Regulatory Compliance, Governance and Security:

sas 70 compliant

May 4 2009   4:20PM GMT

SAS 70 Certification | Expert Advice on Type I and Type II SAS 70 Audits



Posted by: Charles Denyer
sas 70 certification, SAS 70 Type I, type II, charles denyer, audit scope, sas 70 compliant, sample sas 70 type II report

SAS 70 Certification is everywhere these days, or so it seems. From small start-up organizations to large multi-national corporations, many people have been hit by the SAS 70 bug. What’s also interesting to note are the vast differences you can see when comparing two SAS 70 reports. In short, no two reports look the same. Is this a good thing or something wrong with the auditing industry? It’s actually a little bit of both, to be honest. The good thing is that it allows auditors to customize the reports as they see fit for the client. The bad thing is that many times a SAS 70 audit does not conform to an acceptable scope or standards of testing for control objectives.

Either way, what you need to know about SAS 70 Type I and Type II audits is that the SAS 70 certification process (and by the way, using the word “certification” is technically incorrect, as a SAS 70 audit does not certify anything; rather, it attests that you have complied with the auditing standard, so it should be called “SAS 70 compliant”) is highly flexible, based in part on the rather “flexible” auditing standards that are in place. So, you need to properly identify the scope of the audit, and by doing so, you ensure that your organization ends up receiving a quality SAS 70 Service Auditor’s Report.

As for scope, you need to identify a number of parameters, such as:
1. Is my organization doing a Type I or a Type II?
2. If a Type II, what is the test period?
3. Are there any business processes or functions to be tested in the audit, or is it just a general controls SAS 70?
4. Where are the physical locations that are included in the scope of the audit?
5. Which third-party outsourcing entities used by my organization are to be considered part of the scope of the audit?
6. Has my organization developed control objectives that are considered acceptable for testing by the auditors?

To learn more about SAS 70 audits or to receive a free sample SAS 70 Type II audit in pdf format, visit the official SAS 70 Resource Guide.

Mar 20 2009   6:34PM GMT

SAS 70 Compliant | Discussion on SAS 70 Auditing Methodologies



Posted by: Charles Denyer
charles denyer, sas 70 resource guide, sas 70 compliant, sas 70 readiness assessment, sas 70 type ii, sas 70 compliance, audit, remediation, isaca, IIA, aicpa

Being SAS 70 compliant is quickly becoming a requirement for many service organizations (i.e., companies that provide outsourcing to another entity) in today’s business arena. Many companies, however, voice frustration in not really understanding the audit methodology used and the process/roadmap for becoming SAS 70 compliant.

Let me distill some of these issues to help you better understand the auditing standard.

First and foremost, auditors who conduct SAS 70 audits use standards put forth by the AICPA and other approved governing bodies and “best of breed” corporate governance institutions (i.e., ISACA, IIA, etc.).

Additionally, what you need to know is that there is a commonly used “Roadmap” for SAS 70 compliance that consists of these sequential steps:

1. SAS 70 Readiness Assessment: Activities necessary for understanding your organization’s control environment, the scope of the audit and other essential areas.

2. Remediation: These are activities needed for becoming SAS 70 compliant. Generally, they include strengthening one’s control environment by utilizing any number of measures (additional security controls, policies and procedures, etc.).

3. Document Gathering: After steps 1 and 2 are completed, auditors need to gather documentation for the audit. This is a collaborative process that includes the auditor and the service organization undergoing the audit. This can take some time.

4. Fieldwork: Auditors will then arrive on-site to conduct fieldwork activities necessary for testing your internal controls in accordance with SAS 70 auditing standards.

5. Outcome of testing/drafting of report/discussion of findings: These are all activities that occur subsequent to fieldwork.

As one can see, being SAS 70 compliant requires the initiation of a number of steps for the audit process.

To learn more about SAS 70 audits, visit the official SAS 70 Resource Guide.


Mar 15 2009   2:24AM GMT

SAS 70 Type 2 Audit | Learn about SAS 70 Compliance



Posted by: Charles Denyer
sas 70 type 2 audit, sas 70 compliance, sas 70 resource guide, charles denyer, aicpa, sas 70 compliant

If you want to learn more about a SAS 70 Type 2 audit and SAS 70 compliance, then listen up. Becoming SAS 70 compliant can be full of minefields in today’s regulatory compliance world. But it shouldn’t be. In fact, achieving SAS 70 compliance should be looked upon as a structured, multi-step process where you live and learn each and every step of the way about compliance. Sure, there may be horror stories out there about the time, costs, and pain in becoming compliant, especially for a SAS 70 Type 2 audit.

So, let’s distill fact from fiction in helping you learn the nuts and bolts about Statement on Auditing Standards No. 70.

First, you need to gain a strong understanding of what SAS 70 is, what internal controls are, and what control objectives are, amongst other things. But how? There are a couple of ways: the AICPA publishes excellent technical reference manuals on SAS 70. Though written more with the auditor in mind, they can still greatly help you understand SAS 70 compliance.

Second, visit the official SAS 70 Resource Guide, where an abundance of useful information awaits you.

Some tips on saving money on SAS 70 compliance? Whoever conducts the audit, ask for a free readiness assessment and also ask for a fixed fee for the audit. If you can get both of these, you are on your way.