BOL Conferences
#159034 - 02/10/04 10:33 PM FFIEC Guideline
Anonymous
Unregistered

We received a letter from our core processor telling us that they have a SAS70 report available for us to purchase that deals with controls for EFT switches.

They mention that the FFIEC, in its Interagency Supervisory Statement, establishes control objectives for EFT switches and network service providers.

Does anyone know what interagency statement they may be referring to? I checked FFIEC's website but was unsuccessful.

#159035 - 02/10/04 10:44 PM Re: FFIEC Guideline
redsfan
Power Poster
Joined: Dec 2000
Posts: 3,455
The Pennant Race
Go to the FFIEC web site and look under Handbooks and Catalogues for the FFIEC IT Handbook. Under the Navigating this Infobase heading is a link to the IT booklets. Read the booklet titled "Supervision of Technology Service Providers."

By the way, I have never heard of a provider offering their SAS70 report "for purchase." They should be obligated under the terms of your contract to provide you with evidence of the security and adequacy of their system. That's what the SAS70 is for. It is an audit report by an external CPA firm of the company's systems.
_________________________
The opinions expressed here are personal and do not represent opinions of my employer.

#159036 - 02/10/04 10:56 PM Re: FFIEC Guideline
Pale Rider
10K Club
Joined: Aug 2002
Posts: 34,318
under the Lone Star
I agree with Paul, that is pretty crafty that your service provider is charging for an audit report they should be obligated to provide your bank. The examiners will want to know whether your bank sufficiently reviewed the SAS70.
_________________________
Societies that do not find work in and of itself "pleasing to God and requisite to Man," tend to be highly corrupt.


#159037 - 02/10/04 10:57 PM Re: FFIEC Guideline
Anonymous
Unregistered

Thank you very much.

For the record, our processor is Fiserv. They state that PricewaterhouseCoopers LLP conducted an exam and has issued the Service Auditor's Report. They will charge $245 per copy to our invoice.

Are we required to have a copy of this on file?

#159038 - 02/10/04 10:59 PM Re: FFIEC Guideline
Anonymous
Unregistered

You beat me to my question.

It looks like we should have this on file.

#159039 - 02/10/04 11:00 PM Re: FFIEC Guideline
Pale Rider
10K Club
Joined: Aug 2002
Posts: 34,318
under the Lone Star
You will want to review the IT Handbook on Service Providers, but, in general, the guidelines imply that your bank will obtain and review the SAS70 and make sure that findings are monitored and corrective action implemented. I would object to the charge.
_________________________
Societies that do not find work in and of itself "pleasing to God and requisite to Man," tend to be highly corrupt.


#159040 - 02/10/04 11:06 PM Re: FFIEC Guideline
Michelle D
Gold Star
Joined: Oct 2001
Posts: 313
Terminator Country
Before you pay, check your contract and make sure that they aren't required to provide you with any and all SAS70s that are conducted. You should also have one on general IT controls.

If the requirement to provide SAS70s isn't in your contract, when it's up for negotiation - GET IT IN THERE!! But it's worth paying for from an exam perspective.
_________________________
The opinions are mine and do not necessarily reflect those of my employer.
