In the wake of Section 404 of Sarbanes-Oxley, Compliance Week has written extensively about SAS 70 Type II audits. (see coverage below, right.) The audits have become increasingly important for some public companies; management has to assess the effectiveness of the company’s internal control over financial reporting, and critical outsourced services that might materially impact those controls—like payroll, for example—are included. As a result, many companies are insisting that certain vendors undergo “SAS 70 Type IIs.” The audits refer to an AICPA standard that sets forth the practice for evaluating the performance of outside service organizations (a “Type I” audit describes the business’ controls, noting if they are suitably designed and in place; a “Type II” audit tests those controls and reports if they are working adequately). This week we speak with the CEO of a database company that has recently undergone such an audit.
You began SAS 70 Level II audits annually in 2004. Why?
