As Sarbanes-Oxley Section 404 meets up with an obscure auditing standard, many companies are thinking hard about offshoring their business processes.<\/p>\n","protected":false},"excerpt":{"rendered":"
A little-known and perhaps largely outdated auditing standard for outsourcers could be the next big hurdle for Sarbanes-Oxley compliance. The standard in question is Statement on Auditing Standards No. 70, “Reports on the Processing of Transactions by Service Organizations.” Set up by the American Institute of Certified Public Accountants in 1993, SAS 70 spells out how an external auditor should assess the internal controls of an outsourcing service provider and issue an attestation report to outside parties or to a client.<\/p>\n
Auditors and other critics of the standard say SAS 70 is in need of a major overhaul, especially considering the June deadline for Section 404 compliance facing many public companies.<\/p>\n
Stan Lepeak, vice president of the research firm Meta Group, believes that incompatibilities between SAS 70 and Sarbanes-Oxley will “dampen outsourcing, at least in the short run, until outsourcers can show that they have both the adequate controls in place [and] evidence to prove that.” Tom Eubanks, of IBM business consulting services, isn’t so sure. “On first blush,” he says, “one might think, ‘Why would you outsource in a world where Sarbox is in place…and the magnifying glass is on the finance function?’ ” But what Eubanks and his colleagues are finding, he adds, is that “companies are looking at outsourcing as a valid way to address some [Sarbanes-Oxley] issues.”<\/p>\n
All in the Timing Under SAS 70, an outsourcing-service provider undergoes an annual audit, performed either by its own independent auditor or by the auditors of its outsourcing clients. There are two types of service-auditor reports.<\/p>\n
Type I includes the service auditor’s opinion on the fairness of the presentation of the provider’s description of its controls and how well they’re designed to meet specified control objectives.<\/p>\n
Type II reports, generally preferred for their greater depth, include the same data as Type I as well as the auditor’s opinion on the effectiveness of the controls during the period under review.<\/p>\n
More info: http:\/\/www.cfo.com\/article\/1,5309,12161|0|C|1|,00.html<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[29],"tags":[],"class_list":["post-527","post","type-post","status-publish","format-standard","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/527","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=527"}],"version-history":[{"count":1,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/527\/revisions"}],"predecessor-version":[{"id":3014,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/527\/revisions\/3014"}],"wp:attachment":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=527"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=527"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=527"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}