As a SAS70 auditor, I'm often asked how organizations should prepare for a SAS70 audit. In fact, companies and organizations alike commonly ask me for a "SAS70 checklist." I usually answer with a question of my own: a checklist for what? For preparing for the audit? For defining the audit scope? The phrase "SAS70 checklist" is simply too broad and vague to be useful on its own.
What organizations really need in order to prepare for a SAS70 audit is a SAS70 Readiness Assessment, which covers the broad range of topics and subject matter relevant to either a SAS70 Type I or a SAS70 Type II audit. A SAS70 Readiness Assessment will help your organization understand what a SAS70 audit is, how an organization actually undertakes this type of audit, and what other essential activities are involved. Below are the core functional areas that a SAS70 Readiness Assessment would typically cover within an organization. Keep in mind that this is a general reference: the scope can change based on the SAS70 audit itself (for example, which control objectives and services are in scope). By and large, though, any reputable CPA firm helping you with a SAS70 Readiness Assessment will almost surely include these areas:
* Organization and Administration (Executive Tone and Human Resources)
* Incident Management
* Change Management
* Logical Security
* Network Security
* Physical Security
* Environmental Security
* Computer Operations
* Business Continuity and Disaster Recovery Planning (BCDRP)
To learn more about SAS70 audits, visit the SAS70 Resource Guide, where you can request a sample SAS70 audit report.