to a financial-statement audit. The introduction of SOX seemingly brought forth new uses for SAS 70 audits, primarily so the service provider could demonstrate it had designed controls well and that they were operating effectively for a period of time to help their clients with SOX compliance efforts. SAS 70 audits only cover the controls that the service provider performs; they do not contemplate what the client still performs, and often that can be significant.

As differentiated from the client’s controls, the provider’s controls may include (but not be limited to) building security, network security and access, IT controls over introducing new hardware, scheduling of employees, and employee hiring and training.

To the extent that there is a testing exception or that a control objective is not achieved in the SAS 70 audit, the client must consider the effect and would likely consult its auditor. A control objective not being achieved may be relevant to a client, the client may have mitigating controls in place, or the event causing the qualification may not even be relevant to the service provided to the client. In any of those cases, the client will need to consider if additional action is necessary or not.

Many SAS 70 reports will contain a “management response” to the testing exception or the event causing the qualification. The client should understand the corrective action that took place, when it took place or is scheduled to take place and again determine whether additional action on the client’s part is required.

Therefore, regardless of what the SAS 70 indicates, the client and its auditor need to work in a collaborative manner with the provider, and ascertain the true impact. There is no “one size fits all” interpretation; a great deal of judgment is required.