SAS 70 audits are being performed on many service organizations in today’s growing regulatory compliance economy. From federal legislation such as Sarbanes-Oxley to HIPAA, the SAS 70 auditing standard has been pushed to the forefront of the business arena. It’s becoming such a big requirement now that many requests for proposals (RFPs) demand that a service organization be SAS 70 compliant before it can even bid on work or submit a proposal.
So let’s erase some myths and misconceptions about the SAS 70 auditing standard. First and foremost, the audit can be done in an efficient, cost-effective manner, provided you find a firm that has a good working knowledge of the SAS 70 auditing standard AND your industry. Put both of those variables together, and you should get a good fee from a quality auditor who truly knows what they are doing.
Secondly, you don’t have to do a SAS 70 Type I first if you need a SAS 70 Type II. Why waste thousands of dollars on a Type I when it’s not really what you needed? Some CPA firms will try to sell you the full package, often including a Type I by stating it’s needed to begin the audit process. What you need to start with instead is a SAS 70 Readiness Assessment, which will get your organization up to speed and ready for the actual SAS 70 Type II audit.
Lastly, SAS 70 audits can be a reasonable financial proposition if you use an experienced firm with a working, scalable model, which results in efficiency and cost-effectiveness.
As a SAS 70 auditor for many years, I’ve seen a huge increase in the number of third party administrators (TPA) that are required to go through a SAS 70 Type I or SAS 70 Type II audit. Many of these TPA organizations are considered small, with limited budgets, and thus they voice a great deal of frustration about the time and costs of this highly specialized audit process. What’s worse, many feel the value of the audit is simply lacking, as many CPA firms do not have the knowledge or background sufficient for auditing a Third Party Administrator (TPA).
With that said, it’s important that you properly assess the CPA firm for its overall expertise and knowledge of TPAs. The term TPA is a broad and much overused term, because many organizations “administer” some kind of business function or claim, ranging from property and casualty to self-funded health and benefits claims.
When assessing a CPA firm, ask them how many SAS 70 audits they have conducted on a TPA, and also ask them whether they can provide you with a SAS 70 sample report, so that you can actually see their expertise for yourself.
Also, ask them for a fixed fee, as SAS 70 pricing is now becoming a very important issue for budget-minded Third Party Administrators (TPA).
To learn more about SAS 70 audits, visit the official SAS 70 Resource guide, where helpful information awaits any interested reader.
Many organizations are now being required to be SAS70 and PCI DSS compliant. With that said, I am often asked where the synergies or overlaps are between a SAS70 audit, which can only be done by a CPA firm, and a PCI DSS assessment, which can only be done by a qualified PCI QSA individual.
My answer to this is yes, IF and only IF you obtain services from an individual or a firm who is both a CPA and a qualified PCI QSA, AND who produces both high quality SAS70 audits and PCI DSS assessments. The SAS70 auditing standard is rather loose, so it’s incumbent upon the firm issuing the SAS70 report to produce a report that is high quality. High quality means a report that covers all essential baseline elements considered for a SAS70 audit, which should include substantial testing of network security and logical access. If done correctly, you will see an overlap with other areas within the PCI DSS assessment. So, this is the yes answer. If you engage two different firms, one to do the SAS70 audit and the other to do the PCI DSS assessment, then you can end up with conflicting views on what each report should contain. In short, the synergies occur when you use one firm to do both the SAS70 audit and the PCI assessment.
For more information on Payment Card Industry compliance, visit the official PCI website.
For more information on SAS70 audits, visit the official SAS70 Resource Guide website.
I have also created a SAS70 and PCI DSS Gap analysis, which shows the overlapping areas.
SAS70 audits have grown tremendously in the past five years, largely due to the explosive growth of federal regulatory compliance laws and legislation. Interestingly, Payment Card Industry (PCI) compliance has also received much attention recently, particularly with the recent security breaches in a number of well publicized cases.
I’m often asked by organizations that have to be SAS70 & PCI compliant if these two audits can be a 2 for 1, that is, can I conduct SAS70 fieldwork and also hopefully piggyback off of that work to help augment a marginal part of the PCI compliance examination performed by a QSA?
There are synergies that can be created, and an experienced auditor can use his or her best judgment in creating them. If you look at the 12 core requirements of PCI compliance, you can extract elements from these very requirements that would most surely be included in a good, quality, comprehensive SAS70 audit. I stress “good, quality” audit because the looseness of the SAS70 standard allows auditors to employ vastly different methodologies.
For example, it could be argued that PCI Requirement #9, “Restricting Physical Access to Cardholder Data”, is very much in line with a common SAS70 control objective for “Physical Security”. Remember this: there are only so many regulatory compliance and governance laws that can be pushed forward before they start to become overlapping and redundant to a certain degree.
If you can find a quality firm that does both SAS70 auditing and PCI QSA assessments, then it would be most beneficial to create these synergies for the audit.
One of the most valuable tools I recently created was a SAS70 & PCI Gap analysis, showing you the overlapping features of both audits, allowing any firm to create these very efficiencies for these compliance examinations.
Data centers are increasingly being called upon to be SAS70 Type I or Type II compliant. This stems primarily from the rapid growth of compliance legislation, along with the advent of many industries, particularly Software as a Service (SaaS), that require services from data centers and co-location entities. Moreover, today’s data centers provide a wide array of services, and as such, clients using these very services often have to adhere to regulatory compliance mandates as well. Ultimately, this has a downstream effect that places data centers on the compliance radar, with SAS70 audits commonly being the default compliance tool used for evaluating their internal control structure.
Additionally, because no two SAS70 audits are truly identical, and because a SAS70 audit should be customized to reflect specific industry needs, it’s important to note what is considered an acceptable baseline scope for SAS70 audits of data centers. Thus, the areas of executive tone, human resources, incident management, change management, logical security, network security, physical security, environmental security, and computer operations form the basis of the audit for purposes of scope. Please keep in mind that this is a generally accepted scope, which can increase or decrease based primarily on what is driving the requirements for the audit itself.
To gain a greater understanding of your organization’s SAS70 needs, it would be helpful to learn what SAS70 is and also to obtain SAS70 sample reports, which are an excellent tool for learning more about this type of audit.
If you want to learn about SAS70 Type I & Type II audits, then it’s a good idea to gain a thorough understanding of the terminology used in the SAS70 auditing standard. There is much technical jargon and many terms to be mastered in order to truly understand SAS70 audits. Furthermore, the more fully you comprehend what these items mean, the better armed and prepared you will be for the audit.
The SAS70 glossary of terms serves to provide an understanding of the most common terms and phrases used not only by auditors, but also everyone involved in the SAS70 process. For example, do you truly understand the definition of internal controls? Do you know the difference between a service organization and a user organization? The SAS70 glossary will help define these differences.
Also, if you want to learn more about SAS70, such as pricing, along with receiving SAS70 sample reports, then the official SAS70 resource guide is your one-stop shop for learning all you need to know about this highly specialized auditing standard.
SAS70 Type I & Type II audits can indeed be daunting to many service organizations, but they shouldn’t be. The more you learn about what SAS70 is, the better prepared you will be for going through a SAS70 audit. Let’s start with the basics, that is, educate yourself on what a SAS70 Type I & Type II audit is, and what the differences between them are.
Furthermore, obtain SAS70 sample reports electronically to see what a final SAS70 service auditor’s report actually looks like. Additionally, learn about the step-by-step process for undertaking a SAS70 audit. There are many different stages, activities, and deliverables that comprise a SAS70 audit, so it’s a good idea to educate yourself on what they are, when they occur, what to expect, and what the commitment is from your organization in terms of manpower and resources.
Beginning with a SAS 70 readiness questionnaire assessment and culminating with the delivery of the actual service auditor’s report, you need to learn firsthand what’s involved in this type of audit.
You can also learn more by visiting the official SAS70 resource guide, where a wealth of information is available, such as white papers on SAS70 along with current industry news affecting the auditing standard itself.
You can obtain SAS70 sample reports if you are interested in learning more about the SAS70 auditing standard. Many service organizations have to go through a SAS70 audit and would like to learn more about the auditing standard. Thus, a SAS70 Type II example report, which can be obtained from the official SAS70 Resource Guide, will give readers an in-depth understanding of the inner workings of a SAS70 audit, along with an excellent example of what the contents of a report are.
SAS 70 sample reports can also help better educate your organization on the auditing standard, ultimately giving you more knowledge and understanding of the audit when you begin the selection process of finding a CPA provider to conduct the SAS70 Type I or Type II audit for your organization.
Additionally, current white papers, along with relevant industry news, are also available for learning more about SAS70 audits, both Type I and Type II. Current industries being heavily affected by the SAS70 auditing standard are financial services, information, and health care. The past decade has seen numerous federal laws and pieces of legislation implemented that have placed a large emphasis on security, privacy, and an organization’s overall control environment. What’s more, SAS70 audits have quickly become the default tool used to ensure service organizations are in compliance with these ever expanding regulatory compliance laws.
A SAS70 report can be a daunting undertaking for many service organizations that have never gone through an audit of this type. Developed in 1992 by the American Institute of Certified Public Accountants (AICPA), SAS70 Type I and Type II audits are used for examining a service organization’s control environment.
Many companies often ask me what the end deliverable report looks like. Because of the loose flexibility of the auditing standard, I have to caution them that no two reports from different CPA firms for a SAS 70 audit will ever look alike. This is largely because the presentation of the audit findings allows CPA firms to illustrate them in any number of ways. However, even with that said, there are some fundamental topics and areas that need to be included in almost any SAS 70 Type II audit. A good reference would be to examine the SAS70 audit & overview presentation tutorial, which gives readers an excellent example of what SAS70 is and what’s in a report.
Additionally, visit the SAS70 resource guide where you can receive SAS70 sample reports for educational viewing.
SAS 70 audits have become a way of life for many in today’s ever growing regulatory compliance world. From financial services to healthcare and I.T., no industry is safe from the large and expanding compliance mandates being pushed out of Congress. Notable legislation such as HIPAA, GLBA, and Sarbanes-Oxley has had a profound impact on many of today’s businesses.
Though SAS 70 audits are a considerable time and expense proposition for many service organizations, there are many positive attributes that can be taken from these audits. Most importantly, they help you identify weaknesses within your internal control structure. Second, they are a great marketing tool for attracting new business for your organization. And third, they help satisfy the growing compliance demands set forth by industry regulations that are being pushed on your organization by your clients’ auditors.
But before you can reap the benefits of SAS 70 audits, you need to learn about the auditing standard and what SAS 70 is. Visit the official SAS 70 resource guide, where you can obtain SAS 70 sample reports for free and read up on current industry news and how SAS 70 audits are affecting various business segments in today’s economy.