Properly scoping a SAS 70 Type I or SAS 70 Type II audit is an extremely important component of the audit process itself. Why? Because as a service organization undergoing a SAS 70 audit, your goal is to have a report produced and issued to you that meets your clients' expectations for quality and covers all critical components within your operations. If the audit scope is too small, the report may lack the quality you or your clients expect.
All SAS 70 reports start off with a baseline of widely accepted and recognized control objectives that you would test for in essentially any organization, regardless of whether it is a data center or a widget company. Control “areas” such as Human Resources, Executive Management, Physical Security, and Environmental Security, just to name a few, are excellent examples. The key ingredient to success for your SAS 70 audit is the ability to adequately identify the specific “business process” controls within your organization. For example, a data center could possibly test various controls related to “managed services”, while a widget company would test controls related to the building of widgets and the operational activities that surround it. It's a simple example, but you get the point. Talk to the CPA firm conducting your SAS 70 audit to ensure they will be testing for specific “business processes” within your SAS 70. After all, this is what creates true value in your report.
To learn more about SAS 70 audits, visit the official SAS 70 Resource Guide.