1. The CPA firm-Are you looking for brand recognition or are you looking for a cost-effective provider which can simply help you “check the box” for SAS 70 compliance.

2. Scope-What is being examined and tested from a control perspective for SAS 70 audits? Are you looking for just a general controls audit or an audit that also includes specific business processes?

3. Testing period: For SAS 70 Type II audits, what is the testing period going to be? The longer the test period, the more the audit will cost as auditors have to pull larger samples, do more testing, etc.

4. Location of testing: How many physical areas does your organization have that will fall under the scope of the SAS 70 audit? Having more than one means that auditors will ultimately have to travel to numerous locations to conduct more testing. Again, more locations, more time, money, and expenses out of your pocket for the audit itself.

5. Are you confident you can obtain SAS 70 compliance without conducting a SAS 70 readiness assessment? If not and you need assistance identifying weaknesses and gaps within your control environment, then expect to spend more time, money, and resources on the front end of a SAS 70 audit for preparing in an adequate manner.

As you can see, there is no quick, easy, black and white answer to the cost of a SAS 70 Type I or Type II audit.

To learn more about statement of auditing standards no. 70, visit the official sas 70 resource guide, where you can obtain a wealth of information on sas 70 audits.

Furthermore, some firms even offer free SAS 70 Readiness Assessment questionnaires for helping your organization prepare and undertake the audit itself. What’s more, quality CPA firms can develop templates that are highly customized to your specific industry, thus adding even more value to the SAS 70 Readiness Assessment phase. As the old saying goes, you crawl before you walk, it’s wise to conduct a SAS 70 Readiness Assessment before embarking on the actual audit process.

To learn more about SAS 70 audits, visit the official SAS 70 Resource Guide, where you can obtain a wealth of information on SAS 70 audits.

Okay, so, why is it here to stay? Well, for a number of reasons. First and foremost, it will always be used as an audit tool for evaluating service organization’s that could have a material impact to a company’s “information system”-This term, “information system” is used to describe the user organization’s “information system”, that is, what services are being performed by the service organization that are considered a part of the user organization’s “information system”. Transactions, procedures (be it manual or automated), supporting information, the capturing of events and conditions-are all considered traits and activities that relate to, have an effect, and impact the user organization’s “information system”.

Second, the SAS 70 auditing standard has been quite flexible, adapting to the needs of service organizations that must have their control environment examined. Witness the numerous times the SAS 70 auditing standard has been amended over the last 16 years to keep “pace” with the changes of business.

Third, the SAS 70 auditing standard has become very quickly recognized as the global de facto audit for internal controls on service organizations. In short, it has built up quite a following that is simply very hard to ignore.

To learn more about SAS 70 audits, visit the official SAS 70 Resource Guide.

Okay, once again here, the key phrase is “current network diagrams”. What does this essentially mean? It means having a subject matter expert within your I.T. department developing a current network diagram and topology documents showing all critical connection points along with a visual of all critical hardware and network components that make up the network topology. More importantly, these diagrams and network topology documents should be current and updated on a quarterly basis to reflect overall changes in the network layout of the organization. Keep in mind that these documents will also be valuable for other regulatory compliance mandates, such as a SAS 70 Type II audit, which many merchants and service providers have to have at some point in their business lifecycle.

And though the requirement for PCI DSS 1.1.2 calls for these network diagrams for only “connections to cardholder data” its a very good and wise idea to draw and map out your organization’s entire network topology. Why? Because it just makes good business sense and again, it helps with other regulatory compliance mandates that your organization may have to endure.

To learn more about SAS 70 audits, visit the official SAS 70 Resource Guide
To learn more about PCI DSS compliance, visit pciassessment.org

The key phrase here my friends is “formal process”. What does that really mean? It means having documented policies and procedures in place for approving and testing connections/changes to these critical devices. Easier said than done as most organizations do not have the time or resources to formally write out documented policies and procedures. Beware, as this is a very large part of ensuring PCI DSS compliance. To learn more about PCI DSS and documented policies and procedures for PCI DSS compliance, visit pciassessment.org.

One of the main benefits of a PCI DSS Readiness Assessment is the ability to identify gaps, deficiencies, and core weaknesses that will be need to be strengthened and corrected before obtaining any type of PCI DSS assessment from a Qualified Security Assessor Company, commonly known as a QSAC. Learn more about a PCI DSS Readiness Assessment at pciassessment.org

It seems likely that many other states will follow in the footsteps of MN, TX, and CA. Thus, merchants and service providers should be aware that they will be soon, if not already, under the compliance radar regarding PCI DSS compliance.

To learn more about Payment Card Industry Data Security Standards (PCI DSS) compliance, visit pciassessment.org

First and foremost, make sure to get a “fixed fee” for the SAS 70 engagement a fixed fee includes all out of pocket, travel, and other miscellaneous expenses that are incurred by the auditor for purposes of conducting the audit. More and more firms are moving to the fixed fee model, so take advantage of this type of pricing.

Second, scope greatly determines the price of the SAS 70 audit, so be sure to properly scope the audit. That means answering the who, what, when, where and why for the audit. Who needs the report and are there any specific requirements they are looking what. What is the audit test period. When will testing be done. Where will testing be done, such as what facilities will be part of the SAS 70 audit scope. These are all important points to cover when assessing scope for a SAS 70 Type I or SAS 70 Type II audit.

To learn more about SAS 70 audits, what is a SAS 70 and to obtain a wealth of information on the auditing standard itself, then visit the official SAS 70 Resource Guide.

Second, you will need to find a qualifed QSAC (Qualified Security Assessor Company) that can assist you with all levels of PCI compliance, regardless of what level you fall under. Third, you will need to have the QSAC conduct a PCI DSS readiness for understanding your cardholder transaction environment and what gaps, holes, and deficiencies you may have that could hinder the overall PCI DSS assessment process. Easier said than done? It sure is, as most companies are good at what they do, but are very weak in having documented policies and procedures in place for PCI DSS compliance. I stress this because it is one of the biggest and most often overlooked areas of PCI DSS compliance. While we all get carried away talking about firewalls, routers, anti-virus, DMZ, etc, many times organizations fail to recognize the importance of documented policies and procedures.

To learn more about PCI DSS compliance, visit pciassessment.org