Sep 26 2008 5:45PM GMT
Posted by: Charles Denyer
sas70 readiness assessment questionnaires,
regulatory compliance,
SAS 70,
sas70,
sas70 sample reports
SAS70 auditing has become a staple in today’s growing regulatory compliance world. As such, I have put together a list of questions and answers on the SAS70 issues that I am commonly asked about:
1. How much does a SAS70 audit cost?
That depends on a number of issues, such as the scope of the audit, whether you are required to be SAS70 Type I or Type II compliant, and whether your organization has ever had a SAS70 audit conducted before. However, do remember this: get a FIXED FEE for the audit, that is, make sure all out-of-pocket and travel expenses are included in the FIXED FEE.
2. We have never had a SAS70 audit done before, what and where is the best place to start?
Start with a SAS70 Readiness Assessment, a series of highly customized questionnaires that help guide and facilitate the overall SAS70 audit process for your organization. You don’t go from first to third without a pit stop at second. The same theory holds true for SAS70 audits: don’t jump right into a SAS70 Type I or Type II without conducting preliminary work and analysis on your controls, your manpower, and the overall audit process. Get a SAS70 Readiness Assessment done; it will prove invaluable. You can even obtain free SAS70 Readiness Assessment questionnaires from the official SAS70 Resource Guide, developed by NDB Accountants and Consultants.
3. Can you fail a SAS70 audit?
Technically, you can be given a “qualified” or adverse opinion on the audit. However, if you go through a SAS70 Readiness Assessment and learn from the deficiencies you have found, your organization should be able to successfully get a clean, “unqualified” SAS70 opinion.
Want to learn more about SAS70 audits? Then ask for a complimentary SAS70 Type II audit report. You will learn much about the auditing standard from this report.
Sep 26 2008 5:33PM GMT
Posted by: Charles Denyer
sas70,
managed services,
co-location,
data centers,
SAS 70,
sas 70 type ii,
sas70 sample reports
SAS70 audits have quickly become a mainstay in the world of data centers, managed services and co-location entities, and this will no doubt continue to grow. This is happening for a large number of reasons, but primarily because data centers (and any variant thereof, such as managed services and co-location entities with “ping, power and pipe”) are hosting and housing an ever-growing and enormous amount of information for many service providers. These service providers are commonly being asked to be SAS70 Type II compliant. As such, the data centers used by these very service organizations are commonly included within the scope of the SAS70 audit.
And what should data centers take from this? A good idea would be to become SAS70 compliant, and here’s why.
1. SAS70 compliance helps mitigate and possibly eliminate many of the specialized requests your clients make to help facilitate their own SAS70 compliance.
2. It greatly helps with business development and marketing for data centers.
3. It helps unearth any weaknesses or deficiencies you may have within your control environment.
To learn more about SAS70 audits and data centers and to receive a complimentary SAS70 Type II audit report, visit the official SAS70 Resource Guide.
Sep 26 2008 5:18PM GMT
Posted by: Charles Denyer
sas70 pricing,
sas 70 type i,
sas 70 type ii,
sas70,
sas70 sample reports
SAS70 pricing for Type I and Type II audits is still a hot topic for regulatory compliance these days, and for good reason. The huge rise in SAS70 audits over the past five years has created a true need for accountants and auditors to perform these specialized audits. As a SAS70 auditor for many years now, I have noticed some interesting trends regarding SAS70 pricing, along with my thoughts on where they will be going.
First and foremost, SAS70 pricing has gradually moved towards a “Fixed Fee”, that is, a SAS70 audit price that also includes travel and any out-of-pocket miscellaneous expenses. If your organization is looking to become SAS70 compliant, then get a fixed fee for all the proposals you receive.
Prices are coming down. Five years ago, only a handful of accounting firms conducted SAS70 audits. Have you taken a look at Google lately to search for the term “SAS70”? WOW, CPA firms are everywhere! Well, that’s good news for service organizations looking to become SAS70 Type I or Type II compliant.
Pricing will probably stabilize. For a good-quality, reputable SAS70 firm, SAS70 Type I and Type II fees are becoming very reasonable. What’s more, good firms have also figured out a way to do more and more work remotely, thus minimizing business interruption for their clients.
To learn more about SAS70 pricing or to receive a complimentary SAS70 Type II audit report, visit the official SAS70 resource guide at www.sas70.us.com
Sep 21 2008 5:08PM GMT
Posted by: Charles Denyer
glossary of auditing terms sas 70,
SAS 70,
sas 70 type i,
sas 70 type ii,
sas70
Want to think and talk like a SAS70 auditor? Well, if you are a service organization that will soon be undergoing a SAS70 audit, then it’s a good idea to gain an understanding of some of the most commonly used terms for Statement on Auditing Standards No. 70. Do you know the difference between the terms “service organization” and “user organization”? How about Statement on Auditing Standards No. 55 and its importance to SAS70 Type I and SAS 70 Type II audits? The more of these key phrases and terms you know, the better prepared you will be to assist your company in going through a SAS70 audit.
What’s more, if you are currently in the proposal phase and looking to find a qualified SAS70 CPA firm to conduct the audit, then your understanding of these key terms and phrases will ultimately help you better scope the audit, giving way to a fair and equitable fee for your company.
Learn about key SAS70 phrases and become a knowledge base for you and your organization regarding SAS70 audits.
Sep 21 2008 5:01PM GMT
Posted by: Charles Denyer
sas 70 rfp,
corporate governance,
regulatory compliance,
sas 70 type i,
sas 70 type ii,
sas70
SAS70 audits can be seen as expensive, time consuming, and arduous, to say the least. What’s important to note, though, is that a SAS70 audit can be seen as a great tool for helping promote and grow your business. Just take a look at the heightened regulatory compliance and corporate governance arena we now live in. Need further proof? Have you noticed how many requests for proposals (RFPs) put out to service organizations now require a SAS70 Type II audit report if you want to even be CONSIDERED a viable outsourcing entity?
Sure, they can be time consuming and expensive, but if they help your business grow, and they have done just that for many service organizations, then they should be looked upon as an effective value proposition for your business.
From an operational standpoint, SAS70 Type I and SAS70 Type II audits help you greatly understand your system of internal controls, where you are weak, where your controls are strong, and what has been unearthed during the SAS70 process to help your organization in becoming an entity that truly values controls at all levels throughout your organization.
Want to learn more about SAS70 audits, such as what a SAS70 really is? Then visit the official SAS70 resource guide.
Sep 21 2008 4:51PM GMT
Posted by: Charles Denyer
sas 70 control objectives,
sas70,
sas70 sample reports,
sas 70 type i,
sas 70 type ii
As a SAS70 auditor, I am often asked by organizations how control objectives are developed. Technically, it is the service organization’s responsibility to develop SAS70 control objectives. However, in reality, it’s looked upon as a collaborative effort by a number of parties involved in the overall SAS70 audit process.
Here’s how it works in theory.
Service organizations that are new to the SAS70 audit process will generally seek guidance and assistance from the CPA firm that will ultimately be conducting the SAS70 audit. This is common because the CPA firm has years of experience in conducting SAS70 Type I or Type II audits and will thus be able to give a service organization a set of industry-accepted SAS70 control objectives to use as a starting point. The service organization can then customize these if they desire, use them as they are in an off-the-shelf mode, or design their own control objectives. Generally, most service organizations tend to “adopt” the control objectives put forth by the CPA firm, along with making slight modifications or adding some specific control objectives based on audit scope and/or certain requirements from clients and/or user organizations who are ultimately requesting the SAS70 audit.
To learn more about SAS70 audits, visit the official SAS70 resource guide where you can obtain an actual SAS70 Type II audit report for gaining a greater understanding of what a SAS70 actually is.
Sep 20 2008 4:32PM GMT
Posted by: Charles Denyer
Business Continuity Disaster Recovery,
BCM,
BCDR,
SAS 70,
What is SAS 70?,
sas70,
sas70 sample reports
SAS70: I’m often asked about Business Continuity & Disaster Recovery (BCDR) when preparing a new client for a SAS70 Type I or Type II audit. Specifically, they ask me if it is a requirement for a SAS70 audit and what they should be doing in order to adequately prepare and document a BCDR strategy and plan.
Technically, NO, BCDR or any variation thereof (also commonly known as BCM, etc.) is NOT a requirement for testing for a SAS70 audit, based purely on the amended SAS70 publication of 2005 and 2007 that states a “plan is not a control objective”, thus BCDR and BCM Plans are not included in the scope of the SAS70. That’s the technical NO answer.
In theory, many auditors would say that YES, a BCDR or BCM plan should be in scope and should have a control objective in place for testing for the plan.
Regardless of which decision the auditor makes, it’s paramount that service organizations have a working and documented BCDR or BCM plan in place. It just makes good business sense.
To learn more about what SAS70 is, visit the official SAS70 resource guide where you can receive a complimentary SAS70 Type II audit report.
Sep 20 2008 2:23PM GMT
Posted by: Charles Denyer
Security,
audits,
SAS 70,
SAS 70 checklist,
SAS 70 readiness questionnaire,
sas70,
sas70 sample reports
As a SAS70 auditor, I’m often asked about how organizations should prepare for a SAS70 audit. In fact, companies and organizations alike commonly ask me for a SAS70 checklist. I simply reply by asking: a checklist for what? On how to prepare for the audit, on what the audit scope is, etc.? You see, the phrase SAS70 checklist is just too broad and vague.
What organizations really need to do for preparing for a SAS70 audit is to conduct a SAS70 Readiness Assessment, which essentially covers a broad range of topics and subject matter for a SAS70 Type I or SAS70 Type II audit. In fact, a SAS70 Readiness Assessment will help your organization truly understand what a SAS70 audit is, how an organization actually undertakes this type of audit, along with other essential activities. Here’s an example of the core functional areas that a SAS70 Readiness Assessment would cover within an organization. Please keep in mind that this is a general reference and scope can change based on the SAS70 audit itself. But by and large, any reputable CPA firm helping you with a SAS70 Readiness Assessment will almost surely include these areas:
* Organization and Administration: Executive Tone & Human Resources
* Incident Management
* Change Management
* Logical Security
* Network Security
* Physical Security
* Environmental Security
* Computer Operations
* Business Continuity and Disaster Recovery Planning (BCDRP)
To learn more about SAS70 audits, visit the official SAS70 Resource Guide, where you can receive a sample SAS70 audit report.
Sep 8 2008 4:04PM GMT
Posted by: Charles Denyer
Sarbanes-Oxley,
Security,
audits,
Compliance,
regulatory compliance,
sas70,
sas70 sample reports
If your company needs to be SAS70 compliant, then a good start is to learn about what a SAS70 audit is and what the difference is between a SAS70 Type I and a SAS70 Type II audit report.
In short, a SAS70 Type I is simply an audit that is a snapshot in time; an audit for a particular day. For example, a Type I report would be given a date of August 31, 2008.
A SAS70 Type II audit report is a report that will test the operating effectiveness of those controls over a time period, traditionally six (6) months. For example, a SAS70 Type II report would cover a period from January 1, 2008 to June 30, 2008.
It is important to note that a SAS70 Type II is what the market is calling for, that is, it suffices for Sarbanes-Oxley compliance and is looked upon as a far superior audit to a SAS70 Type I report.
A good way to learn more about SAS70 audits is to obtain a SAS70 sample report, whereby you can read and understand what the major components and parts of a final report are.