Regulatory Compliance, Governance and Security:

sas 70 readiness assessment

Jul 17 2009   12:58PM GMT

SAS 70 Type II Audit Compliance | Expert Advice from a SAS 70 Auditor
Posted by: Charles Denyer
SAS 70 Type II audit compliance, sas 70 readiness assessment, charles denyer, cpa firm, population, sampling

After years of working with the SAS 70 auditing standard, there comes a time when I need to clarify and hand out helpful advice to service organizations that will soon be undertaking an actual SAS 70 audit. So, let’s discuss some important issues for making sure you achieve SAS 70 Type II compliance in a cost-effective and timely manner.

1. Get a FIXED FEE for the audit. Hire a firm that gives you one price for all activities associated with the audit.

2. DO conduct a SAS 70 Readiness Assessment. This is vital to the audit and to framing its scope, while also giving your organization the time to correct any gaps or weaknesses found. A good, reputable CPA firm will offer this service, often as part of the overall fixed fee.

3. DO ask how testing is conducted by the firm you have hired. That is, how do they conduct sampling, what is their method for determining an “exception” during the audit process, etc. In short, communicate frequently and ask the right questions.

If you want to learn more about SAS 70 audits, then visit the official SAS 70 Resource Guide.

Jul 8 2009   7:27PM GMT

SAS 70 Compliance | Why a Readiness Assessment is Essential for the Audit
Posted by: Charles Denyer
sas70.us.com, sas 70 resource guide, SAS 70, type i, type II, sas 70 readiness assessment, gap analysis, control environment

Many service organizations having to undergo SAS 70 Type I or SAS 70 Type II compliance would greatly benefit from a SAS 70 Readiness Assessment. So, let’s clear the air as to what this actually is.

A SAS 70 Readiness Assessment should be a proactive exercise that benefits the overall SAS 70 audit process. A Readiness Assessment should therefore include the following:

1. A series of in-depth and comprehensive questionnaires that help examine the control environment of a service organization, while assisting in identifying any weaknesses or deficiencies within the overall control framework.
2. A gap analysis or “findings” of deficiencies and what corrective action is needed to strengthen the control environment of the service organization.

A quality CPA firm should be able to provide you with a series of highly-customized SAS 70 Readiness Assessment Questionnaires along with giving the service organization expert guidance and assistance in answering the questionnaires.

If you want to learn more about what a Readiness Assessment actually entails, then visit the Official SAS 70 Resource Guide.


Jun 26 2009   3:37PM GMT

SAS 70 Audit | Why a Readiness Assessment is Crucial
Posted by: Charles Denyer
sas 70 audit, charles denyer, sas 70 readiness assessment, type i, type II, internal control framework

If your organization is seeking to become SAS 70 Type I or Type II compliant in the near future, then it is a wise decision to embark on a SAS 70 Readiness Assessment. These assessments help you identify your control environment, the scope of the audit, and what deficiencies or gaps may be present within your organization’s overall internal control framework. It should not be looked upon as an additional cost of a SAS 70 audit, but as a useful and proactive exercise in preparing your organization for the rigors of going through an actual SAS 70 audit.

Working straight toward SAS 70 Type I or Type II compliance without conducting a SAS 70 Readiness Assessment can be a daunting and challenging task. Many problems can arise from this, such as not properly scoping the audit and not adequately identifying weaknesses within your control structure, along with other critical and material issues. The result can be cost and time overruns to correct issues that should have been addressed prior to the actual audit.

To learn more about SAS 70, visit the official SAS 70 Resource Guide.


Apr 30 2009   3:13PM GMT

SAS 70 Compliance | A Step-by-Step Process for SAS 70 Type I and Type II Audits
Posted by: Charles Denyer
sas70.us.com, sas 70 compliance, charles denyer, SAS 70 Type I, type ii audit, sas70 services, sas 70 readiness assessment

SAS 70 compliance is a multi-phased, process-based methodology undertaken by organizations seeking to become SAS 70 Type I or Type II compliant. As a SAS 70 auditor, I’m often asked what the SAS 70 audit process is, how long it takes, and what “bumps” in the road can occur. Thus, listed below are the major activities that must be undertaken to ensure your organization is on the right path to SAS 70 compliance.

1. Choose a CPA firm that provides SAS 70 services on a fixed fee, not an hourly basis.
2. Identify the SAS 70 audit that must be undertaken; either a Type I or a Type II audit.
3. If a Type II audit is your goal, identify the “test period” for the audit.
4. Discuss the scope of the audit, that is, what “business processes” are being covered and what physical locations will have to be a part of the testing process.
5. Begin a SAS 70 Readiness Assessment phase. This helps further identify the scope of the audit along with highlighting any weaknesses in your control environment.
6. If necessary, conduct remediation activities that were identified during the SAS 70 Readiness Assessment.
7. Once the above phases are complete, start to discuss fieldwork testing and the collection of the documents the auditor will need to facilitate the audit.
8. Ask the auditor for a list of items that will need to be collected prior to the audit fieldwork.
9. Plan and prepare accordingly with the auditors for fieldwork.
10. Once fieldwork is complete, findings should be reported to you by the auditing firm, allowing you to respond to any exceptions found during testing.
11. Drafting of the report and a final closing meeting to discuss the report and findings follow.

Visit the official SAS 70 Resource guide to learn more about SAS 70 compliance.


Mar 20 2009   6:34PM GMT

SAS 70 Compliant | Discussion on SAS 70 Auditing Methodologies
Posted by: Charles Denyer
charles denyer, sas 70 resource guide, sas 70 compliant, sas 70 readiness assessment, sas 70 type ii, sas 70 compliance, audit, remediation, isaca, IIA, aicpa

Being SAS 70 compliant is quickly becoming a requirement for many service organizations (i.e., companies that provide outsourced services to another entity) in today’s business arena. Many companies, however, voice frustration at not really understanding the audit methodology used and the process, or roadmap, for becoming SAS 70 compliant.

Let me distill some of these issues to help you better understand the auditing standard.

First and foremost, auditors who conduct SAS 70 audits use standards put forth by the AICPA and other approved governing bodies and “best of breed” corporate governance institutions (e.g., ISACA, IIA, etc.).

Additionally, what you need to know is that there is a commonly used “roadmap” for SAS 70 compliance that consists of these sequential steps:

1. SAS 70 Readiness Assessment: Activities necessary for understanding your organization’s control environment, the scope of the audit and other essential areas.

2. Remediation: These are the activities needed for becoming SAS 70 compliant. Generally, they include strengthening one’s control environment by utilizing any number of measures (additional security controls, policies and procedures, etc.).

3. Document Gathering: After steps 1 and 2 are completed, auditors need to gather documentation for the audit. This is a collaborative process that includes the auditor and the service organization undergoing the audit. This can take some time.

4. Fieldwork: Auditors will then arrive on-site to conduct the fieldwork activities necessary for testing your internal controls in accordance with SAS 70 auditing standards.

5. Outcome of testing/drafting of report/discussion of findings: These are all activities that occur subsequent to fieldwork.

As one can see, being SAS 70 compliant requires the initiation of a number of steps for the audit process.

To learn more about SAS 70 audits, visit the official SAS 70 Resource Guide.


Mar 14 2009   10:35PM GMT

SAS 70 Certification | Learn about SAS 70 Type 2 Audits
Posted by: Charles Denyer
charles denyer, sas 70 certification, sas 70 type 2 audit, sas 70 type i type ii, auditor, fieldwork, sas 70 readiness assessment

SAS 70 certification is becoming a hot topic for many organizations in today’s business world. You name the industry, and I can almost guarantee you that somebody in it has had to be SAS 70 compliant. The term “SAS 70 certification” is technically incorrect, though, because you are not really becoming “certified”; rather, you are becoming compliant. Not a big issue; I just wanted to clear up a technicality that I hear quite a bit about.

So, back to SAS 70 “certification”. What you need to know is that it is a multi-step process which includes the following phases:

1. SAS 70 Readiness Assessment
2. Remediation for anything uncovered during the Readiness Assessment
3. On to the audit, that is, fieldwork for a SAS 70 Type I or Type II.
4. Findings from the auditor and drafting of the report
5. Issuing the report, which is technically called a “SAS 70 Service Auditor’s Report”

These are steps to follow in becoming SAS 70 compliant. It is the most logical, transparent, and efficient process you will find.

Visit the official SAS 70 Resource Guide to learn more about SAS 70 certification.