Yes, in that if an organization has never gone through a SAS 70 audit, has time to conduct a Type I audit, or has “cold feet” about going right into a SAS 70 Type II, which can be an extensive undertaking for any organization not familiar with Statement on Auditing Standards No. 70.
As for the NO answer. Well, if organizations have a compelling regulatory requirement to obtain SAS 70 Type II compliance, then you know the answer. Also, if an organization is continuing to roll forward every year with a Type II, then obviously, one would never go back to do a Type I, unless it was on a completely different business line (but that is a whole different topic to discuss at a later time).
As an auditor, my advice is to “crawl” before you “walk”, that is, get your feet wet and become acquainted with the SAS 70 process by conducting a Type I audit first and foremost, if you CAN.
Want to learn more about SAS 70 audits? Then visit the official SAS 70 Resource Guide.
However, the problem is that under the new rules, only about 1,900 of the approximately 11,300 advisory firms registered with the SEC will be required to obtain surprise audits. Why? The SEC simply folded under intense pressure from various business groups, thus excluding a large number of advisory firms from the surprise audit requirement (which, by the way, will more than likely be a SAS 70 Type II audit).
And if the asset threshold for SEC registration is raised to $100 million from $25 million, then the number of advisory firms subject to the requirement will become even smaller than 1,900.
Nevertheless, the new audit rules “grow out of the Madoff Ponzi scheme and other frauds in which investor assets were misappropriated by investment advisers,” SEC Chairman Mary Schapiro said in a statement. “Such frauds have caused investors to question whether their assets are safe when they entrust them to an investment adviser. I believe today’s rules will help put their minds at ease.”
To learn more about SAS 70 audits, please visit the official SAS 70 Resource Guide.
A SAS 70 Readiness Assessment should be a proactive exercise which actually benefits the overall SAS 70 audit process. A Readiness Assessment should, thus, include the following:
1. A series of in-depth and comprehensive questionnaires that help examine the control environment of a service organization, while assisting in identifying any weaknesses or deficiencies within the overall control framework.
2. A gap analysis or “findings” of deficiencies and what corrective action is needed to strengthen the control environment of the service organization.
A quality CPA firm should be able to provide you with a series of highly-customized SAS 70 Readiness Assessment Questionnaires along with giving the service organization expert guidance and assistance in answering the questionnaires.
If you want to learn more about what a Readiness Assessment actually entails, then visit the Official SAS 70 Resource Guide.
Let me distill some of these issues for you to help you better understand the auditing standard.
First and foremost, auditors who conduct SAS 70 audits use standards put forth by the AICPA and other approved governing bodies and “best of breed” corporate governance institutions (e.g. ISACA, IAA, etc.).
Additionally, what you need to know is that there is a commonly used “Roadmap” for SAS 70 compliance that consists of these sequential steps:
1. SAS 70 Readiness Assessment: Activities necessary for understanding your organization’s control environment, the scope of the audit and other essential areas.
2. Remediation: These are activities needed for becoming SAS 70 compliant. Generally, they include strengthening one’s control environment by utilizing any number of measures (additional security controls, policies and procedures, etc.)
3. Document Gathering: After steps 1 and 2 are completed, auditors need to gather documentation for the audit. This is a collaborative process that includes the auditor and the service organization undergoing the audit. This can take some time.
4. Fieldwork: Auditors will then arrive on-site to conduct fieldwork activities necessary for testing your internal controls in accordance with SAS 70 auditing standards.
5. Outcome of testing/drafting of report/discussion of findings: These are all activities that occur subsequent to fieldwork.
As one can see, being SAS 70 compliant requires the initiation of a number of steps for the audit process.
To learn more about SAS 70 audits, visit the official SAS 70 Resource Guide.
Here are some things you need to know to help determine SAS 70 scope:
1. What is the test period (if a SAS 70 Type II audit is being conducted)?
2. Where are all the locations (physical offices, data centers) that will be included in the testing of the audit?
3. What is the audit actually COVERING? That is, is it a general controls audit, or are there certain business processes that are being included in the scope of the audit? (This is essentially one of the biggest scoping issues you need to understand and come to an agreement on.)
To learn more about SAS 70 compliance and scoping, visit the official SAS 70 Resource Guide.
So, let’s distill fact from fiction in helping you learn the nuts and bolts of Statement on Auditing Standards No. 70.
First, you need to gain a strong understanding of what SAS 70 is, what internal controls are, and what control objectives are, amongst other things. But how? There are a couple of ways: the AICPA publishes excellent, technical reference manuals on SAS 70. Though written more with the auditor in mind, they can still greatly help you understand SAS 70 compliance.
Second, visit the official SAS 70 resource guide, where an abundance of useful information awaits you.
Some tips on saving money on SAS 70 compliance? Whoever conducts the audit, ask for a free readiness assessment and also ask for a fixed fee for the audit. If you can get both of these, you are on your way.