Management’s description of the service organization’s “system” fairly presents the service organization’s system that was designed and implemented at either a specific date (Type 1 report) or implemented throughout a specified time period (Type 2 report).
The controls stated in management’s description of the service organization’s system were suitably designed to achieve the stated control objectives at either a specific date (Type 1 report) or were suitably designed throughout a specified time period (Type 2 report) to achieve those control objectives and also operated effectively throughout that period.
The criteria used to effectively make these assertions (i.e., risk factors relating to controls and control objectives) and, for an SSAE 16 Type 2 report, that the controls were consistently applied.
To learn more about SSAE 16, visit the SSAE 16 Resource Guide.
1. Executive Management/Strategic Management Drivers
2. Human Resources
3. Quality Assurance Activities
4. Client Contract Processes
5. Technical Client Provisioning Processes and Activities
6. Change Management
7. Incident Management
8. Logical Security
9. Network Security
10. Shipping and Receiving Management
11. Physical Security
12. Environmental Security
Any SAS 70 audit conducted on data centers, managed services providers and co-location entities that encompasses the above-referenced areas can be considered a quality audit and report, at least in terms of scope. It’s then up to the CPA firm conducting the audit to actually perform testing for these areas, but that’s a whole other topic of discussion for a later date.
To learn more about SAS 70 audits, visit the official SAS 70 Resource Guide.
To learn more about PCI DSS assessments, visit the Payment Card Industry (PCI) Resource Guide.