Aug 27 2008 12:05PM GMT
Posted by: Charles Denyer
Tags: SAS 70, SAS 70 readiness questionnaire, SAS 70 checklist, sas70, sas70 sample reports
The tremendous growth of SAS 70 audits has been felt in many industries, requiring service providers (commonly known as service organizations in the SAS 70 world) to undergo an annual SAS 70 Type II audit. If your organization is new to the SAS 70 audit process, here are some helpful tips for finding the right firm and a fair fee, along with other important considerations regarding Statement on Auditing Standards No. 70.
1. Find a firm that specializes in SAS 70 audits. This is not too terribly difficult, as there are many firms out there providing this specialized audit service.
2. Make sure the firm has industry experience, not just general SAS 70 experience. Sounds easy, but it would be wise to pick a firm that has conducted SAS 70 audits in your industry and thus has a working knowledge of your operations and what to expect.
3. Define the scope EARLY. Make sure your organization and the CPA firm conducting the SAS 70 audit come to an understanding very early on regarding the scope of the audit. Too small a scope and the SAS 70 audit may have little value. Too large a scope and you may be spending more time, money, and effort than is needed.
4. Get a fixed fee for the audit. That’s right, make sure the proposal you receive is fixed, meaning it includes all out-of-pocket and travel-related expenses. A non-fixed fee proposal will likely tack on an additional 20% for out-of-pocket fees.
5. Ask for templates and questionnaires so you can conduct your own SAS 70 Readiness Assessment. Many CPA firms charge for this service, but some firms are willing to give you the templates free of charge. It’s a great tool for audit preparedness and for completing the SAS 70 audit successfully.
To learn more about Statement on Auditing Standards No. 70 or to receive a sample SAS 70 report, visit the official SAS 70 Resource Guide.
Aug 26 2008 8:05PM GMT
Posted by: Charles Denyer
Tags: Compliance, SaaS, Software as a Service, regulatory compliance, SAS 70, sas70, sas70 sample reports
The Software as a Service (SaaS) industry and SAS 70 audits actually have quite a bit in common. First and foremost, both the SAS 70 auditing standard and the SaaS industry have seen explosive growth in the past five years, thanks in large part to regulatory compliance and the advent of technology. Second, from a compliance standpoint, SaaS providers are increasingly being required to be SAS 70 Type II compliant.
The sheer nature of the SaaS industry has forced the SAS 70 auditing standard’s requirements onto many SaaS providers. What’s more, what may once have been perceived as a market edge or a compliance luxury is now a must-have: SaaS providers either obtain a SAS 70 audit or lose potential clients and future prospects.
If you are an organization falling under the SaaS industry label, there are a few helpful things you can do to get ready for a SAS 70 audit:
1. Find a firm that truly understands the SaaS industry; it can be complicated due to the nature of the industry itself.
2. Find a firm that will give you a fixed fee for the audit. That’s right, no need to pay additional out-of-pocket expenses to the auditor. Most reputable firms are now moving towards the fixed fee mentality, so your checkbook should too.
3. Make sure you define the scope early with the CPA firm doing the audit. The SaaS industry has many providers and outsourcing entities that could potentially be in scope for the audit of your company. From data centers to external, third-party managed security providers, you and the CPA firm need to nail down who and what is included in the scope. This will have a sizable impact on the time, fees, and man-hours needed to complete the audit.
To learn more about SAS 70 audits, visit the official SAS 70 Resource Guide, where you can receive sample SAS 70 reports for review.
Aug 26 2008 7:43PM GMT
Posted by: Charles Denyer
Tags: SAS 70, SAS 70 download, sas70, GLBA privacy rule, GLBA safeguards rule
The Gramm-Leach-Bliley Act, commonly known as GLBA, has certain provisions that require organizations such as financial institutions (banks, online trading entities) to protect confidential consumer information. Unfortunately, like much of the legislation that comes out of the halls of Congress, it can be quite vague, leaving the organizations subject to it to implement it as they see fit. Just look at HIPAA: more than a decade later, it is still looked upon as a large, encompassing, and bureaucratic law that is still being defined.
GLBA has gained some clarity in the past few years, thanks in part to the rise of the SAS 70 auditing standard along with the advent of the Sarbanes-Oxley Act of 2002. In short, SAS 70 audits are compliance audits conducted on organizations (known simply as “service organizations”) to ensure they have a strong system of internal controls. Financial institutions that sell and offer services to consumers that are “financial” in nature must be in compliance with the GLBA provisions.
One of the best ways to test for GLBA compliance is to have a SAS 70 Type II audit conducted on the financial organization that is offering financial products or services to the consumer. To learn more about GLBA and SAS 70, learn about the Privacy Rule of GLBA and SAS 70 and learn about the Safeguards Rule of GLBA and SAS 70.
Aug 26 2008 12:36PM GMT
Posted by: Charles Denyer
Tags: Sarbanes-Oxley, regulatory compliance, SAS 70, sas70, sas70 sample reports, section 404 sox
The relationship between Sarbanes-Oxley and SAS 70 begins with Section 404 of the 2002 Sarbanes-Oxley Act (SOX). Because management must report annually on the effectiveness of its internal controls, it has a fiduciary responsibility and a requirement to inspect the controls considered critical to the organization as a whole, but more importantly, to its financial reporting process. Because a large number of publicly traded companies outsource a host of services, these outsourcing providers, known simply as “service organizations”, are considered an integral component for purposes of financial reporting. Therefore, a due-diligence process must be enacted to have their internal controls observed and certified. The Securities and Exchange Commission’s (SEC) Chief Accountant and the Division of Corporation Finance have stated that “In many situations, a registrant relies on a third party service provider to perform certain functions where the outsourced activity affects the initiation, authorization, recording, processing or reporting of transactions in the registrant’s financial statement. In assessing internal controls over financial reporting, management may rely on a Type 2 SAS 70 report.” What’s just as important is that this relationship between SAS 70 and Section 404 of the SOX Act has kicked off a regulatory compliance push to which, quite frankly, there is no end in sight.
To learn more about SAS 70 audit or to receive a sample SAS 70 Type II report, visit the official SAS 70 Resource Guide.
Aug 26 2008 12:25PM GMT
Posted by: Charles Denyer
Tags: PCI DSS, PCI, pci compliance, SAS 70, sas70, sas70 sample reports
If your organization is required to be SAS 70 compliant and also to obtain a PCI DSS assessment, then it’s time to think about creating efficiencies of scale when conducting both the SAS 70 audit and the PCI compliance assessment.
By no means are there perfect synergies; rather, the SAS 70 and the PCI DSS can each assist the other when it comes to preparing deliverables for auditors. Here’s how it works. Auditors create “prepared by client” (PBC) lists, which are in essence a wide assortment of documents, materials, and other deliverables needed for an audit and that must be prepared by the client. My advice is to schedule the PCI DSS assessment before the SAS 70 audit, then reuse many of the samples pulled for the PCI DSS assessment in the SAS 70 audit, provided the time periods are applicable. Better yet, fieldwork for the SAS 70 audit and the PCI DSS assessment could be conducted in close proximity or even overlapping. The point to make is this. Compliance audits or assessments (as we’ve been told to call the PCI DSS during training: an “assessment”, not an audit!) generally ask for similar information in some shape or form. Working with an auditor who truly knows both the PCI DSS and the SAS 70 auditing standard will save you a lot of time, headaches and money. Though it’s not a 2-for-1, it does create a high level of efficiency which any organization requiring both a SAS 70 and a PCI DSS should consider.
To learn more about SAS 70 audit or to receive a sample SAS 70 report, visit the official SAS 70 Resource Center.
To learn more about PCI DSS assessments, visit the official PCI resource center.
Aug 26 2008 11:23AM GMT
Posted by: Charles Denyer
Tags: Sarbanes-Oxley, regulatory compliance, SAS 70, SAS 70 readiness questionnaire, SAS 70 download, sas70, sas70 sample reports
SAS 70 audits are being performed on many service organizations in today’s growing regulatory compliance economy. From federal legislation such as Sarbanes-Oxley to HIPAA, the SAS 70 auditing standard has been pushed to the forefront of the business arena. It’s becoming such a big requirement now that many requests for proposals (RFPs) demand that a service organization be SAS 70 compliant even to bid on work or submit a proposal.
So let’s erase some myths and misconceptions about the SAS 70 auditing standard. First and foremost, the audit can be done in an efficient, cost-effective manner, provided you find a firm that has a good working knowledge of the SAS 70 auditing standard AND your industry. Put both of those variables together, and you should get a good fee from a quality auditor who truly knows what they are doing.
Secondly, you don’t have to do a SAS 70 Type I first if you need a SAS 70 Type II. Why waste thousands of dollars on a Type I when it’s not really what you needed? Some CPA firms will try to sell you the full package, often including a Type I by stating it’s needed to begin the audit process. What you need to start with instead is a SAS 70 Readiness Assessment, which will get your organization up to speed and ready for the actual SAS 70 Type II audit.
Lastly, SAS 70 audits can be a reasonable financial proposition if you use an experienced firm with a working, scalable model, resulting in efficiency and cost-effectiveness.
If you want to learn more about SAS 70 audits, visit the official SAS 70 Resource Center, where you can receive SAS 70 sample reports for review.
Aug 26 2008 11:10AM GMT
Posted by: Charles Denyer
Tags: HIPAA, SAS 70, SAS 70 download, sas70, Third Party Administrator, TPA
As a SAS 70 auditor for many years, I’ve seen a huge increase in the number of third party administrators (TPAs) that are required to go through a SAS 70 Type I or SAS 70 Type II audit. Many of these TPA organizations are considered small, with limited budgets, thus they voice a great deal of frustration about the time and costs of this highly specialized audit process. What’s worse, many feel the value of the audit is simply lacking, as many CPA firms do not have the knowledge or background sufficient for auditing a Third Party Administrator (TPA).
With that said, it’s important that you properly assess the CPA firm for its overall expertise and knowledge of TPAs. The term TPA is a broad and much overused term, based on the fact that many organizations “administer” some kind of business function or claim, ranging from property and casualty to self-funded health and benefits claims.
When assessing a CPA firm, ask them how many SAS 70 audits they have conducted on a TPA, and also ask them if they can provide you with a SAS 70 sample report, whereby you can actually see and visualize their expertise.
Also, ask them for a fixed fee, as SAS 70 pricing is now becoming a very important issue for budget-minded Third Party Administrators (TPAs).
To learn more about SAS 70 audits, visit the official SAS 70 Resource Guide, where helpful information awaits any interested reader.
Aug 18 2008 3:30PM GMT
Posted by: Charles Denyer
Tags: Compliance, pci compliance, SAS 70, What is SAS 70?, sas70, pci dss qsa
Many organizations are now being required to be SAS70 and PCI DSS compliant. With that said, I am often asked where the synergies or overlaps are between a SAS70 audit, which can only be done by a CPA firm, and a PCI DSS assessment, which can only be done by a qualified PCI QSA individual.
My answer to this is yes, IF and only IF, you obtain services from an individual or a firm who is both a CPA and a qualified PCI QSA individual, AND who produces both high quality SAS70 audits and PCI DSS assessments. The SAS70 auditing standard is rather loose, so it’s incumbent upon the firm issuing the SAS70 report to produce a report that is high quality. High quality means a report that covers all essential baseline elements considered for a SAS70 audit, which should include substantial testing for network security and logical access. If done correctly, you will see an overlap with other areas within the PCI DSS assessment. So, this is the yes answer. If you engage two different firms, one to do the SAS70 audit, the other to do the PCI DSS assessment, then you can have conflicting views on what each report should contain. In short, the synergies occur when you use one firm to do both the SAS70 audit and the PCI assessment.
For more information on Payment Card Industry compliance, visit the official PCI website.
For more information on SAS70 audits, visit the official SAS70 Resource Guide website.
I have also created a SAS70 and PCI DSS Gap analysis, which shows the overlapping areas.
Aug 3 2008 2:49PM GMT
Posted by: Charles Denyer
Tags: Security, HIPAA, Compliance, Auditing, GLBA, Sarbanes-Oxley, regulatory compliance, audits, payment card industry, PCI, SAS 70, qsa, sas70, sas70 sample reports
SAS70 audits have grown tremendously in the past five years, largely due to the explosive growth of federal regulatory compliance laws and legislation. Interestingly, Payment Card Industry (PCI) compliance has also received much attention of late, particularly with the recent breaches of security in a number of well-publicized cases.
I’m often asked by organizations that have to be SAS70 & PCI compliant if these two audits can be a 2-for-1, that is, can I conduct SAS70 fieldwork and also hopefully piggyback off of that work to help augment a marginal part of the PCI compliance examination for QSA?
There are synergies that can be created, allowing an experienced auditor to use his or her best judgment in creating them. If you look at the 12 core areas of PCI compliance, you can extract elements from these very requirements that would most surely be included in a good, quality, comprehensive SAS70 audit. I stress “good, quality” audit because the looseness of the SAS70 standard allows auditors to employ vastly different methodologies.
For example, it could be argued that PCI Requirement #9, “Restricting Physical Access to Cardholder Data”, is very much in line with a common SAS70 control objective for “Physical Security”. Remember this: there are only so many regulatory compliance and governance laws that can be pushed forward before they start to become overlapping and redundant to a certain degree.
If you can find a quality firm that does both SAS70 auditing and PCI QSA compliance, then it would be most beneficial to create these synergies for the audit.
One of the most valuable tools I recently created was a SAS70 & PCI Gap analysis, showing you the overlapping features of both audits and allowing any firm to create these very efficiencies for these compliance examinations.
For more information on SAS70 audits, or to receive SAS70 sample reports, please visit the official SAS70 Resource Center.