As a SAS70 auditor, I am often asked by organizations how control objectives are developed. Technically, it is the service organization's responsibility to develop its SAS70 control objectives. In reality, however, it is a collaborative effort among the parties involved in the overall SAS70 audit process.
Here's how it works in practice.
If you are new to the SAS70 audit process, your service organization will generally seek guidance and assistance from the CPA firm that will ultimately be conducting the SAS70 audit. This is common because the CPA firm has years of experience conducting SAS70 Type I and Type II audits and can give the service organization a set of industry-accepted SAS70 control objectives to use as a starting point. The service organization can then customize these, use them as they are, or design its own control objectives. In practice, most service organizations "adopt" the control objectives put forth by the CPA firm, making slight modifications or adding specific control objectives based on the audit scope and on requirements from the clients or user organizations who are ultimately requesting the SAS70 audit.
To learn more about SAS70 audits, visit the official SAS70 resource guide, where you can obtain an actual SAS70 Type II audit report to gain a greater understanding of what a SAS70 actually is.
I'm often asked about Business Continuity and Disaster Recovery (BCDR) when preparing a new client for a SAS70 Type I or Type II audit. Specifically, clients ask whether it is a requirement for a SAS70 audit and what they should be doing to adequately prepare and document a BCDR strategy and plan.
Technically, NO. BCDR, or any variation of it (commonly known as BCM, etc.), is NOT a required area of testing in a SAS70 audit. This is based purely on the amended SAS70 guidance of 2005 and 2007, which states that a "plan is not a control objective"; thus BCDR and BCM plans are not included in the scope of the SAS70. That's the technical NO answer.
In practice, however, many auditors would say YES: a BCDR or BCM plan should be in scope, with a control objective in place so that the plan can be tested.
Regardless of which decision the auditor makes, it is paramount that service organizations have a working, documented BCDR or BCM plan in place. It simply makes good business sense.
To learn more about what a SAS70 is, visit the official SAS70 resource guide, where you can receive a complimentary SAS70 Type II audit report.
As a SAS70 auditor, I'm often asked how organizations should prepare for a SAS70 audit. In fact, companies commonly ask me for a "SAS70 checklist." I reply by asking: a checklist for what? For how to prepare for the audit? For what the audit scope is? The phrase "SAS70 checklist" is simply too broad and vague to be useful.
What organizations really need to do to prepare for a SAS70 audit is conduct a SAS70 Readiness Assessment, which covers a broad range of topics and subject matter for a SAS70 Type I or SAS70 Type II audit. A readiness assessment will help your organization understand what a SAS70 audit is and how an organization actually undertakes this type of audit, and it will surface gaps in controls and documentation before the auditor's fieldwork begins. Here is an example of the core functional areas a SAS70 Readiness Assessment would cover within an organization. Keep in mind that this is a general reference and that scope can change based on the SAS70 audit itself, but by and large, any reputable CPA firm helping you with a SAS70 Readiness Assessment will almost surely include these areas:
* Organization and Administration-Executive Tone & Human Resources
* Incident Management
* Change Management
* Logical Security
* Network Security
* Physical Security
* Environmental Security
* Computer Operations
* Business Continuity and Disaster Recovery Planning (BCDRP)
To learn more about SAS70 audits, visit the official SAS70 Resource Guide, where you can receive a sample SAS70 audit report.
If your company needs to be SAS70 compliant, a good start is to learn what a SAS70 audit is and what the difference is between a SAS70 Type I and a SAS70 Type II audit report.
In short, a SAS70 Type I is a snapshot in time: it reports on the service organization's description of its controls and on the suitability of their design as of a specific date. For example, a Type I report would carry a date such as August 31, 2008.
A SAS70 Type II audit report goes further and tests the operating effectiveness of those controls over a period of time, traditionally at least six (6) months. For example, a SAS70 Type II report would cover a period from January 1, 2008 to June 30, 2008.
It is important to note that the SAS70 Type II is what the market is calling for: it is the report user organizations and their auditors rely on for Sarbanes-Oxley Section 404 purposes, and it is looked upon as a far more useful report than a SAS70 Type I, because a Type I does not test whether the controls actually operated effectively over a period.
A good way to learn more about SAS70 audits is to obtain a SAS70 sample report, so you can read and understand the major components of a final report.
If you are a data center or managed services provider and need a SAS 70 audit, here are some helpful tips and strategies for finding the right firm, getting a fair and equitable fee, and ensuring the audit has the proper scope.
Today's data centers are complex entities providing customers with a broad array of services, so it's important that your SAS 70 report meets, and ideally exceeds, the objectives of the audit for you and your customers.
1. First and foremost, find a CPA firm that not only specializes in SAS 70 audits but also has a strong understanding of the services your organization offers. From ping, power, and pipe to highly complex managed services, remember to keep all critical services within the scope of the audit.
2. Get a fixed fee for your audit. With rising expenses such as fuel, travel, and other ancillary services, a "fixed fee" for your SAS 70 audit ensures that costs are contained and that you know exactly what you will be paying. SAS 70 engagements that bill expenses separately typically end up costing data centers roughly 20% or more over the originally agreed fee. Hourly rates for auditing data centers should be considered a thing of the past; work hard to get a fixed fee.
3. Scope the audit correctly by making sure the CPA firm conducting the SAS 70 audit includes the following areas for examination and testing:
- Executive Tone
- Human Resources
- Customer Contract Process
- Customer Provisioning Process
- Incident Management
- Change Management
- Logical Security
- Network Security
- Physical Security
- Environmental Security
- Computer Operations
There are also a number of data center best practices that should be in place to help facilitate the overall success of the SAS 70 audit.
The tremendous growth of SAS 70 audits has been felt in many industries, with service providers (known as "service organizations" in the SAS 70 world) increasingly required to undergo an annual SAS 70 Type II audit. If your organization is new to the SAS 70 audit process, here are some helpful tips for finding the right firm and a fair fee, along with other important considerations regarding Statement on Auditing Standards No. 70.
1. Find a firm that specializes in SAS 70 audits. This is not terribly difficult, as there are many firms providing this specialized service.
2. Make sure the firm has industry experience, not just general SAS 70 experience. It sounds easy, but it is wise to pick a firm that has conducted SAS 70 audits in your industry and thus has a working knowledge of your operations and of what to expect.
3. Define the scope EARLY. Make sure your organization and the CPA firm conducting the SAS 70 audit come to an understanding very early on regarding the scope of the audit. Too small a scope and the SAS 70 audit may have little value. Too large a scope and you may be spending more time, money, and effort than is needed.
4. Get a fixed fee for the audit. That's right: make sure the proposal you receive is fixed, meaning it includes all out-of-pocket and travel-related expenses. A non-fixed-fee proposal will likely tack on an additional 20% for out-of-pocket expenses.
5. Ask for templates and questionnaires so you can conduct your own SAS 70 Readiness Assessment. Many CPA firms charge for this service, but some are willing to give you the templates free of charge. It's a great tool for audit preparedness and for completing the SAS 70 audit successfully.
The Software as a Service (SaaS) industry and SAS 70 audits have quite a bit in common. First, both the SAS 70 auditing standard and the SaaS industry have seen explosive growth in the past five years, thanks in large part to regulatory compliance requirements and advances in technology. Second, from a compliance standpoint, SaaS providers are increasingly required to be SAS 70 Type II compliant.
The very nature of the SaaS industry, in which the provider hosts and processes its customers' data and transactions, has pushed the SAS 70 requirement onto many SaaS providers. What may once have been perceived as a market edge or a compliance luxury is now a must-have: a SaaS provider without a SAS 70 audit stands to lose potential clients and future prospects.
If your organization falls under the SaaS industry label, there are a few helpful things you can do to get ready for a SAS 70 audit:
1. Find a firm that truly understands the SaaS industry; it can be complicated due to the nature of the industry itself.
2. Find a firm that will give you a fixed fee for the audit. That's right: there is no need to pay additional out-of-pocket expenses to the auditor. Most reputable firms are now moving toward the fixed-fee mentality, so your checkbook should too.
3. Define the scope early with the CPA firm doing the audit. The SaaS industry has many providers and outsourcing entities that could potentially be in scope for the audit of your company. From data centers to third-party managed security providers, you and the CPA firm need to nail down who and what is included in the scope, and whether each subservice organization is carved out of the report or included in it. This will have a sizable impact on the time, fees, and hours needed to complete the audit.
The Gramm-Leach-Bliley Act, commonly known as GLBA, has provisions that require financial institutions (banks, online trading entities, and the like) to protect confidential consumer information. Unfortunately, like much of the legislation that comes out of the halls of Congress, it can be quite vague, leaving the organizations subject to it to implement it as they see fit. Just look at HIPAA: more than a decade later, it is still looked upon as a large, encompassing, bureaucratic law whose requirements are still being defined.
GLBA has gained some clarity in the past few years, thanks in part to the rise of the SAS 70 auditing standard and the advent of the Sarbanes-Oxley Act of 2002. In short, SAS 70 audits are compliance audits conducted on organizations (known simply as "service organizations") to verify that they have a strong system of internal controls. Financial institutions that sell and offer services to consumers that are "financial" in nature must comply with the GLBA provisions.
One of the best ways to test for GLBA compliance is to have a SAS 70 Type II audit conducted on the financial organization offering the financial products or services to consumers. To learn more about GLBA and SAS 70, read about the Privacy Rule of GLBA and SAS 70 and about the Safeguards Rule of GLBA and SAS 70.
The relationship between Sarbanes-Oxley and SAS 70 begins with Section 404 of the Sarbanes-Oxley Act of 2002 (SOX). Because management must report annually on the effectiveness of its internal controls, it has a fiduciary responsibility, and a requirement, to examine the controls considered critical to the organization as a whole and, more importantly, to its financial reporting process. Because a large number of publicly traded companies outsource a host of services, these outsourcing providers, known simply as "service organizations", are considered an integral component for purposes of financial reporting. Therefore, a due-diligence process must be carried out to have their internal controls examined and reported on. The Securities and Exchange Commission's (SEC) Office of the Chief Accountant and Division of Corporation Finance have stated that "In many situations, a registrant relies on a third party service provider to perform certain functions where the outsourced activity affects the initiation, authorization, recording, processing or reporting of transactions in the registrant's financial statement. In assessing internal controls over financial reporting, management may rely on a Type 2 SAS 70 report." Just as important, the relationship between SAS 70 and Section 404 of SOX has kicked off a regulatory compliance push for which, quite frankly, there is no end in sight.
If your organization is required to be SAS 70 compliant and also needs a PCI DSS assessment, it's time to think about creating efficiencies when conducting both the SAS 70 audit and the PCI DSS assessment.
By no means are the two a perfect match, but the SAS 70 and the PCI DSS can be made to support each other when it comes to preparing deliverables for the auditors. Here's how it works. Auditors create "prepared by client" (PBC) lists, which are in essence a wide assortment of documents, materials, and other deliverables needed for the audit and that must be prepared by the client. My advice is to schedule the PCI DSS assessment before the SAS 70 audit, so that many of the samples pulled for the PCI DSS assessment can be reused for the SAS 70 audit, provided the sample dates fall within the SAS 70 examination period and the samples test the same control. Better yet, fieldwork for the SAS 70 and the PCI DSS assessment could be conducted in close proximity, or even overlapping. The point is this: compliance audits and assessments (as we were told to call the PCI DSS during training, an "assessment", not an audit!) generally ask for similar information in some shape or form. Working with an auditor who truly knows both the PCI DSS and the SAS 70 auditing standard will save you a lot of time, headaches, and money. Though it's not a two-for-one, it does create a high level of efficiency that any organization requiring both a SAS 70 and a PCI DSS assessment should consider.
To learn more about PCI DSS assessments, visit the official PCI resource center.