
There are many aspects of a SAS 70 that are similar to the requirements of the Sarbanes-Oxley Act. In order to understand the relationship, the similarities and the differences, it is important to understand both the Sarbanes-Oxley Act and a SAS 70 Audit. The SAS 70 Audit is defined and explained on this site's web page "SAS 70 Details" and the Sarbanes-Oxley Act is explained below.
The Sarbanes-Oxley Act (SOX), or "the Act", was passed into law by the United States Congress in July 2002. The purpose of the Act was to restore investor confidence following well-publicized bankruptcies that brought chief executives, audit committees, and the independent auditors under heavy scrutiny. The Act is applicable to all publicly registered companies under the jurisdiction of the Securities and Exchange Commission (SEC).
The Act is comprised of many provisions, called sections, and specifies several requirements such as management's quarterly certification of disclosure controls (Section 302) and management's annual assertion of internal controls over financial reporting and their effectiveness (Section 404). In the case of Section 404, the independent auditor of the organization is required to opine on management's assertion over internal control in addition to the auditor's opinion on the fair presentation of the organization's financial statements. This additional testing of management's assertion is referred to as an attestation. The rules, guides, and standards are now under the auspices of the newly created Public Company Accounting Oversight Board (PCAOB), which itself stems from SOX requirements.
Section 404 concentrates on the significant processes that comprise financial reporting for an organization. In order for management to make its annual assertion on the effectiveness of its internal control, management is required to document and evaluate all controls that are deemed significant to financial reporting. If the organization uses a service provider to process transactions, host data, or provide other significant services, management will look to the service organization for information on the design and operating effectiveness of the service organization's controls. The PCAOB is still in the definition stages in its exposure draft as to the reliance that will be placed on service providers. Whatever the outcome, the PCAOB has stated that management is ultimately responsible for its controls even when they are outsourced to a service provider.

Wording from the PCAOB, as of December 2003, is still unclear as to how much, if any, reliance can be placed on SAS 70 Audits. In the past, before SOX, auditors could rely on SAS 70 Audits for the purpose of internal control attestations. As guidance is still not clear, auditors continue to work under previous assumptions.
The PCAOB's publications appear to introduce conflict in its attempts to prevent conflicts of interest for financial reporting internal controls.

Management will either need to conduct an evaluation of the service organization's controls, or management may obtain a SAS No. 70 service auditor's report from the service organization, if a service auditor has been engaged, to gain an understanding of the service organization's controls. The relevant audit guidance for SAS No. 70 already requires that a service auditor's report contain information on the five components of internal control as it relates to the service organization.
Service organizations that have customers who are publicly registered companies should prepare immediately for the anticipated increase in demand for information on the service organization's controls. Service organizations should consider the following: What are the fiscal year ends of the service organization's customers? When will the management of the service organization's customers conduct their evaluation? If the service organization currently receives a SAS 70 audit, is the scope adequate to meet the needs of customer management and the auditors of the customers? If the service organization does not currently receive a SAS 70 audit, does the service organization have the bandwidth from a resource standpoint to handle the additional requests that may result from Section 404 of the Act?
The SEC recently published its final rules related to the adoption of Section 404, which can be viewed at the SEC website. Public companies that meet the definition of an "accelerated" filer must comply with the internal control reporting requirements as of the end of their first fiscal year ending after June 15, 2004. Public companies that are not accelerated filers as of the end of their first fiscal year ending on or after June 15, 2004, including foreign private issuers, must begin to comply with the annual internal control report for their first fiscal year ending on or after April 15, 2005.
The PCAOB will be responsible for finalizing the attestation guidance that practitioners must follow when examining management's assertion on the effectiveness of controls over financial reporting.
The AICPA maintains a web page dedicated to the latest developments surrounding the Sarbanes-Oxley Act: http://www.aicpa.org/sarbanes/index.asp
The PCAOB web site: http://www.pcaobus.org
For further information send an e-mail to SAS70Audits.com or use our on-line Comment Journal.
We are "Leading professionals" in the field of SAS 70 and Sarbanes. If you have questions, feel free to write in our Journal or drop us an email.