Sister CISA CISSP

Jul 15 2008   6:34PM GMT

SAS 70 Reports – Reading What You’re Getting – From The First Page On



Posted by: Arian Eigen Heald
Tags: Admins and Auditors, IT audit, SAS 70, Security

So you have this report from the company you’ve outsourced a critical financial service to, and it looks like a lot of boilerplate with a chart of sorts at the end. What are all those sections for, and why should you care?

First, determine that the company performing the report is a certified public accounting firm. This is the only legal entity permitted to perform a SAS 70 type audit, regardless of whether it is a Type 1 or a Type 2. Other firms can perform SAS 70 “readiness assessments,” but not the SAS 70 exam itself.

The first page can tell you whether it is a Type 1 or Type 2 audit. The subtitle:

Report on Controls Placed in Operation
and Tests of Operating Effectiveness
Prepared in Accordance with
Statement on Auditing Standards No. 70

indicates a Type 2 by virtue of the statement “Tests of Operating Effectiveness.” If you’ve read a previous column, you know that a Type 2 looks at controls and tests those controls. That’s a Good Thing.

The next thing you should see on the first page is an indicator of when the controls were tested. The date range is commonly a year, but it can also cover a six- or nine-month period. This means the auditors have tested controls over that time period to see if they were actually in place and effective.

Consider how long ago that date range was. Some organizations will attempt to use a SAS 70 report that is two or three years old. Regrettably, some auditors will take 4-6 months to issue a report – which can mean that what you’re looking at has limited value. The longer the period from the actual test of controls, the less value the report has, because it cannot report on the current state of controls.
