Impact of Third-Party Services on Sarbanes-Oxley Compliance
Controls surrounding third-party services should ensure that roles and responsibilities of third parties are clearly defined, adhered to, and continue to satisfy requirements. Control measures are aimed at reviewing and monitoring existing contracts and procedures for their effectiveness and compliance with organization policy. The dissolution of a major contract could have significant impact on financial reporting. Thus it would fall within the guidelines for disclosure by the company officers.
During an audit, organizations often contend that they are not responsible for a given control because either the function is outsourced or the software was purchased from and is maintained by a third party. According to legislative guidelines, a company can outsource a service but not the responsibility for control of that service. It is next to impossible for a company to outsource its problems and expect them to go away.
Documentation of the third-party controls is required for attestation by the independent auditor, so an assessment must determine the effectiveness and completeness of the service organization’s internal controls. If SAS 70 or similar audit opinions do not include controls testing, results of the testing, and the third-party service auditor’s opinion on control effectiveness, the reports are not sufficient for Sarbanes-Oxley compliance. Companies should be sure to note whether the specific environment, platforms, and applications used in fulfillment of the outsourced services are covered by the SAS 70 (or similar audit) reports.
Four functional objectives for auditing third-party services and the outsourcing of major portions of company activities, relevant to companies, corporate subsidiaries, and multinationals, are summarized as follows:
1. Policy statements regarding data integrity, availability, and confidentiality are determined by senior management and must be maintained and contractually supported by any outsource arrangement.
2. Asset-protection requirements should be clearly defined and understood by the principals in any outsourcing agreement.
3. Data and information custodial responsibilities should be well defined and complied with.
4. Service levels should be defined, measurable, and acceptable to both parties. Failure to meet service-level agreements should have some compensatory action. Billing and invoices should be accurate and costs within budgeted amounts.
Source: IT Auditing: Using Controls to Protect Information Assets by Chris Davis 2007