sas 70 resource guide

SAS 70 Compliance | Why a Readiness Assessment is Essential for the Audit

Many service organizations having to undergo SAS 70 Type I or SAS 70 Type II compliance would greatly benefit from a SAS 70 Readiness Assessment. So, let’s clear the air as to what this actually is.

A SAS 70 Readiness Assessment should be a proactive exercise which actually benefits the overall SAS 70 audit process. A Readiness Assessment should, thus, include the following:

1. A series of in-depth and comprehensive questionnaires that help examine the control environment of a service organization, while assisting in identifying any weaknesses or deficiencies within the overall control framework.
2. A gap analysis or “findings” of deficiencies and what corrective action is needed to strengthen the control environment of the service organization.

A quality CPA firm should be able to provide you with a series of highly-customized SAS 70 Readiness Assessment Questionnaires along with giving the service organization expert guidance and assistance in answering the questionnaires.

If you want to learn more about what a Readiness Assessment actually entails, then visit the Official SAS 70 Resource Guide.

SAS 70 Compliant | Discussion on SAS 70 Auditing Methodologies

Being SAS 70 compliant is quickly becoming a requirement for many service organizations (i.e., companies that provide outsourcing to another entity) in today’s business arena. Many companies, however, voice frustration in not really understanding the audit methodology used and the process/roadmap for becoming SAS 70 compliant.

Let me distill some of these issues for you in better helping understand the auditing standard.

First and foremost, auditors who conduct SAS 70 audits use standards put forth by the AICPA and other approved governing bodies and “best of breed” corporate governance institutions (i.e. ISACA, IAA, etc.)

Additionally, what you need to know is that their is a commonly used “Roadmap” for SAS 70 compliance that consists of these sequential steps:

1. SAS 70 Readiness Assessment: Activities necessary for understanding your organization’s control environment, the scope of the audit and other essential areas.

2. Remediation: These are activities needed for becoming SAS 70 compliant. Generally, they include strengthening one’s control environment by utilizing any number of measures (additional security controls, policies and procedures, etc.)

3. Document Gathering: After steps 1 and 2 are completed, auditors need to gather documentation for the audit. This is a collaborative process that includes the auditor and the service organization undergoing the audit. This can take some time.

5. Fieldwork: Auditors will then arrive on-site to conduct fieldwork activities necessary for testing your internal controls in accordance with SAS 70 auditing standards.

6. Outcome of testing/drafting of report/discussion of findings: These are all activities that occur subsequent to fieldwork.

As one can see, being SAS 70 compliant requires the initiation of a number of steps for the audit process.

To learn more about SAS 70 audits, visit the official SAS 70 Resource Guide.

SAS 70 Compliance | Tips on Scoping a SAS 70 Audit

SAS 70 compliance is commonplace for many of today’s businesses. Unfortunately, one of the missing ingredients in understanding SAS 70 compliance is the scope of the audit. That’s right. The who, what, when, where, and why of the actual SAS 70 audit process. Most service organizations undergoing a SAS 70 audit think that they are all the same, that is, one SAS 70 report should “look and feel” like another report. This is incorrect, as different industries and companies alike have varying requirements on what needs to be covered for SAS 70 compliance.

Here are some things you need to know to help determine SAS 70 scope:

1. What is the test period (if a SAS 70 Type II audit is being conducted)
2. Where are all the locations (physical offices, data centers) that will be included in the testing of the audit.
3. What is the audit actually COVERING? That is, is it a general controls audit or are their certain business processes that are being included in the scope of the audit? (This is essentially one of the biggest scoping issues you need to understand and come to an agreement on).

To learn more about SAS 70 compliance and scoping, visit the official SAS 70 Resource Guide.

SAS 70 Type 2 Audit | Learn about SAS 70 Compliance

If you want to learn more about a SAS 70 Type 2 audit and SAS 70 compliance, then listen up. Becoming SAS 70 compliant can be full of minefields out in today’s regulatory compliance world. But it shouldn’t be. In fact achieving SAS 70 compliance should be looked upon as a structured, multi-step process where you live and learn each and every step of the way about compliance. Sure, there may be horror stories out there about the time, costs, and pain in becoming compliant, especially for a SAS 70 Type 2 audit.

So, let’s distill fact from fiction in helping you learn the nuts and bolts about statement on auditing standards number 70.

First, you need to gaining a strong understanding of what SAS 70 is, what internal controls are, what control objective are, amongst other things. But how? There are a couple of ways: the AICPA publishes excellent, technical reference manuals on SAS 70. Though written more for the auditor in mind, they can still help you greatly understand SAS 70 compliance.

Second, visit the official SAS 70 resource guide, where an abundance of use information awaits you.

Some tips on saving money on SAS 70 compliance? Whoever conducts the audit, ask for a free readiness assessment and also ask for a Fixed fee for the audit. If you can get both of these, you are on your way.