Do You Really Need a SAS 70 on a Lockbox?

SAS 70 audits–attestations by a company's auditors as to the robustness of its internal controls–are nothing new for Mellon Bank. Thanks to one big and influential client–the federal government–Mellon was conducting SAS 70 audits of its lockbox operation twice a year long before such reviews were required as part of the Sarbanes-Oxley Act. The big difference today: Uncle Sam is not the only one asking.

It's not as if treasurers have been standing in line. But Blaine Carnprobst, Mellon's first vice president and lockbox product manager, describes demand from corporate clients for the statements as "certainly more than trivial."

Other banks report the same. "So far, we've had about 100 customers request it," reports Steve Stone, senior vice president for treasury operations at PNC Corp. That's out of a base of 3,000 lockbox customers.

The question is, however, do treasurers need them? And the answer–as it has often been during the first year of Section 404 SOX compliance–is: Maybe yes, maybe no.

Most major lockbox providers have asked their auditors to prepare such statements, after a few cautious treasurers began to make inquiries. While banks say this represents a substantial expense, it is not one that is generally being passed on to customers. The audits come in two types–Type 1, which validates bank procedures, and Type 2, a more extensive review that audits how those procedures are followed. "There are two schools of thought among treasurers about SAS 70 forms," PNC's Stone observes. "Some think the lockbox is a critical part of their financial performance and must be documented. Others think they monitor lockbox operations so closely that they have a handle on the process and controls."

So let's go to the audit experts. According to Anne Marchetti, practice director for governance and risk management at Parson Consulting, nearly every public company should request a SAS 70 Type 2 letter from its lockbox bank. "You're outsourcing parts of your cash application or processing on which cash application depends, and cash application definitely has a material impact on your financial statements," she says. "You should have documentation of the bank's processes and controls. There may be a few exceptions, but there won't be many."

Jennifer Meiselman, director of BridgeMark Risk Consulting, a division of BDO Seidman, couldn't disagree more. "If the bank was coding transactions straight to general ledger accounts, that might make a SAS 70 statement useful, but that's not what most lockbox services do," she says. "It would be useful only in exceptional situations."

The bottom line of the debate: SAS 70s on your lockbox may be overkill, but since they're free, it may not hurt to ask.

© 2025 ALM Global, LLC, All Rights Reserved.