Compliance

A SAS 70 report is the most commonly used vehicle for certification by a CPA firm that the internal controls as asserted by the TPA are designed and operating effectively.

SAS70 and SAS70 Type II Audits

The Sarbanes-Oxley Act (SOX) now requires publicly traded companies (SEC registrants) to certify the design and operational effectiveness of their internal controls environment. Under SOX Sec. 302 and 404, a public company's external auditor must now provide annual opinions about the reliability of the control representations, including IT controls, made by a company's CEO and CFO. Those public companies that use outsourced service providers (formally called Third Party Administrators or TPAs) are not relieved of their requirements for control assurance. The Public Company Accounting Oversight Board (PCAOB) has been very clear on this topic, issuing a statement on March 9, 2003 clarifying the fact that the use of service providers doesn't reduce the responsibility of corporate executives for maintaining effective internal controls. Thus, the service provider's internal controls must meet a similar level of assurance as the public companies they serve.

SAS70 as it Applies to 3rd Parties
These developments are increasingly causing public companies to require of their TPAs independent verification that their controls environments meet SOX requirements. A SAS 70 report is the most commonly used vehicle for certification by a CPA firm that the internal controls as asserted by the TPA are designed and operating effectively. External auditors of public companies are very likely to require a SAS 70 from each of the company's TPAs. Similarly, TPAs that serve multiple public companies are likely to have to meet SAS 70 requests from each of their clients. It should be noted that in the absence of a SAS 70, a public company's external auditor may need to conduct direct verification of the TPA's controls.

As more and more companies fall either directly or indirectly under its influence, SOX Section 404 is becoming a de facto standard for IT internal control assurance within businesses and throughout business relationships. Moreover, SAS 70s are increasingly valuable for private firms planning on going public or preparing to be acquired by a public firm. Quite simply, a SAS 70 bespeaks management's thoughtfulness, and can contribute to speedy due diligence when that becomes necessary.

Because they have become standards, SAS 70s are also used by service providers and ASPs as market differentiators that demonstrate a company's commitment to IT-Security. "Building a trusted online environment should be a significant part of an ASP's business plan," says Jeff Sopshin, a CPA and Partner with Ernst & Young. "A SAS 70 certification can help build this trust." Clients need to be continuously reassured that the service is operated in a safe and secure manner. The SAS 70 can provide such comfort. There are other benefits, too. According to Sopshin, many organizations that undergo a SAS 70 audit are able to discover opportunities to strengthen their internal control processes and to find meaningful efficiencies.

What's involved in a SAS 70? A SAS 70 audit or service auditor's examination includes:

  • Service Auditor's Reports
  • Description of Controls and Operations
  • Control Objectives, Control Activities, and Service Auditor's Tests of Operating Effectiveness
  • Optional Information

Scope: In considering the scope of a SAS 70 report it is important to recognize that the SAS 70 is an auditing standard designed to enable an independent auditor to evaluate and issue an opinion on a service organization's controls. Most often the audit report is provided to the service organization's customers ("user organizations") and their respective auditors ("user auditors"). To be effective, the SAS 70 must address the control objectives, the control activities, and the supporting IT systems that impact the user organizations in the view of the user organizations' auditors. In the case of SOX, the areas that most often need to be addressed are the controls and supporting IT systems that could impact the user organizations' financial reporting.

OffsiteDataSync Ensures SAS70 and SAS70 Type II Compliance by:

  • Maintaining Tier3 data centers in geographically diverse areas of the United States with full “N+1” redundancies
  • Documenting, logging, and controlling access to customer information and ensuring that unauthorized individuals and 3rd party entities (including OffsiteDataSync employees) cannot access backed up or archived information.
  • Offering three methods of certified data destruction: simple file overwrite, three-pass binary overwrite, and random inverse binary overwrite.
  • Providing complete disaster recovery services for customers in an emergency and / or system-down scenario.

Testimonials

"We are bound by and must be compliant with the Sarbanes-Oxley Act. We researched many companies and finally chose OffsiteDataSync because they have a product that is reliable and offers on-line restorations when needed. We couldn't be happier with the service they offer."

Scott Zollo
President
Accuvest Investment Group
