Aug 3 2008 2:49PM GMT
Posted by: Charles Denyer
Security,
HIPAA,
Compliance,
Auditing,
GLBA,
Sarbanes-Oxley,
regulatory compliance,
audits,
payment card industry,
PCI,
SAS 70,
qsa,
sas70,
sas70 sample reports
SAS70 audits have grown tremendously in the past five years, largely due in part to the explosive growth of federal regulatory compliance laws and legislation. Interestingly also, Payment Card Industry (PCI) compliance has also received much attention as of recent, particularly with the recent breaches of security in a number of well publicized cases.
I’m often asked by organizations that have to be SAS70 & PCI compliant if these two audits can be a 2 for 1, that is, can I conduct SAS70 fieldwork and also hopefully piggyback off of that work to help augment a marginal part of the PCI compliance examination for QSA?
There are synergies that can be created, allowing an experienced auditor to use his or her best judgment for creating these synergies. If you look at the 12 core areas of the PCI compliance, you can extract elements from these very requirements that would most surely be included in a good, quality comprehensive SAS70 audit. I stress “good, quality” audit because the looseness of the SAS70 standard allows auditors to employ vastly different methodologies.
For example, PCI Requirement #9, “Restricting Physical Access to Cardholder Data” could be argued that this is very much in line with a common SAS70 control objective for “Physical Security”. Remember this, there are only so many regulatory compliance and governance laws that can be pushed forward before they start to become overlapping and redundant to a certain degree.
If you can find a quality firm that does both SAS70 auditing and PCI QSA compliance, then it would be most beneficial to create these synergies for the audit.
One of the most valuable tools I recently created was a SAS70 & PCI Gap analysis, showing you the overlapping features of both audits, allowing any firm to create these very efficiencies for these compliance examinations.
For more information on SAS70 audits, or to receive SAS70 sample reports, please visit the official SAS70 resource center
Jul 25 2008 3:00PM GMT
Posted by: Charles Denyer
Compliance,
Auditing,
Sarbanes-Oxley,
SAS 70,
What is SAS 70?,
SAS 70 download
Data centers are increasingly being called upon to be SAS70 Type I or Type II compliant. It stems primarily from the rapid growth of compliance legislation, along with the advent of many industries, particularly Software as a Service (SaaS), that require services from data centers and co-location entities. Moreover, today’s data centers provide a wide array of services, and as such, client using these very services often have to adhere to regulatory compliance mandates also. Ultimately, this has a downstream effect that places data centers on the compliance radar, with SAS70 audits commonly being the default compliance tool used for evaluating their internal control structure.
Additionally, because no two SAS70 audits are truly identical, and because a SAS70 audit should be customized to reflect specific industry needs, it’s important to note what is considered as an acceptable baseline scope for SAS70 audits on data centers. Thus, the areas of executive tone, human resources, incident management, change management, logical security, network security, physical security, environmental security, and computer operations form the basis of the audit for purposes of scope. Please keep in mind, this a generally accepted scope, which can increase or decrease based primarily on what is driving the requirements for the audit itself.
To gain a greater understanding of your organization’s SAS70 needs, it would be helpful for you to learn about what SAS70 is and also obtaining SAS70 sample reports, which are an excellent tool for learning more about this type of audit.
Jul 21 2008 6:23PM GMT
Posted by: Charles Denyer
Security,
HIPAA,
Compliance,
Auditing,
SOX,
GLBA,
Sarbanes-Oxley,
regulatory compliance,
audits,
SAS 70,
SAS 70 readiness questionnaire,
What is SAS 70?,
SAS 70 download,
SAS 70 checklist,
SAS 70 overview presentation
SAS70 Type I & Type II audits can be daunting indeed to many service organizations, but they shouldn’t be. The more you learn about what SAS70 is, the better prepared you will be for going through a SAS70 audit. Let’s start with the basics, that is, educate yourself on what a SAS70 Type I & Type II audit is, and what are the differences.
Furthermore, obtain SAS70 sample reports electronically to see what a final SAS70 service auditors report actually looks like. Additionally, learn about what it takes in the step by step process for undertaking a SAS70 audit. There are many different stages, activities, and deliverables that comprise of a SAS70 audit, so its a good idea to educate yourself on what they are, when they occur, what to expect, and what the commitment is from your organization in terms of manpower and resources.
Beginning with a SAS 70 readiness questionnaire assessment, then culminating with the delivery of the actual service auditor’s report, you need to learn firsthand what’s involved for this type of an audit.
You can also learn more by visiting the official SAS70 resource guide, where a wealth of information is available, such as white papers on SAS70 along with current industry news affecting the auditing standard itself.
Jul 18 2008 1:55AM GMT
Posted by: Charles Denyer
Security,
HIPAA,
Compliance,
Auditing,
SOX,
GLBA,
audits,
SAS 70,
SAS 70 readiness questionnaire,
What is SAS 70?,
SAS 70 download,
SAS 70 checklist,
SAS 70 overview presentation
You can obtain SAS70 sample reports if you are interested in learning more about the SAS70 auditing standard. Many service organizations have to go through a SAS70 audit and would like to learn more about the auditing standard. Thus, a SAS70 Type II example report, which can be obtained from the official SAS70 Resource Guide, will give readers an in-depth understanding of the inner workings of a SAS70 audit, along with providing an excellent example of what the contents of a report are.
SAS 70 sample reports can also help better educate your organization on the auditing standard, ultimately giving you more knowledge and understanding of the audit when you begin the selection process of finding a CPA provider to conduct the SAS70 Type I or Type II audit for your organization.
Additionally, current white papers along with various information on relevant industry news is also available for learning more about SAS70 audits both Type I and Type II audits. Current industries being heavily affected by the SAS70 auditing standard are financial services, information, and health care. The past decade has seen numerous federals laws and legislations implemented that have placed a large emphasis on security, privacy, and an organization’s overall control environment. What’s more, SAS70 audits have quickly become the default tool used to ensure service organizations are in compliance with these ever expanding regulatory compliance laws.
Jul 11 2008 3:50AM GMT
Posted by: Charles Denyer
Security,
HIPAA,
Compliance,
Auditing,
SOX,
GLBA,
regulatory compliance,
SAS 70,
SAS 70 readiness questionnaire,
What is SAS 70?,
SAS 70 download,
SAS 70 checklist,
SAS 70 overview presentation
SAS 70 audits have become a way of life for many in today’s ever growing regulatory compliance world. From financial services to healthcare and I.T., no industry is safe from the large and expanding compliance mandates being pushed out of Congress. Notable legislation, such as HIPAA, GLBA, and Sarbanes-Oxley have had a profound impact on many of today’s businesses.
Though SAS 70 audits are a considerable time and expense proposition for many service organizations, there are many positive attributes that can be taken from these audits. Most importantly, they help you identify weaknesses within your internal control structure. Second, they are a great marketing tool for attracting new business for your organization. And third, they help satisfy the growing compliance demands set forth by industry regulations that are being pushed on your organization by your client’s auditors.
But before you can reap the benefits of SAS 70 audits, you need to learn about the auditing standard and what is SAS 70. Visit the official SAS 70 resource guide, where you can obtain SAS 70 sample reports for free and read up on current industry news and how SAS 70 audits is affecting various business segments in today’s economy.
Jul 9 2008 2:27AM GMT
Posted by: Charles Denyer
Security,
HIPAA,
Compliance,
Auditing,
SOX,
GLBA,
regulatory compliance,
audits,
SAS 70,
SAS 70 readiness questionnaire,
What is SAS 70?,
SAS 70 download,
SAS 70 checklist,
SAS 70 overview presentation
The SAS70 audit guide is a series of reports that will help educate individuals on this widely used auditing standard that was developed in 1992. Section 1.0 gives readers a brief history of SAS 70 audits.
What’s important to note about the auditing standard is that it’s main purposes is to examine an organization’s internal controls or control environment. The auditing standard gained much traction within the last five years due to the passage of the Sarbanes Oxley Act, simply known as SOX to many. At the time of the passing, no one probably knew the implications that section 404 of the SOX act would have on SAS 70 audits. Needless to say, it has been extremely significant. Other regulatory legislation, such as HIPAA and GLBA, have also contributed to the rise of the auditing standard.
To learn more about SAS 70 audits, visit the official resource guide, where current white papers on the auditing standard can be read, along with sas 70 pricing and the ability to obtain SAS 70 sample reports for educational purposes.
Jul 4 2008 8:40PM GMT
Posted by: Charles Denyer
Security,
HIPAA,
Compliance,
Auditing,
SOX,
GLBA,
regulatory compliance,
audits,
SAS 70
SAS70 audits can be looked upon as an examination of an entity’s control environment. In more technical terms, a SAS70 Type I audit is used to report on controls placed in operation. Thus, a SAS 70 Type II audit is used to report on controls placed in operation and the testing of operating effectiveness.
Quickly, you can see the difference between a Type I and a Type II audit. a Type II audit’s testing of operating effectiveness essentially means that a testing period is undertaken when examining a service organization’s control environment. It’s the main difference between a SAS70 Type I and Type II.
Keep in mind that Type II audits are commonly used for complying with section 404 of the Sarbanes Oxley act. Management (executives of user organizations, that is) must have assurances of their internal control environment, thus, many times a SAS70 Type II audit is required from service organizations who provide outsourcing functions for these very user organizations.
To learn more about what is SAS70, visit the official SAS70 Resource Guide.
Jul 4 2008 2:19AM GMT
Posted by: Charles Denyer
Security,
HIPAA,
Compliance,
Auditing,
SOX,
regulatory compliance,
audits,
SAS 70
From health care to financial services and I.T., SAS 70 Type I and Type II audits are having a significant impact in today’s ever growing regulatory compliance arena. Many service organizations initially struggle with SAS 70 compliance, due in part to a large number of issues. These issue traditionally revolve around audit scope, SAS 70 pricing, time commitments, along with other important issues.
What’s important to understand is that if your organization has become a SAS 70 candidate, its wise to educate yourself on this auditing standard which was put forth by the American Institute of Certified Public Accountants (AICPA) in 1992.
A quality SAS 70 CPA firm, and there are many of them out there, will be able to effectively guide you through the major issues of SAS 70 audits (pricing, scope, time commitments, etc.) along with giving you a SAS 70 roadmap for compliance for ensuring the audit is completed in a cost-effective, efficient manner.
Jul 3 2008 1:24AM GMT
Posted by: Charles Denyer
Security,
HIPAA,
Compliance,
Auditing,
SOX,
regulatory compliance,
audits,
SAS 70
If your organization needs to embark on SAS 70 Type I or Type II compliance, here’s what you need to know about getting a fair, equitable fee from a CPA firm that proposes on the audit.
- Discuss what the scope of the audit will be, that is, is it a general controls audit or does the SAS 70 Type I or Type II audit proposal include provisions for examining specific business processes. This is vitally important because the organization requiring you to be SAS 70 compliant may very well have special provisions for the audit. Talk to your clients and communicate this with CPA firms giving you a proposal.
- Determine the testing time period of the audit, if a SAS 70 Type II is being conducted. Generally speaking, the longer the test period, the more testing will be done, thus the audit will be more costly. See if a six (6) month testing period will suffice for your client’s demands.
- Once you have determined scope, make sure to discuss where and when testing will take place. The more physical locations the auditors have to visit, then the more costly the audit will be. You may be able to test for the audit at one central location, so be sure to come to an agreement on this early.
- Make sure the proposal is a fixed fee. In today’s economy with rising gas, food, and transportation costs, any non-audit, out of pocket fees can become quite costly. A fixed fee will help mitigate some of these unknown, variable costs.
To learn more about SAS 70 audits or to receive SAS 70 sample reports, visit the official SAS 70 Resource Guide.
