SAS 70 compliance is commonplace for many of today’s businesses. Unfortunately, one of the missing ingredients in understanding SAS 70 compliance is the scope of the audit. That’s right: the who, what, when, where, and why of the actual SAS 70 audit process. Most service organizations undergoing a SAS 70 audit assume that all such audits are the same, that is, that one SAS 70 report should “look and feel” like another. This is incorrect. Different industries, and different companies within the same industry, have varying requirements for what needs to be covered in order to achieve SAS 70 compliance, and the scope of the audit should reflect those requirements.
Here are some things you need to know to help determine SAS 70 scope:
1. What is the test period? (This applies if a SAS 70 Type II audit is being conducted, since a Type II report covers the operating effectiveness of controls over a defined period rather than at a single point in time.)
2. Where are all the locations (physical offices, data centers) that will be included in the testing performed during the audit?
3. What is the audit actually COVERING? That is, is it a general controls audit, or are there certain business processes that are being included in the scope of the audit? (This is one of the biggest scoping issues you need to understand and come to an agreement on with your auditor before testing begins.)
To learn more about SAS 70 compliance and scoping, visit the official SAS 70 Resource Guide.