I thought I'd start a thread on a topic on which I believe many companies still bear some risk - outsourcing.
Question: How many companies are solely relying on the SAS70 Type II report to mitigate their risk and/or pass their SOX audit?
Question: How many companies are aware of this guidance by the IIA:
“client-company management may need to arrange additional testing at the service provider that is not addressed by the SAS70 type II reports.” – Sarbanes-Oxley Section 404: A Guide for Management by Internal Control Practitioners - IIA
Question: Does a SAS 70 Type II report really mitigate your risk or does it just make you and your company feel good? How many companies actually know the procedures that the auditors in the SAS70 audit are performing? How many companies that have reviewed these audit procedures feel they are complete?
Question: How many companies have built into their contracts with outsourcing providers the ability to perform audit procedures beyond what was done in the SAS70?
Question: How many companies have penalties in place for companies that violate their security policies?
I am open to hearing both the good and the bad. My sense is that this is an area in which companies still have wide exposure, but I could be wrong...
Regards,