Regulatory Compliance, Governance and Security: July, 2008 archives


Jul 25 2008   3:00PM GMT

Data Centers & SAS70 Audits | How to Prepare for the Audit



Posted by: Charles Denyer
Compliance, Auditing, Sarbanes-Oxley, SAS 70, What is SAS 70?, SAS 70 download

Data centers are increasingly being called upon to be SAS70 Type I or Type II compliant. This stems primarily from the rapid growth of compliance legislation, along with the advent of many industries, particularly Software as a Service (SaaS), that require services from data centers and co-location entities. Moreover, today’s data centers provide a wide array of services, and as such, the clients using these very services often have to adhere to regulatory compliance mandates as well. Ultimately, this has a downstream effect that places data centers on the compliance radar, with SAS70 audits commonly being the default compliance tool used for evaluating their internal control structure.

Additionally, because no two SAS70 audits are truly identical, and because a SAS70 audit should be customized to reflect specific industry needs, it’s important to note what is considered an acceptable baseline scope for SAS70 audits on data centers. Thus, the areas of executive tone, human resources, incident management, change management, logical security, network security, physical security, environmental security, and computer operations form the basis of the audit for purposes of scope. Please keep in mind that this is a generally accepted scope, which can increase or decrease based primarily on what is driving the requirements for the audit itself.

To gain a greater understanding of your organization’s SAS70 needs, it would be helpful for you to learn what SAS70 is and also to obtain SAS70 sample reports, which are an excellent tool for learning more about this type of audit.

Jul 23 2008   2:53PM GMT

SAS70 Audit Guide | Section 6.0 | SAS70 Glossary of Terms



Posted by: Charles Denyer
Compliance, SOX, SAS 70, What is SAS 70?, SAS 70 download

If you want to learn about SAS70 Type I & Type II audits, then it’s a good idea to gain a thorough understanding of the terminology used for the SAS70 auditing standard. There is much technical jargon and many terms to master in order to truly understand SAS70 audits. Furthermore, the more fully you comprehend what these items mean, the better armed and prepared you will be for the audit.

The SAS70 glossary of terms serves to provide an understanding of the most common terms and phrases used not only by auditors, but also everyone involved in the SAS70 process. For example, do you truly understand the definition of internal controls? Do you know the difference between a service organization and a user organization? The SAS70 glossary will help define these differences.

Also, if you want to learn more about SAS70, such as pricing along with receiving SAS70 sample reports, then the official SAS70 resource guide is your one stop shop for learning all you need to know about this highly specialized auditing standard.


Jul 21 2008   6:23PM GMT

SAS70 Audit Guide | Section 5.0 | SAS70 Roadmap for Compliance



Posted by: Charles Denyer
Security, HIPAA, Compliance, Auditing, SOX, GLBA, Sarbanes-Oxley, regulatory compliance, audits, SAS 70, SAS 70 readiness questionnaire, What is SAS 70?, SAS 70 download, SAS 70 checklist, SAS 70 overview presentation

SAS70 Type I & Type II audits can be daunting indeed to many service organizations, but they shouldn’t be. The more you learn about what SAS70 is, the better prepared you will be for going through a SAS70 audit. Let’s start with the basics, that is, educate yourself on what a SAS70 Type I & Type II audit is, and what the differences are.

Furthermore, obtain SAS70 sample reports electronically to see what a final SAS70 service auditor’s report actually looks like. Additionally, learn about what it takes in the step-by-step process for undertaking a SAS70 audit. There are many different stages, activities, and deliverables that comprise a SAS70 audit, so it’s a good idea to educate yourself on what they are, when they occur, what to expect, and what the commitment is from your organization in terms of manpower and resources.

Beginning with a SAS 70 readiness questionnaire assessment, then culminating with the delivery of the actual service auditor’s report, you need to learn firsthand what’s involved for this type of an audit.

You can also learn more by visiting the official SAS70 resource guide, where a wealth of information is available, such as white papers on SAS70 along with current industry news affecting the auditing standard itself.


Jul 18 2008   1:55AM GMT

SAS70 Audit Guide | Section 4.0 | SAS70 Sample Reports



Posted by: Charles Denyer
Security, HIPAA, Compliance, Auditing, SOX, GLBA, audits, SAS 70, SAS 70 readiness questionnaire, What is SAS 70?, SAS 70 download, SAS 70 checklist, SAS 70 overview presentation

You can obtain SAS70 sample reports if you are interested in learning more about the SAS70 auditing standard. Many service organizations have to go through a SAS70 audit and would like to learn more about the auditing standard. Thus, a SAS70 Type II example report, which can be obtained from the official SAS70 Resource Guide, will give readers an in-depth understanding of the inner workings of a SAS70 audit, along with providing an excellent example of what the contents of a report are.

SAS 70 sample reports can also help better educate your organization on the auditing standard, ultimately giving you more knowledge and understanding of the audit when you begin the selection process of finding a CPA provider to conduct the SAS70 Type I or Type II audit for your organization.

Additionally, current white papers and information on relevant industry news are also available for learning more about SAS70 Type I and Type II audits. Current industries being heavily affected by the SAS70 auditing standard are financial services, information, and health care. The past decade has seen numerous federal laws implemented that have placed a large emphasis on security, privacy, and an organization’s overall control environment. What’s more, SAS70 audits have quickly become the default tool used to ensure service organizations are in compliance with these ever-expanding regulatory compliance laws.


Jul 13 2008   10:15PM GMT

SAS70 Audit Guide | Section 3.0 | What’s in a SAS 70 Report?



Posted by: Charles Denyer
HIPAA, Compliance, DataCenter, SOX, GLBA, Sarbanes-Oxley, regulatory compliance, SAS 70, SAS 70 readiness questionnaire, What is SAS 70?, SAS 70 download, SAS 70 checklist, SAS 70 overview presentation

A SAS70 report can be a daunting undertaking for many service organizations who have never gone through an audit of this type. Developed in 1992 by the American Institute of Certified Public Accountants (AICPA), SAS70 Type I and Type II audits are used for examining a service organization’s control environment.

Many companies often ask me what the end deliverable report looks like. Because of the loose flexibility of the auditing standard, I have to caution them that no two reports from different CPA firms for a SAS 70 audit will ever look alike. This is largely because the presentation of the audit findings allows CPA firms to illustrate them in any number of ways. However, even with that said, there are some fundamental topics and areas that need to be included in almost any SAS 70 Type II audit. A good reference would be to examine the SAS70 audit & overview presentation tutorial, which gives readers an excellent example of what SAS70 is and what’s in a report.

Additionally, visit the SAS70 resource guide where you can receive SAS70 sample reports for educational viewing.


Jul 11 2008   3:50AM GMT

SAS70 Audit Guide | Section 2.0



Posted by: Charles Denyer
Security, HIPAA, Compliance, Auditing, SOX, GLBA, regulatory compliance, SAS 70, SAS 70 readiness questionnaire, What is SAS 70?, SAS 70 download, SAS 70 checklist, SAS 70 overview presentation

SAS 70 audits have become a way of life for many in today’s ever growing regulatory compliance world. From financial services to healthcare and I.T., no industry is safe from the large and expanding compliance mandates being pushed out of Congress. Notable legislation, such as HIPAA, GLBA, and Sarbanes-Oxley have had a profound impact on many of today’s businesses.

Though SAS 70 audits are a considerable time and expense proposition for many service organizations, there are many positive attributes that can be taken from these audits. Most importantly, they help you identify weaknesses within your internal control structure. Second, they are a great marketing tool for attracting new business for your organization. And third, they help satisfy the growing compliance demands set forth by industry regulations that are being pushed on your organization by your clients’ auditors.

But before you can reap the benefits of SAS 70 audits, you need to learn about the auditing standard and what SAS 70 is. Visit the official SAS 70 resource guide, where you can obtain SAS 70 sample reports for free and read up on current industry news and how SAS 70 audits are affecting various business segments in today’s economy.


Jul 9 2008   2:27AM GMT

SAS70 Audit Guide | Section 1.0



Posted by: Charles Denyer
Security, HIPAA, Compliance, Auditing, SOX, GLBA, regulatory compliance, audits, SAS 70, SAS 70 readiness questionnaire, What is SAS 70?, SAS 70 download, SAS 70 checklist, SAS 70 overview presentation

The SAS70 audit guide is a series of reports that will help educate individuals on this widely used auditing standard that was developed in 1992. Section 1.0 gives readers a brief history of SAS 70 audits.

What’s important to note about the auditing standard is that its main purpose is to examine an organization’s internal controls or control environment. The auditing standard gained much traction within the last five years due to the passage of the Sarbanes-Oxley Act, known simply as SOX to many. At the time of its passage, no one probably knew the implications that section 404 of the SOX Act would have on SAS 70 audits. Needless to say, they have been extremely significant. Other regulatory legislation, such as HIPAA and GLBA, has also contributed to the rise of the auditing standard.

To learn more about SAS 70 audits, visit the official resource guide, where current white papers on the auditing standard can be read, along with SAS 70 pricing and the ability to obtain SAS 70 sample reports for educational purposes.


Jul 4 2008   8:40PM GMT

SAS70 | Definition of the Auditing Standard No. 70



Posted by: Charles Denyer
Security, HIPAA, Compliance, Auditing, SOX, GLBA, regulatory compliance, audits, SAS 70

SAS70 audits can be looked upon as an examination of an entity’s control environment. In more technical terms, a SAS70 Type I audit is used to report on controls placed in operation, while a SAS 70 Type II audit is used to report on controls placed in operation and the testing of their operating effectiveness.

Quickly, you can see the difference between a Type I and a Type II audit. A Type II audit’s testing of operating effectiveness essentially means that a testing period is undertaken when examining a service organization’s control environment. This is the main difference between a SAS70 Type I and Type II.

Keep in mind that Type II audits are commonly used for complying with section 404 of the Sarbanes-Oxley Act. Management (executives of user organizations, that is) must have assurances about their internal control environment; thus, many times a SAS70 Type II audit is required from service organizations who provide outsourcing functions for these very user organizations.

To learn more about what SAS70 is, visit the official SAS70 Resource Guide.


Jul 4 2008   2:19AM GMT

It’s a SAS 70 Jungle out There | Tips on Preparation



Posted by: Charles Denyer
Security, HIPAA, Compliance, Auditing, SOX, regulatory compliance, audits, SAS 70

From health care to financial services and I.T., SAS 70 Type I and Type II audits are having a significant impact in today’s ever-growing regulatory compliance arena. Many service organizations initially struggle with SAS 70 compliance, due in part to a large number of issues. These issues traditionally revolve around audit scope, SAS 70 pricing, time commitments, and other important matters.

What’s important to understand is that if your organization has become a SAS 70 candidate, it’s wise to educate yourself on this auditing standard, which was put forth by the American Institute of Certified Public Accountants (AICPA) in 1992.

A quality SAS 70 CPA firm, and there are many of them out there, will be able to effectively guide you through the major issues of SAS 70 audits (pricing, scope, time commitments, etc.) along with giving you a SAS 70 roadmap for compliance for ensuring the audit is completed in a cost-effective, efficient manner.


Jul 3 2008   1:24AM GMT

SAS 70 Audits | Tips on Getting a Fair Fee



Posted by: Charles Denyer
Security, HIPAA, Compliance, Auditing, SOX, regulatory compliance, audits, SAS 70

If your organization needs to embark on SAS 70 Type I or Type II compliance, here’s what you need to know about getting a fair, equitable fee from a CPA firm that proposes on the audit.

  • Discuss what the scope of the audit will be, that is, is it a general controls audit, or does the SAS 70 Type I or Type II audit proposal include provisions for examining specific business processes? This is vitally important because the organization requiring you to be SAS 70 compliant may very well have special provisions for the audit. Talk to your clients and communicate this to the CPA firms giving you a proposal.
  • Determine the testing time period of the audit, if a SAS 70 Type II is being conducted. Generally speaking, the longer the test period, the more testing will be done, thus the audit will be more costly. See if a six (6) month testing period will suffice for your client’s demands.
  • Once you have determined scope, make sure to discuss where and when testing will take place. The more physical locations the auditors have to visit, then the more costly the audit will be. You may be able to test for the audit at one central location, so be sure to come to an agreement on this early.
  • Make sure the proposal is a fixed fee. In today’s economy, with rising gas, food, and transportation costs, any non-audit, out-of-pocket fees can become quite costly. A fixed fee will help mitigate some of these unknown, variable costs.
  • To learn more about SAS 70 audits or to receive SAS 70 sample reports, visit the official SAS 70 Resource Guide.