How DevAlign Can Help With SOX and SAS70 Compliance


Statement on Auditing Standards Number 70 (SAS70) is an accounting standard set up by the American Institute of Certified Public Accountants in 1993 that spells out how an external auditor should assess and report upon the internal controls of an outsourcing service provider.  In 2002 Sarbanes-Oxley (SOX) added impetus for SAS70.  SOX Section 404 requires public companies outsourcing certain processes to audit service organizations to ensure their control objectives relate to any activities that are critical and vital to an outsourcers well being.  Such processes may include financial, payroll, benefits, 401(k) administration, medical/dental, Workers’ Comp, Claims administration, and related IT.  


SAS70 does not follow a required format or utilize specific technical standards.  Service companies can disclose control objectives and activities in a variety of ways using variety of technical standards[i]


While the DevAligntm System will not address all requirements of SAS70/SOX, it can significantly help companies towards that goal in the following ways:


SAS70 Requirement

How the DevAligntm System Can Help

Describe your vital operations

The DevAligntm system provides a tool for documenting and maintaining your processes in a clear, structured manner.


Describe your internal control objectives

Internal control objectives can be defined within the operational policies/quality standards that are linked to each process.  They can also be clearly identified via icons in the process flow diagrams.  Also, the rigors of implementing the DevAligntm system in an organization (i.e., documenting processes along with inputs, outputs, controls & resources) helps to define and identify opportunities to strengthen your internal control processes.


Control objectives must mirror actual daily activities

The DevAligntm system is a tool for monitoring and managing processes and controls on an ongoing basis as described in the Continuous Improvement process.  Reviews are conducted on a regular basis to ensure personnel understand and are performing according to defined standards and controls.  When changes are required, they are made in a structured manner using the Change Manager.  Changes are automatically communicated to impacted personnel to ensure work activities continue to reflect defined control objectives.  Training is dynamically generated directly from the processes so content always reflects current work activities.  Likewise, job activities with related, knowledge, skills and performance standards are also generated directly from the processes to ensure employee performance meets defined standards. 


Annual Audits must provide a description of controls and operations. 

Providing the necessary documentation and resources for an audit in a timely manner can significantly reduce time and costs spent on audit activities, as well as increase the likelihood of a high quality and successful review.  The DevAligntm system provides much of the required information in a central, Intranet based location; and the Continuous Improvement process and tools ensure this documentation is maintained so that it always reflects current operations.


Detailed testing of controls (in Type II audit)

To help monitor controls, where possible, process measures/indicators may be defined and linked to each process within the DevAligntm system.


Potential Clients may require SAS 70

With the DevAligntm system, you can quickly demonstrate your operational controls and quality management processes to potential clients who may have this requirement.


Among other, auditors look for 5 Key components of internal control:

1.      Control Environment

2.      Risk Assessment

3.      Control Activities

4.      Information and Communication

5.      Monitoring

1. The DevAligntm Continuous Improvement process and tools provide discipline and structure that fosters an environment of constant awareness of process control and quality management.    In addition, the resources associated with each process provide links directly to current regulations that may impact those processes.


2. Though not specifically addressing the Risk Assessment component, embedded Disaster Recovery procedures can be used to show how an organization identifies and manages risks associated with potential disasters.


3. The embedded policies, procedures and quality standards help to ensure management directives relative to control are communicated and followed. 


4. The automatic notifications generated through the Change Management system ensure that all related staff members are kept informed of issues and changes as needed.


5. Links to Indicators/Measures can be embedded to monitor process activity and ensure the processes are performing as expected.



For more information, contact Deva Industries, Inc. at 239-540-0388.


Copyright 2007 Deva Industries, Inc.


[i] “SAS 70 Overview and Planning Guide”, Philip M. Cronin, CISSP, and Bruce Eissner,