16 February 2011

SAS 70 Being Replaced

Technology people can ignore this post. This is for the accountants in the room. Companies that outsource service portions of their of their business (think Payroll to ADP) have requirements around ensuring the controls in place at those organizations. Previously a SAS 70 Audit was used to report on internal control at service providers but there were lots of problems with that. Companies misrepresented the value of a SAS 70 audit in sales literature calling themselves SAS 70 compliant when there was really no standard to comply to. As a result of problems and the growth of new outsourcing options like cloud computing the AICPA is replacing SAS 70 with Service Organization Control Reports.

What does this mean to you as a GP user? It means that as you look at ISV outsourced solutions and other outsourcing options that may plug into Dynamics GP it’s time to start looking for SOC not SAS 70. If your vendor gives you a blank stare when you say SOC send them to http://www.aicpa.org/InterestAreas/AccountingAndAuditing/Resources/SOC/Pages/SORHome.aspx and then maybe get a little nervous about the vendor.