SAS 70 Type I archives - Regulatory Compliance, Governance and Security

Jun 20 2009   3:20AM GMT

SAS 70



Posted by: Charles Denyer
Statement on Auditing Standards No. 70, sas70, type II, general controls report, control environment, charles denyer, sarbanes oxley act of 2002, SAS 70 Type I

Statement on Auditing Standards No. 70, known simply as SAS 70 to many, has had a profound impact on regulatory compliance since the passage of the Sarbanes Oxley Act in 2002. As a SAS 70 auditor for many years, I’ve been asked a broad range of questions regarding the who, what, where, when and why of SAS 70 Type I and SAS 70 Type II audits. If you need to learn everything you possibly can about SAS 70, visit the official SAS 70 Resource Guide, where a voluminous amount of information is available.

Now, with that said, let me touch on a subject that has been brought up so many times it feels like a broken record: SAS 70 PRICING. So, what do they cost? What SHOULD they cost? These are some of the questions I’ve fielded over the years. I can tell you what my honest best assessment is for pricing on these engagements, so here you go.

A general controls SAS 70 Type I that covers no real business processes, where all fieldwork can be done at one location, should cost between $15,000 and $25,000.

A general controls SAS 70 Type II that covers no real business processes, where all fieldwork can be done at one location, should cost between $25,000 and $35,000. Subsequent years “could” see a marginal decrease in fees if the control environment stays somewhat static.

If you start adding in requirements to test a wide array of specific “business process” controls, the price will go up. Keep in mind, some firms may (and do) charge a slightly lower fee than I’ve just quoted. But remember, you get what you pay for, especially with auditors. Find that healthy medium from a quality, boutique CPA firm that specializes in SAS 70 audits and you should be fine.

May 31 2009   3:33PM GMT

Policies and Procedures | SAS 70 | PCI DSS | An Auditor’s Viewpoint



Posted by: Charles Denyer
Maintain an Information Security Policy, PCI DSS, charles denyer, SAS 70 Type I, sas 70 type ii, change management, policies and procedures, requirement 12

Policies and Procedures: it’s such a common theme and phrase in today’s regulatory compliance and governance arena, so much so that I think it should have its own Wikipedia page. Developing these documents can be an arduous undertaking. Furthermore, policies and procedures are growing larger and larger in scope for compliance initiatives.

Take a look at Requirement 12 of PCI DSS: Maintain an Information Security Policy. It’s quite detailed, to say the least. Furthermore, there are numerous other P&P requirements sprinkled throughout the other 11 PCI DSS requirements.

As for SAS 70, the audit’s success also depends on policies and procedures for a wide range of items. A few examples of common P&P documents that may fall under the scope of a SAS 70 Type I or SAS 70 Type II audit are as follows:

Change Management P&P
An organization-wide security policy handbook with documented P&P
Backup P&P
SDLC documentation

To be blunt, most organizations despise authoring these documents for a number of reasons: time, cost, or the simple inability to write effective P&P documents.

Even with that said, organizations need to be aware of the growing requirements for P&P for SAS 70, PCI DSS, and a whole host of other regulatory compliance mandates.


May 10 2009   2:59PM GMT

COSO | SAS 55 | SAS 70 | SAS 78 | Understanding the Relationship



Posted by: Charles Denyer
coso, sas 55, SAS 70, sas 78, charles denyer, SAS 70 Type I, type ii audit, internal controls, aicpa, american institute of certified public accountants, The Committee of Sponsoring Organizations of the Treadway Commission

COSO is a widely used and accepted internal control framework in today’s growing corporate governance initiatives. It also features heavily in Statement on Auditing Standards No. 70 (SAS 70) audits.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework essentially defines internal control as a process, effected by an entity’s board of directors, management and other personnel. This process is designed to provide reasonable assurance regarding the achievement of objectives in effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations.

1. Internal control is a process. It is a means to an end, not an end in itself.
2. Internal control is not merely documented by policy manuals and forms. Rather, it is put in place by people at every level of an organization.
3. Internal control can provide only reasonable assurance, not absolute assurance, to an entity’s management and board.
4. Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.

What’s notable about the relationship between COSO and SAS 70 is COSO’s framework for internal control, which consists of the following five (5) broad-based components:

1. Control Environment
2. Control Activities
3. Risk Assessment
4. Information and Communication
5. Monitoring

Many SAS 70 Type I and Type II audit reports discuss, in narrative form, the five areas above: how they relate to the organization undergoing the SAS 70 audit, and what specific controls the organization has in place in relation to each of them.

And let’s not forget the Statement on Auditing Standards (SAS pronouncements) that help bring these five internal control themes to light.

In 1988, the American Institute of Certified Public Accountants (AICPA) issued SAS 55, which describes internal control in terms of its three major components: control environment, accounting system, and control procedures. Shortly thereafter, the Committee of Sponsoring Organizations (COSO) released Internal Control: Integrated Framework, in which internal control was characterized as five components: control environment, control activities, risk assessment, information and communication, and monitoring.

Then, in 1995, the AICPA adopted COSO’s definition and its five components of internal control, issuing SAS No. 78 to supplement SAS No. 55.

So, you should now be able to clearly see the relationship between SAS 70 and COSO, and the relationship between SAS 70 and other SAS pronouncements, specifically SAS 55 and SAS 78.

If you want to learn more about SAS 70 audits, visit the official SAS 70 Resource Guide.


May 4 2009   4:20PM GMT

SAS 70 Certification | Expert Advice on Type I and Type II SAS 70 Audits



Posted by: Charles Denyer
sas 70 certification, SAS 70 Type I, type II, charles denyer, audit scope, sas 70 compliant, sample sas 70 type II report

SAS 70 Certification is everywhere these days, or so it seems. From small start-up organizations to large multi-national corporations, many people have been hit by the SAS 70 bug. What’s also interesting to note are the vast differences you can see when comparing two SAS 70 reports. In short, no two reports look the same. Is this a good thing, or a sign that something is wrong with the auditing industry? It’s actually a little bit of both, to be honest. The good thing is that it allows auditors to customize the reports as they see fit for the client. The bad thing is that many times a SAS 70 audit does not conform to an acceptable scope or standard of testing for control objectives.

Either way, what you need to know about SAS 70 Type I and Type II audits is that the SAS 70 certification process is highly flexible, based in part on the rather “flexible” auditing standards that are in place. (By the way, using the word “certification” is technically incorrect, as a SAS 70 audit does not certify anything; rather, you have complied with the auditing standard, so it should be called “SAS 70 compliant.”) So, you need to properly identify the scope of the audit, and by doing so, you ensure that your organization ends up receiving a quality SAS 70 Service Auditor’s Report.

As for scope, you need to identify a number of parameters, such as:
1. Is my organization doing a Type I or a Type II?
2. If a Type II, what is the test period?
3. Are there any business processes or functions to be tested in the audit, or is it just a general controls SAS 70?
4. Where are the physical locations that are included in the scope of the audit?
5. Which third-party outsourcing entities used by my organization are to be considered part of the scope of the audit?
6. Has my organization developed control objectives that are considered acceptable for testing by the auditors?

To learn more about SAS 70 audits or to receive a free sample SAS 70 Type II audit in pdf format, visit the official SAS 70 Resource Guide.


Apr 30 2009   3:13PM GMT

SAS 70 Compliance | A Step-by-Step Process for SAS 70 Type I and Type II Audits



Posted by: Charles Denyer
sas70.us.com, sas 70 compliance, charles denyer, SAS 70 Type I, type ii audit, sas70 services, sas 70 readiness assessment

SAS 70 compliance is a multi-phased, process-based methodology undertaken by organizations seeking to become SAS 70 Type I or Type II compliant. As a SAS 70 auditor, I’m often asked what the SAS 70 audit process is, how long it takes, and what “bumps” in the road can occur. Listed below are the major activities that must be carried out to ensure your organization is on the right path to SAS 70 compliance.

1. Choose a CPA firm that provides SAS 70 services on a fixed fee, not an hourly basis.
2. Identify the SAS 70 audit that must be undertaken; either a Type I or a Type II audit.
3. If a Type II audit is your goal, identify the “test period” for the audit.
4. Discuss the scope of the audit, that is, what “business processes” are being covered and what physical locations will have to be a part of the testing process.
5. Begin a SAS 70 Readiness Assessment phase. This helps further identify the scope of the audit along with highlighting any weaknesses in your control environment.
6. If necessary, conduct remediation activities that were identified during the SAS 70 Readiness Assessment.
7. Once the above phases are complete, start to discuss fieldwork testing and the collection of the documents the auditor will need to facilitate the audit.
8. Ask the auditor for a list of items that will need to be collected prior to the audit fieldwork.
9. Plan and prepare accordingly with the auditors for fieldwork.
10. Once fieldwork is complete, the auditing firm should report its findings to you, allowing you to respond to any exceptions found during testing.
11. Drafting of the report and a final closing meeting to discuss the report and findings follow.

Visit the official SAS 70 Resource Guide to learn more about SAS 70 compliance.


Feb 23 2009   5:13PM GMT

SAS 70 Internal Controls | Important Facts and Tips to Know



Posted by: Charles Denyer
sas 70 internal controls, SAS 70 Type I, sas 70 type ii

SAS 70 audits test a wide array of internal controls within your organization to help ensure SAS 70 Type I or Type II compliance. What’s interesting to note about these “internal controls” is that you need to truly understand what they are and how they relate to the “control objectives” being tested during the SAS 70 audit.

Technically speaking, internal control is: A process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in various categories.

In simpler terms, internal controls for SAS 70 audits can best be viewed as the processes, procedures, and related activities that YOUR organization has in place to ensure that a structured, safe, sound, and secure “control environment” exists. In short, is your organization dotting its I’s and crossing its T’s when it comes to daily operations?

Now, there is a “best of breed” set of agreed-upon control objectives and related internal controls that should be used for SAS 70 audits, which you can obtain from a quality CPA firm specializing in SAS 70 audits.

However, not all CPA firms use the same control objectives, and technically it’s really up to the organization undergoing the SAS 70 to construct, develop, and agree upon what their internal controls and control objectives will be. In reality, good quality CPA firms can help you with this. Defining SAS 70 internal controls is really a collaborative process, to say the least.


Feb 23 2009   1:11AM GMT

What is SAS 70 | A Question I’m Often Asked by Service Organizations



Posted by: Charles Denyer
What is SAS 70?, SAS 70 Type I, sas 70 type ii, service organizations, aicpa, regulatory compliance, sas70.us.com

What is SAS 70? For those of us in the regulatory compliance and Information Technology world, this would be an absurd question. Well, put yourself in the shoes of businesses who work hard every day, struggling to make ends meet, and then suddenly they’ve been told they need a SAS 70. A SAS what? I field these calls every day from curious-minded individuals who now find themselves locked into the regulatory compliance game that many service organizations have become accustomed to.

So, then. What is SAS 70? Well, it’s an auditing standard put forth by the American Institute of Certified Public Accountants (AICPA) in 1992, which is used to report on controls placed in operation and (if need be) tests of operating effectiveness. English please, right? Okay, in simpler terms, it’s an audit that is used to test a number of controls (i.e., the “checks and balances” you should have in place) throughout your organization.

To add to this, there are TWO types of SAS 70 audits: a Type I and a Type II. Most organizations that have to comply with and go through a SAS 70 audit ultimately prepare for a SAS 70 Type II audit.

Okay, those are the basics. To learn more, visit the official SAS 70 Resource Guide, where you can learn all you need to know about SAS 70 audits to help answer that ever-important question: What is SAS 70?


Feb 8 2009   2:59PM GMT

SAS 70 Audit Guide | Learn the Secrets to SAS 70 Audits



Posted by: Charles Denyer
SAS 70 Type I, sas 70 audit guide, sas 70 scoping and pricing, sas70

Need to learn about SAS 70 audits? Not too sure what the audit actually entails in regards to scope, time, effort and financial considerations? Well, if your organization is seeking to become SAS 70 Type I or Type II compliant for 2009 and beyond, then it’s a good idea to start educating yourself on the particulars of SAS 70 audits. The more informed and educated you are, the greater your success in taking your organization through a SAS 70 audit in a timely, efficient, and cost-effective manner.

Helpful suggestions on learning about SAS 70 audits include the following:

Know the difference between a Type I and Type II audit
Learn about pricing for SAS 70 audits
Understand and comprehend the meaning of audit “scope”
Learn about a SAS 70 Readiness Assessment and how it can help augment the overall audit process for Type I and Type II reports.

Keep in mind that all organizations are different, and as such, your SAS 70 requirements and what you essentially need to “get out” of your report could be significantly different from another company’s. For example, are you just looking to “check the box” for a compliance report, or are you actually seeking value out of your SAS 70 audit?

Visit the official SAS 70 Resource Guide to learn more about SAS 70 Type I and Type II audits.


Dec 31 2008   11:36PM GMT

SAS 70 Audit Reports | Learn About SAS 70 by Obtaining a Sample Report



Posted by: Charles Denyer
sas70, SAS 70, SAS 70 Type I, type ii audit

Many service organizations that have to undergo a SAS 70 Type I or Type II audit have never had the ability to see or read what a final report looks like after the audit has been completed. With a sample report now available, service organizations can gain a greater understanding of the auditing standard, while also having an expectation of what the final report should look and “feel” like.

It’s one of the elements that was missing in the compliance industry, so we thought it was necessary and helpful to put forth an excellent example of a SAS 70 Type II service auditor’s report. And remember, because of the looseness within the auditing standard, no two reports are going to look exactly alike. Sure, there are slight variations among SAS 70 reports, but they should encompass and include most of the elements contained within our sample SAS 70 report, available to all who wish to read on and learn more about Statement on Auditing Standards No. 70.

Please take time to educate yourself on this widely used auditing standard by visiting a number of other areas on the website, such as the white papers section, the industry news section, and the “What is SAS 70” section.


Dec 30 2008   3:21PM GMT

SAS 70 | PCI DSS | 2009 Regulatory Compliance Checklist



Posted by: Charles Denyer
Security, SOX, regulatory compliance, audits, payment card industry, PCI DSS, PCI, pci compliance, SAS 70, SAS 70 readiness questionnaire, What is SAS 70?, SAS 70 checklist, sas70, sas70 sample reports, pci dss qsa, sas 70 control objectives, sas 70 type ii, SAS 70 Type I, pci assessment, sas 70 sample report, sas 70 audit report, payment card industry data security standards

When ushering in the new year festivities, keep in mind that, as 2009 looms just around the corner, a number of regulatory compliance issues will also be facing your organization. No, they’re not stocking stuffers; rather, they can be considered expensive, time-consuming, and arduous, to say the least. Here’s your list of 2009 Regulatory Compliance mandates that may very well find their way into your organization.

SAS 70
SAS 70 Type I and SAS 70 Type II audits have become increasingly popular since the advent of Sarbanes Oxley in 2002. Service organizations, third-party outsourcing entities, and a slew of other companies have had to grapple with the time and costs associated with this widely recognized auditing standard. If your organization needs to become SAS 70 Type I or SAS 70 Type II compliant for 2009 and beyond, then take time to learn about this specialized auditing standard via the most comprehensive website available on SAS 70 audits, sas70.us.com. You can even obtain a free sample SAS 70 Type II report along with downloading numerous white papers and other expert subject matter on SAS 70 Type I and SAS 70 Type II audits.

PCI Compliance
Payment Card Industry Data Security Standards (PCI DSS) compliance is fast becoming a hot regulatory compliance issue. The major payment brands, such as Visa, Mastercard, American Express, Discover and JCB, have agreed on a common set of security provisions for the protection of cardholder data. In summary, any entity directly involved in the processing, storage, or transmission of transaction data or cardholder data should be looked upon as a PCI DSS candidate. But what really is PCI, and where can you learn more about compliance and what your organization needs to do? Visit pciassessment.org, a comprehensive guide to understanding what PCI DSS compliance is and who is affected.