Gone through both as well as a couple of Systrust categories. SAS70, in general, was not as strict as SOX. Ours did a review of access, as indicated by kc, but remediation was left up to our organization. This is unlike SOX where the review was done and specific remediation steps were proposed.