Day: July 2, 2008

SaaS + SOX = SAS 70 Type II Certification

IT general controls should be followed by any well-managed IT organization irrespective of regulatory requirements like SOX. (period) When it comes to verification of IT general controls for SOX audits (internal or external), it is not a question of best practice or nice to have; it is a must-have requirement. Generally, external auditors do not test or verify IT general controls for all systems and all controls in an organization. They test a set of applications that are directly or closely related to the financial statements. It is common for an organization to classify its systems as SOX systems and non-SOX systems. IT controls are strictly followed for the SOX systems (it should be!!)

The SaaS (Software as a Service) model will be widely used in the future and will play a significant role in any future IT landscape. How can the SOX requirements be fulfilled with the SaaS model? How will internal and external IT auditors be able to test the IT general controls if an IT service is provided by an external service provider?

What are SAS 70 and the Type I and Type II reports?

SAS (Statement on Auditing Standards) 70 is an auditing standard for service providers (service organizations) that enables auditors to evaluate the service organization’s IT general controls and write a report on the effectiveness testing of those controls. The service organization’s audit report can be used by the user organization and the user organization’s auditors.

Type I Report
Focuses on the service provider’s relevant IT controls and their objectives. Auditors validate the controls and express an opinion on whether the controls are fairly presented and suitably designed to meet the stated objectives.

Type II Report
Type I report plus an assessment of the operating effectiveness of the controls over a period of time (not less than six months). The report can be provided as evidence of the effectiveness testing of the IT general controls against the stated objectives.

Should an IT organization mandate SAS 70 Type II certification from all SaaS service providers?

The American Institute of CPAs (AICPA) published an applicability document.

The way I understand the document is that SAS 70 Type II certification is required if the service organization provides a service or transactional operations that are significant to the financial statements. With this understanding, let us say an organization is sourcing financial controlling and reporting to a service provider (as a SaaS model); then the service organization is required to have SAS 70 Type II certification. If an organization is sourcing a marketing web site to a service provider (SaaS or ASP model), then the service organization is NOT required to have SAS 70 Type II certification.