Regulatory Compliance, Governance and Security:

sas 70 certification

May 4 2009   4:20PM GMT

SAS 70 Certification | Expert Advice on Type I and Type II SAS 70 Audits



Posted by: Charles Denyer

SAS 70 Certification is everywhere these days, or so it seems. From small start-up organizations to large multi-national corporations, many people have been hit by the SAS 70 bug. What’s also interesting to note are the vast differences you can see when comparing two SAS 70 reports. In short, no two reports look the same. Is this a good thing or something wrong with the auditing industry? It’s actually a little bit of both, to be honest. The good thing is that it allows auditors to customize the reports as they see fit for the client. The bad thing is that many times a SAS 70 audit does not conform to an acceptable scope or standards of testing for control objectives.

Either way, what you need to know about SAS 70 Type I and Type II audits is that the SAS 70 certification process is highly flexible, based in part on the rather “flexible” auditing standards that are in place. (By the way, the use of the word “certification” is technically incorrect: a SAS 70 audit does not certify anything; rather, you have complied with the auditing standard, so it should be called “SAS 70 compliant”.) So, you need to properly identify the scope of the audit; by doing so, you ensure that your organization ends up receiving a quality SAS 70 Service Auditor’s Report.

As for scope, you need to identify a number of parameters, such as:
1. Is my organization doing a Type I or a Type II?
2. If a Type II, what is the test period?
3. Are there any business processes or functions to be tested in the audit, or is it just a general controls SAS 70?
4. Where are the physical locations that are included in the scope of the audit?
5. Which third-party outsourcing entities used by my organization are to be considered part of the scope of the audit?
6. Has my organization developed control objectives that are considered acceptable for testing by the auditors?

To learn more about SAS 70 audits or to receive a free sample SAS 70 Type II audit in PDF format, visit the official SAS 70 Resource Guide.

Mar 14 2009   10:35PM GMT

SAS 70 Certification | Learn about SAS 70 Type 2 Audits



Posted by: Charles Denyer

SAS 70 certification is becoming a hot topic for many organizations in today’s business world. You name the industry, and I can almost guarantee you that somebody has had to be SAS 70 compliant. Note, though, that the term SAS 70 certification is technically incorrect, because you are not really becoming “certified”; rather, you are becoming compliant. Not a big issue; I just wanted to clear up a technicality that I hear quite a bit about.

So, back to SAS 70 “certification”. What you need to know is that it is a multi-step process which includes the following phases:

1. SAS 70 Readiness Assessment
2. Remediation for anything uncovered during the Readiness Assessment
3. On to the audit, that is, fieldwork for a SAS 70 Type I or Type II.
4. Findings from the auditor and drafting of the report
5. Issuing the report, which is technically called a “SAS 70 Service Auditor’s Report”

These are the steps to follow in becoming SAS 70 compliant. It is the most logical, transparent, and efficient process you will find.

Visit the official SAS 70 Resource Guide to learn more about SAS 70 certification.