Follow this step-by-step process if you are a data center or co-location facility that will be performing a SAS 70 audit in the near future:
First and foremost, identify the scope of the SAS 70 audit. Though it sounds quite straightforward, every CPA firm approaches scope in a slightly different manner. When identifying scope, there are a number of items to keep in mind, such as the following: Does the scope of the audit satisfy your client’s demands? Does the scope of the audit conform to industry-accepted standards for SAS 70 audits on data centers?
Once the scope has been identified, it’s critical to begin the planning process with the auditors. A series of planning meetings should include a discussion on the following items:
1. SAS 70 readiness questionnaire assessment and when it will be done (if deemed necessary).
2. Discussion of the type of sampling that will be conducted for the audit (this is important, as auditors have varying views on how many samples to take and how much sampling to do).
3. Discussion that identifies key personnel involved in the audit from both sides.
4. Discussion on what data center physical security controls will be included in the scope of the audit.
These are just some general parameters to get you going in the right direction.
If you want to learn more about SAS 70 audits, then visit the official SAS 70 resource guide, where you can obtain SAS 70 sample reports for review.