Being SAS 70 compliant is quickly becoming a requirement for many service organizations (i.e., companies that provide outsourcing to another entity) in today’s business arena. Many companies, however, voice frustration in not really understanding the audit methodology used and the process/roadmap for becoming SAS 70 compliant.
Let me distill some of these issues for you in better helping understand the auditing standard.
First and foremost, auditors who conduct SAS 70 audits use standards put forth by the AICPA and other approved governing bodies and “best of breed” corporate governance institutions (i.e. ISACA, IAA, etc.)
Additionally, what you need to know is that their is a commonly used “Roadmap” for SAS 70 compliance that consists of these sequential steps:
1. SAS 70 Readiness Assessment: Activities necessary for understanding your organization’s control environment, the scope of the audit and other essential areas.
2. Remediation: These are activities needed for becoming SAS 70 compliant. Generally, they include strengthening one’s control environment by utilizing any number of measures (additional security controls, policies and procedures, etc.)
3. Document Gathering: After steps 1 and 2 are completed, auditors need to gather documentation for the audit. This is a collaborative process that includes the auditor and the service organization undergoing the audit. This can take some time.
5. Fieldwork: Auditors will then arrive on-site to conduct fieldwork activities necessary for testing your internal controls in accordance with SAS 70 auditing standards.
6. Outcome of testing/drafting of report/discussion of findings: These are all activities that occur subsequent to fieldwork.
As one can see, being SAS 70 compliant requires the initiation of a number of steps for the audit process.
To learn more about SAS 70 audits, visit the official SAS 70 Resource Guide.