In recent years, companies large and small have ceded their day to day activities to third party service providers. Such tasks normally include payroll, administration, accounting etc. Outsourcing daily activities has
now become a major practice amongst all companies. In case such outsourcing activities affect the financials of the company, then the contracting company must assess the effectiveness of internal controls over financial reporting at the contractor's company.

This is not a easy task. A lot of time and resources are required for third party internal control assurance normally called SAS 70 reviews. I have discussed some concepts about SAS 70 Type I and SAS 70 Type II reviews earlier. You can also find some terminologies related to SAS 70 here. It is better to hire a consulting firm which has expertise in SAS 70 reviews. I am of the view that internal audit can play a lead role by validating the SAS 70 reports for completeness and accuracy. Internal audit can also go a step further by completing audits at third party locations. A company's internal audit department has the right resources who can understand the risk and control relationship, and can therfore identify specific monetary and non-monetary risks associated with third party relationships. IA can also help by creating a risk mitigation plan. I personally believe IA will play a much bigger role in controls compliance in years to come.

Related Posts

CPA's Role in Sarbanes Oxley Auditing
Computer Assisted Auditing Techniques for SOX
Using Control Matrix to Document Risks and Controls
Key Benefits of Section 404 Implementation