Sure, these are true statements, somewhat boiler plate, but they are true.

In reality, dig a little deeper and stretch a little further into the insight and analysis and you will find that a large number of entities are operating in a Software as a Service (SaaS) mode and function, which essentially has resulted in the explosive growth for many data centers. These companies who have a SaaS business model are being hit quite hard by the SAS 70 compliance mantra from their clients and as such, the down stream effect is that data centers are now included in the scope of many SaaS entities. Amazing what 2 to 3 years can do to the I.T. industry. I say this because it was not that long ago (2005 or so) that a large number of Data Centers were not SAS 70 compliant…and i argue that a big reason for this change has been that SaaS entities occupy racks and racks of space now days.

So there is your SAS 70 and SaaS connection.

But hey, as a SAS 70 Auditor, it’s just my opinion.

Follow this step by step process if you are a data center or co-location facility that will be performing a SAS 70 audit in the near future:

First and foremost, identify the scope of the SAS 70 audit. Though it sounds quite straightforward, every CPA firm approaches scope in a slightly different manner. When identifying scope, there are a number of items to keep in mind, such as the following: Does the scope of the audit satisfy your client’s demands? Does the scope of the audit conform to industry accepted standards for SAS 70 audits on data centers?

Once the scope has been identified, it’s critical to begin the planning process with the auditors. A series of planning meetings should include a discussion on the following items:

1. SAS 70 readiness questionnaire assessment and when it will be done (if deemed necessary).

2. Discussion of type of sampling that is conducted for the audit (this is important as auditors have varying views on the numbers and amounts done on audit sampling).

3. Discussion that identifies key personnel involved in the audit from both sides.

4. Discussion on what data center physical security controls will be included in the scope of the audit.

These are just some general parameters to get you going in the right direction.

If you want to learn more about SAS 70 audits, then visit the official SAS 70 resource guide, where you can obtain SAS 70 sample reports for review.

Well, my friends, let’s take a look at the crystal ball and let me give you my thoughts on SOX and SAS 70.

First and foremost, compliance is NOT going away. Sure, there have been growing pains with the cost and time associated with SOX compliance, but those costs are starting to become greatly streamlined as organizations are finding ways to be more efficient with SOX compliance. In short, it’s here to stay, so consider it a part of life in the business world. With the rash of fraud that occurred on Wall Street which almost toppled the capital markets overnight, there will no doubt be MORE compliance laws, regulations, and rules echoing out of the halls of congress. I would not be worried and thinking too much about SOX, but rather, what else is in the witches brew that could be cooked up on Capital Hill. Think i’m kiding? PCI compliance recently became codified into law in MN with many other states following closely behind.

With SOX staying, you can rest assured that SAS 70 will be hanging around like a little brother. And why not, it’s been a hugely successful internal control auditing mechanism that has shed light on service organizations and how they conduct business.

Compliance is a way of life; as sure as death and taxes. The key is finding a way to meet compliance in a cost-effective and streamlined manner.

1. The CPA firm-Are you looking for brand recognition or are you looking for a cost-effective provider which can simply help you “check the box” for SAS 70 compliance.

2. Scope-What is being examined and tested from a control perspective for SAS 70 audits? Are you looking for just a general controls audit or an audit that also includes specific business processes?

3. Testing period: For SAS 70 Type II audits, what is the testing period going to be? The longer the test period, the more the audit will cost as auditors have to pull larger samples, do more testing, etc.

4. Location of testing: How many physical areas does your organization have that will fall under the scope of the SAS 70 audit? Having more than one means that auditors will ultimately have to travel to numerous locations to conduct more testing. Again, more locations, more time, money, and expenses out of your pocket for the audit itself.

5. Are you confident you can obtain SAS 70 compliance without conducting a SAS 70 readiness assessment? If not and you need assistance identifying weaknesses and gaps within your control environment, then expect to spend more time, money, and resources on the front end of a SAS 70 audit for preparing in an adequate manner.

As you can see, there is no quick, easy, black and white answer to the cost of a SAS 70 Type I or Type II audit.

To learn more about statement of auditing standards no. 70, visit the official sas 70 resource guide, where you can obtain a wealth of information on sas 70 audits.

Here’s how it works. When you look at the 12 core standards as put forth for PCI DSS, some of those functional areas can very well be part of a SAS70 audit, if scoped properly. That’s not to say that a PCI DSS and a SAS70 audit are a one for one match-by no means are they at all, but some items are examined and tested for in both the PCI DSS assessment and the SAS70 audit.

In short, there are only a handful of firms that are currently conducting both PCI DSS and SAS70 compliance. If you can find one, and they are out there, and they are willing to work on both the PCI DSS assessment and the SAS70 audit for purposes of document collection, analysis, discovery, and a host of other activities, then you have found a WIN WIN. Though the PCI DSS is much more technology driven than a SAS70 audit (and again for the thousandth time, a SAS70 is NOT an I.T. audit), there will be much learned from the PCI DSS assessment that will create great value and savings for purposes of the SAS70 audit.

If you want to learn more about this along with creating a Gap analysis, then contact NDB, Accountants and Consultants

In short, a SAS70 Type I is simply an audit that is a snapshot in time; an audit for a particular day. For example, a Type I report would be given a date of August 31, 2008.

A SAS70 Type II audit report is a report that will test the operating effectiveness of those controls over a time period, traditionally six (6) months. For example, a SAS70 Type II report would cover a period from January 1, 2008 to June 30, 2008.

It is important to note that a SAS70 Type II is what the market is calling for, that is, it suffices for Sarbanes Oxley compliance and is looked upon as a much superior audit than a SAS70 Type I report.

A good example of learning more about SAS70 audits is to obtain a SAS70 sample report, whereby you can read and understand what the major components and parts are of a final report.

Today’s data center are complex entities, providing customers with a broad array of services, thus it’s important your SAS 70 report meets and exceeds the objectives of the audit for you and your customers.

1. First and foremost, find a CPA firm that specializes in not only SAS 70 audits, but one that has a strong understanding of the services offered by your organization. From ping, power, and pipe to highly complex managed services, it’s important to remember to keep all critical services within the scope of the audit.

2. Get a fixed fee for your audit. With the rising cost of expenses, such as gas, travel and other ancillary services ,getting a “fixed fee” for your SAS 70 audit ensures that costs are contained, and you have an exact idea of what you will be paying for the audit. SAS 70 audits that do not include expenses will ending costing data centers approximately an additional 20% or more over the original agreed fee. Hourly rates for auditing data centers should be considered a thing of the past-work hard to get a fixed. fee.

3. Scope the audit correctly by making sure the CPA firm conducting the SAS 70 audit includes the following areas for examination and testing:

• Executive Tone
• Human Resources
• Customer Contract Process
• Customer Provisioning Process
• Incident Management
• Change Management
• Logical Security
• Network Security
• Physical Security
• Environmental Security
• Computer Operations

There also a number of Data Center best practices that should be in place for helping facilitate the overall success of the SAS 70 audit.

To learn more about SAS 70 audits or to receive a SAS 70 sample report, visit the official SAS 70 Resource Guide.

The sheer nature of the SaaS industry has forced the SAS 70 auditing standard’s requirement onto many SaaS providers. What’s more, what may have been perceived as a market edge, a compliance luxury, the SAS 70 audit is now a must have for SaaS providers, or lose potential clients and future prospects.

If you are an organization falling under the SaaS industry label, there are a few helpful things you can do to get ready for a SAS 70 audit:

1. Find a firm that truly understands the SaaS industry-it can be complicated due to the nature of the industry itself.
2. Fina a firm that will give you a fixed fee for the audits. That’s right, no need to pay additional out of pocket expenses to the auditor. Most reputable firms are now moving towards the fixed fee mentality, so your checkbook should too.
3. Make sure you define the scope early with the CPA firm doing the audit. The SaaS industry has many providers and outsourcing entities that could potentially be in scope for the audit of your company. From data centers to external, third party managed providers of security, you and the CPA firm need to nail down who and what is included in the scope. This will have a sizable impact on the time, fees, and man hours needed to complete the audit.

To learn more about SAS 70 audit, visit the official SAS 70 Resource guide where you can receive sample SAS 70 reports for view.

My answer to this is yes, IF and only IF, you obtain services from an individual or a firm who is both a CPA and one that is a qualified PCI QSA individual, AND that they produce both high quality SAS70 audits and PCI DSS assessments. The SAS70 auditing standard is rather loose, so its incumbent upon the firm issuing the SAS70 report to produce a report that is high quality. High quality means it is a report that covers all essential baseline elements considered for a SAS70 audit, which should include substantial testing for network security and logical access. If done correctly, you will see an overlap with other areas within the PCI DSS assessment. So, this is the yes answer. If you engage in two different firms, one to do the SAS70 audit, the other to do the PCI DSS assessment, then you can have conflicting views on what each report should contain. In short, the synergies occur when you use a firm to do both the SAS70 and PCI assessment.

For more information on Payment Card Industry compliance, visit the official PCI website.

For more information on SAS70 audits, visit the official SAS70 Resource Guide website.

I have also created a SAS70 and PCI DSS Gap analysis, which shows the overlapping areas

I’m often asked by organizations that have to be SAS70 & PCI compliant if these two audits can be a 2 for 1, that is, can I conduct SAS70 fieldwork and also hopefully piggyback off of that work to help augment a marginal part of the PCI compliance examination for QSA?

There are synergies that can be created, allowing an experienced auditor to use his or her best judgment for creating these synergies. If you look at the 12 core areas of the PCI compliance, you can extract elements from these very requirements that would most surely be included in a good, quality comprehensive SAS70 audit. I stress “good, quality” audit because the looseness of the SAS70 standard allows auditors to employ vastly different methodologies.

For example, PCI Requirement #9, “Restricting Physical Access to Cardholder Data” could be argued that this is very much in line with a common SAS70 control objective for “Physical Security”. Remember this, there are only so many regulatory compliance and governance laws that can be pushed forward before they start to become overlapping and redundant to a certain degree.

If you can find a quality firm that does both SAS70 auditing and PCI QSA compliance, then it would be most beneficial to create these synergies for the audit.

One of the most valuable tools I recently created was a SAS70 & PCI Gap analysis, showing you the overlapping features of both audits, allowing any firm to create these very efficiencies for these compliance examinations.

For more information on SAS70 audits, or to receive SAS70 sample reports, please visit the official SAS70 resource center