Dec 30 2008 3:21PM GMT
Posted by: Charles Denyer
Security,
SOX,
regulatory compliance,
audits,
payment card industry,
PCI DSS,
PCI,
pci compliance,
SAS 70,
SAS 70 readiness questionnaire,
What is SAS 70?,
SAS 70 checklist,
sas70,
sas70 sample reports,
pci dss qsa,
sas 70 control objectives,
sas 70 type ii,
SAS 70 Type I,
pci assessment,
sas 70 sample report,
sas 70 audit report,
payment card industry data security standards
When ushering in the new year festivities, keep in mind that a number of regulatory compliance issues will also be facing your organization as 2009 looms just around the corner. No, they’re not stocking stuffers; rather, they can be considered expensive, time-consuming, and arduous, to say the least. Here’s your list of 2009 regulatory compliance mandates that may very well find their way into your organization.
SAS 70
SAS 70 Type I and SAS 70 Type II audits have become increasingly popular since the advent of Sarbanes-Oxley in 2002. Service organizations, third-party outsourcing entities, and a slew of other companies have had to grapple with the time and costs associated with this widely recognized auditing standard. If your organization needs to become SAS 70 Type I or SAS 70 Type II compliant for 2009 and beyond, then take time to learn about this specialized auditing standard via the most comprehensive website available on SAS 70 audits, sas70.us.com. You can even obtain a free sample SAS 70 Type II report, along with downloading numerous white papers and other expert subject matter on SAS 70 Type I and SAS 70 Type II audits.
PCI Compliance
Payment Card Industry Data Security Standards (PCI DSS) compliance is fast becoming a hot regulatory compliance issue. The major payment brands, such as Visa, Mastercard, American Express, Discover and JCB, have agreed on a number of security provisions for the protection of cardholder data. In summary, any entity directly involved in the processing, storage, or transmission of transaction data or cardholder data should be looked upon as a PCI DSS candidate. But what really is PCI, and where can you learn more about compliance and what your organization needs to do? Visit pciassessment.org, a comprehensive guide to understanding what PCI DSS compliance is and who is affected.
Nov 23 2008 7:46PM GMT
Posted by: Charles Denyer
HIPAA,
SOX,
GLBA,
Sarbanes-Oxley,
regulatory compliance,
SAS 70,
What is SAS 70?,
sas70,
section 404 sox,
sas 70 control objectives,
sas 70 type ii,
sas 70 audit report
We live in a world of heightened regulatory compliance and corporate governance. From the passage of the 2002 Sarbanes-Oxley Act to numerous other pieces of legislation (HIPAA and GLBA, just to name a few), “comply, comply, comply” is the new mantra being pushed throughout organizations and at all levels. SAS 70 audits, originally introduced as the 70th auditing standard in April of 1992, have stood the test of time as the main “go to” compliance audit for many of the regulatory requirements that have issued from the halls of Congress.
Okay, so why is it here to stay? Well, for a number of reasons. First and foremost, it will always be used as an audit tool for evaluating service organizations that could have a material impact on a company’s “information system”. Here, “information system” refers to the user organization’s information system, that is, the services performed by the service organization that are considered part of the user organization’s information system. Transactions, procedures (manual or automated), supporting information, and the capturing of events and conditions are all considered traits and activities that relate to, affect, and impact the user organization’s information system.
Second, the SAS 70 auditing standard has been quite flexible, adapting to the needs of service organizations that must have their control environment examined. Witness the numerous times the SAS 70 auditing standard has been amended over the last 16 years to keep “pace” with the changes of business.
Third, the SAS 70 auditing standard has very quickly become recognized as the global de facto audit for internal controls at service organizations. In short, it has built up quite a following that is simply very hard to ignore.
To learn more about SAS 70 audits, visit the official SAS 70 Resource Guide.
Nov 23 2008 7:24PM GMT
Posted by: Charles Denyer
regulatory compliance,
payment card industry,
PCI DSS,
PCI,
pci compliance,
SAS 70,
qsa,
pci dss qsa,
policies and procedures,
pci assessment,
sas 70 audit report,
payment card industry data security standards,
pci dss requirement 1.1.2
Payment Card Industry (PCI) Data Security Standards (DSS) compliance for PCI DSS requirement 1.1.2 calls for a “Current network diagram with all connections to cardholder data, including any wireless networks”. Thus, testing for validating 1.1.2 requires verification “that a current network diagram (for example, one that shows cardholder data flows over the network) exists and that it documents all connections to cardholder data, including any wireless networks.”
Okay, once again here, the key phrase is “current network diagrams”. What does this essentially mean? It means having a subject matter expert within your I.T. department developing a current network diagram and topology documents showing all critical connection points along with a visual of all critical hardware and network components that make up the network topology. More importantly, these diagrams and network topology documents should be current and updated on a quarterly basis to reflect overall changes in the network layout of the organization. Keep in mind that these documents will also be valuable for other regulatory compliance mandates, such as a SAS 70 Type II audit, which many merchants and service providers have to have at some point in their business lifecycle.
And though the requirement for PCI DSS 1.1.2 calls for these network diagrams only for “connections to cardholder data”, it’s a very good and wise idea to draw and map out your organization’s entire network topology. Why? Because it just makes good business sense and, again, it helps with other regulatory compliance mandates that your organization may have to endure.
To learn more about SAS 70 audits, visit the official SAS 70 Resource Guide.
To learn more about PCI DSS compliance, visit pciassessment.org.
Nov 23 2008 7:03PM GMT
Posted by: Charles Denyer
firewalls,
regulatory compliance,
payment card industry,
PCI DSS,
PCI,
pci compliance,
ports,
qsa,
pci dss qsa,
pci assessment,
requirement 1.0,
requirement 1.1,
configurations
Payment Card Industry (PCI) Data Security Standards (DSS) for Requirement 1.1 require organizations to “Establish firewall and router configuration standards”. This requirement falls under the functional area of the overall Requirement 1.0, which states that organizations must “Install and maintain a firewall configuration to protect cardholder data”. So, what does requirement 1.1 specifically mean, and what do merchants, service providers and other supporting organizations need to be aware of? In short, the PCI DSS testing procedure for 1.1 calls for the assessor to “Obtain and inspect the firewall and router configuration standards and other documentation specified below to verify that standards are complete”. In essence, it’s a rather straightforward testing approach that requires that configuration standards are commensurate and in line with the business needs of the organization, ensuring that unwanted or malicious traffic is kept out and that only the designated traffic is allowed through. A PCI QSA can verify this requirement by consulting and inspecting the current firewall settings and configurations. Take note: all unnecessary ports and configurations should be closed if they are not suitable or conducive to the cardholder environment. To learn more about PCI DSS, visit pciassessment.org.
Oct 27 2008 9:03PM GMT
Posted by: Charles Denyer
regulatory compliance,
SAS 70,
sas 70 type ii,
SAS 70 Type I,
sas 70 sample report
SAS 70 Type I and SAS 70 Type II audits are fast becoming a mainstay in today’s regulatory compliance environment. If your organization is seeking to become SAS 70 Type I or SAS 70 Type II compliant in the near future, then here are some helpful tips in adequately preparing for all aspects of the audit.
1. Requirements: Do you need a SAS 70 Type I or SAS 70 Type II audit?
2. Scope: What is the scope of the audit? What business lines, services, and operations have to be covered in the SAS 70 audit? Are there specific demands that somebody is asking to have included within the audit?
3. Pricing: Always obtain three (3) quotes and get a “fixed fee” for the audit, that is, the entire audit, including travel and all out-of-pocket expenses, is included within the fixed fee.
4. Testing period: If moving forward with a SAS 70 Type II audit, what is the test period going to be? (Note: test periods are traditionally 6 or 10 months long; you will have to identify this with the CPA firm that will be conducting the SAS 70 audit.)
5. SAS 70 Readiness: Make sure you conduct a Readiness Assessment before moving forward with the audit. It will prove invaluable in understanding your control environment.
To learn more about SAS 70 audits, visit the official SAS 70 Resource guide, where you can obtain a wealth of information on SAS 70 audits, including a sample SAS 70 report.
Oct 19 2008 8:27PM GMT
Posted by: Charles Denyer
regulatory compliance,
sas70,
sas 70 type ii,
SAS 70 Type I
Does your organization need to be SAS70 compliant? If so, many people often ask me if they have to complete a SAS70 Type I audit before doing a SAS70 Type II audit. And the answer? Well, it all depends on a number of factors, such as:
1. Has your organization ever gone through a SAS70 audit before, and if so, when?
2. Are you required to be SAS70 Type II compliant, or will a SAS70 Type I suffice for your clients for this year?
3. What is your deadline for completing a SAS70 audit, and when must it be presented to your clients or their auditors?
As you can see, there’s no quick black-or-white answer to the question. The most important thing to understand is what requirements are being put on you by another entity for being SAS70 compliant. In essence, you should be able to answer the who, what, when, where and why within a relatively short period of time. You can also call a CPA firm that specializes in SAS70 audits to help answer these questions for you.
If you want to learn more about SAS70 audits, then visit the official SAS70 Resource Guide, where a wealth of information awaits you on SAS70 audits.
Sep 26 2008 5:45PM GMT
Posted by: Charles Denyer
regulatory compliance,
SAS 70,
sas70,
sas70 sample reports,
sas70 readiness assessment questionnaires
SAS70 Auditing has become a staple in today’s growing regulatory compliance world. As such, I have put together a list of questions and answers for SAS70 issues that are commonly asked to me:
1. How much does a SAS70 audit cost?
That depends on a number of issues, such as the scope of the audit, whether you are required to be SAS70 Type I or Type II compliant, and whether you have ever had a SAS70 audit conducted on your organization before. However, do remember this: get a FIXED FEE for the audit, that is, make sure all out-of-pocket and travel expenses are included in the FIXED FEE.
2. We have never had a SAS70 audit done before; what is the best place to start?
Start with a SAS70 Readiness Assessment: a series of highly customized questionnaires that help guide and facilitate the overall SAS70 audit process for your organization. You don’t go from first to third without a pit stop at second. The same theory holds true for SAS70 audits: don’t jump right into a SAS70 Type I or Type II without conducting preliminary work and analysis on your controls, your manpower, and the overall audit process. Get a SAS70 Readiness Assessment done; it will prove invaluable. You can even obtain free SAS70 Readiness Assessment questionnaires from the official SAS70 Resource Guide, developed by NDB Accountants and Consultants.
3. Can you fail a SAS70 audit? Technically, you can be given a “qualified” or adverse opinion on the audit. However, if you go through a SAS70 Readiness Assessment and learn from the deficiencies you have found, your organization should be able to successfully get a clean, “unqualified” SAS70 opinion.
Want to learn more about SAS70 audits? Then ask for a complimentary SAS70 Type II audit report. You will learn much about the auditing standard from this report.
Sep 21 2008 5:01PM GMT
Posted by: Charles Denyer
regulatory compliance,
corporate governance,
sas70,
sas 70 type ii,
SAS 70 Type I,
sas 70 rfp
SAS70 audits can be seen as expensive, time-consuming, and arduous, to say the least. What’s important to note, though, is that a SAS70 audit can be seen as a great tool for helping promote and grow your business. Just take a look at the heightened regulatory compliance and corporate governance arena we now live in. Need further proof? Have you noticed how many requests for proposals (RFPs) put out to service organizations now require a SAS70 Type II audit report if you want to even be CONSIDERED a viable outsourcing entity?
Sure, they can be time-consuming and expensive, but if they help your business grow, and they have done just that for many service organizations, then they should be looked upon as an effective value proposition for your business.
From an operational standpoint, SAS70 Type I and SAS70 Type II audits help you greatly understand your system of internal controls, where you are weak, where your controls are strong, and what has been unearthed during the SAS70 process to help your organization in becoming an entity that truly values controls at all levels throughout your organization.
Want to learn more about SAS70 audits, such as what a SAS70 really is? Then visit the official SAS70 resource guide.
Sep 8 2008 4:04PM GMT
Posted by: Charles Denyer
Security,
Compliance,
Sarbanes-Oxley,
regulatory compliance,
audits,
sas70,
sas70 sample reports
If your company needs to be SAS70 compliant, then a good start is to learn what a SAS70 audit is and what the difference is between a SAS70 Type I and a SAS70 Type II audit report.
In short, a SAS70 Type I is simply an audit that is a snapshot in time; an audit for a particular day. For example, a Type I report would be given a date of August 31, 2008.
A SAS70 Type II audit report is a report that will test the operating effectiveness of those controls over a time period, traditionally six (6) months. For example, a SAS70 Type II report would cover a period from January 1, 2008 to June 30, 2008.
It is important to note that a SAS70 Type II is what the market is calling for, that is, it suffices for Sarbanes-Oxley compliance and is looked upon as a far superior audit to a SAS70 Type I report.
A good way to learn more about SAS70 audits is to obtain a SAS70 sample report, whereby you can read and understand what the major components and parts of a final report are.