The Business Controls Caddy

Sarbanes-Oxley FUD In InfoWorld




In my presentations on compliance, I talk about myths and traps people fall into, including "I read somewhere that...". In the May 1, 2006 issue of InfoWorld, Ephraim Schwartz provides one of these wonderful references in his editorial entitled "Are Your Services Compliant?". What fear, uncertainty and doubt (FUD) is he spreading? He states that "Under Section 404 of Sox, most companies are REQUIRED (emphasis added) to have received SAS 70 (Statement on Auditing Standards No. 70) Type II Service Auditors' Report from their service providers to evaluate controls, operations, data-centers, security, back-up, and system availability."

My response is simple, as always:
NO, NO, NO! There is no requirement under Section 404 to receive these reports. Section 404, all 168 words of it, requires a report on the effectiveness of a reporting company's internal controls. There is no requirement for the receipt of a SAS 70 report, and the Public Company Accounting Oversight Board (PCAOB) says that companies MAY want to obtain such a certification from service providers (note that it would be prudent for companies to get the certification, depending on risk assessments).

It is incumbent on Mr. Schwartz and the editors of publications to get the information right, and not continue to spread FUD about what is and what is not required.


Related Links


Ephraim Schwartz: Are Your Services Compliant?



Comments

05/05/2006 11:46:17 AM

Comment posted by Ephraim Schwartz, 05/05/2006 11:26:29 AM
Homepage: http://www.infoworld.com


You are obviously referring to this sentence:
"Under Section 404 of Sox, most companies are required to have an SAS 70 report from their service providers to evaluate controls, operations, datacenters, security, backup, and system availability."

I did not intend to spread fear, uncertainty and doubt, and in fact I don't think I did. Warning readers that they must be sure their service providers are compliant is an intelligent thing to do, not a way of spreading FUD.

Nevertheless, I am wrong and you are correct. Unfortunately, it is not what I meant to say, which was that SAS 70 is the accepted stamp of approval for a SaaS provider that their systems are compliant. As far as I know it is not a requirement. However, the two lawyers with a regulatory practice that I spoke with both said if you have SAS 70, that's good enough. A third said no, you need even more.

Are you suggesting companies should be macho about this topic and tough it out?
All the best,
Ephraim


05/08/2006 09:29:17 PM

Comment posted by Christopher Byrne, 05/08/2006 09:03:17 PM


Not suggesting they tough it out at all. In the original post, I make it clear that "it would be prudent for companies to get the certification, depending on risk assessments". What I am saying is that we should not label something as "required", when it is not.

My concern arises from the "I read it somewhere" syndrome, where one line or section is taken as gospel and passed along as such. That is the FUD that needs to be avoided.

