Regulatory Compliance, Governance and Security:

sas 70 type ii

May 31 2009   3:33PM GMT

Policies and Procedures | SAS 70 | PCI DSS | An Auditor’s Viewpoint



Posted by: Charles Denyer
Maintain an Information Security Policy, PCI DSS, charles denyer, SAS 70 Type I, sas 70 type ii, change management, policies and procedures, requirement 12

Policies and Procedures: it’s such a common theme and phrase in today’s regulatory compliance and governance arena, so much so that I think it should have its own Wikipedia page. Developing these documents can be an arduous undertaking. Furthermore, policies and procedures are growing ever larger in scope for compliance initiatives.

Take a look at Requirement 12 for PCI DSS compliance: Maintain an Information Security Policy. It’s quite detailed, to say the least. Furthermore, there are numerous other P&P requirements sprinkled throughout the other 11 PCI DSS requirements.

As for SAS 70, the audit’s success also depends on policies and procedures for a large range of items. A few examples of common P&P documents that may fall under the scope of a SAS 70 Type I or SAS 70 Type II audit are as follows:

Change Management P&P
An organizational wide security policy handbook with documented P&P
Backup P&P
SDLC documentation

To be blunt, most organizations despise authoring these documents for a number of reasons: time, cost, or the simple inability to write effective P&P documents.

Even with that said, organizations need to be aware of the growing requirements for P&P for SAS 70, PCI DSS, and a whole host of other regulatory compliance mandates.

Mar 20 2009   6:34PM GMT

SAS 70 Compliant | Discussion on SAS 70 Auditing Methodologies



Posted by: Charles Denyer
charles denyer, sas 70 resource guide, sas 70 compliant, sas 70 readiness assessment, sas 70 type ii, sas 70 compliance, audit, remediation, isaca, IIA, aicpa

Being SAS 70 compliant is quickly becoming a requirement for many service organizations (i.e., companies that provide outsourcing to another entity) in today’s business arena. Many companies, however, voice frustration in not really understanding the audit methodology used and the process/roadmap for becoming SAS 70 compliant.

Let me distill some of these issues to help you better understand the auditing standard.

First and foremost, auditors who conduct SAS 70 audits use standards put forth by the AICPA and other approved governing bodies and “best of breed” corporate governance institutions (i.e., ISACA, IIA, etc.).

Additionally, what you need to know is that there is a commonly used “Roadmap” for SAS 70 compliance that consists of these sequential steps:

1. SAS 70 Readiness Assessment: Activities necessary for understanding your organization’s control environment, the scope of the audit and other essential areas.

2. Remediation: These are activities needed for becoming SAS 70 compliant. Generally, they include strengthening one’s control environment by utilizing any number of measures (additional security controls, policies and procedures, etc.).

3. Document Gathering: After steps 1 and 2 are completed, auditors need to gather documentation for the audit. This is a collaborative process that includes the auditor and the service organization undergoing the audit. This can take some time.

4. Fieldwork: Auditors will then arrive on-site to conduct fieldwork activities necessary for testing your internal controls in accordance with SAS 70 auditing standards.

5. Outcome of testing/drafting of report/discussion of findings: These are all activities that occur subsequent to fieldwork.

As one can see, being SAS 70 compliant requires the initiation of a number of steps for the audit process.

To learn more about SAS 70 audits, visit the official SAS 70 Resource Guide.


Mar 20 2009   6:20PM GMT

SAS 70 Compliance | Tips on Scoping a SAS 70 Audit



Posted by: Charles Denyer
sas 70 compliance, SAS 70, sas 70 type ii, audit, general controls audit, sas 70 resource guide, charles denyer, managed services sas 70

SAS 70 compliance is commonplace for many of today’s businesses. Unfortunately, one of the missing ingredients in understanding SAS 70 compliance is the scope of the audit. That’s right. The who, what, when, where, and why of the actual SAS 70 audit process. Most service organizations undergoing a SAS 70 audit think that they are all the same, that is, one SAS 70 report should “look and feel” like another report. This is incorrect, as different industries and companies alike have varying requirements on what needs to be covered for SAS 70 compliance.

Here are some things you need to know to help determine SAS 70 scope:

1. What is the test period (if a SAS 70 Type II audit is being conducted)?
2. Where are all the locations (physical offices, data centers) that will be included in the testing of the audit?
3. What is the audit actually COVERING? That is, is it a general controls audit, or are there certain business processes that are being included in the scope of the audit? (This is essentially one of the biggest scoping issues you need to understand and come to an agreement on.)

To learn more about SAS 70 compliance and scoping, visit the official SAS 70 Resource Guide.


Feb 23 2009   5:13PM GMT

SAS 70 Internal Controls | Important Facts and Tips to Know



Posted by: Charles Denyer
sas 70 internal controls, SAS 70 Type I, sas 70 type ii

SAS 70 audits test a wide array of internal controls within your organization for helping ensure SAS 70 Type I or Type II compliance. What’s interesting to note about these “internal controls” is that you need to truly understand what they are and how they relate to the “control objectives” being tested for during the SAS 70 audit.

Technically speaking, internal controls are: a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in various categories.

In simpler terms, internal controls for SAS 70 audits can best be viewed as the processes, procedures, and related activities that YOUR organization has in place for ensuring that a structured, safe, sound, and secure “control environment” exists. In short, is your organization dotting its I’s and crossing its T’s when it comes to daily operations?

Now, there is a “best of breed” set of agreed-upon control objectives and related internal controls that should be used for SAS 70 audits, which you can obtain from a quality CPA firm specializing in SAS 70 audits.

However, not all CPA firms use the same control objectives, and technically, it’s really up to the organization undergoing the SAS 70 to actually construct, develop, and agree upon what their internal controls and control objectives will be. In reality, good quality CPA firms can help you with this. It’s really a collaborative process, to say the least, regarding SAS 70 internal controls.


Feb 23 2009   1:11AM GMT

What is SAS 70 | A Question I’m Often Asked by Service Organizations



Posted by: Charles Denyer
What is SAS 70?, SAS 70 Type I, sas 70 type ii, service organizations, aicpa, regulatory compliance, sas70.us.com

What is SAS 70? For us in the regulatory compliance and Information Technology world, this would be an absurd question. Well, put yourself in the shoes of businesses who work hard every day, struggling to make ends meet, and then suddenly, they’ve been told they need a SAS 70. A SAS what? I field these calls every day from the curious-minded individuals who have now come to find themselves locked into the regulatory compliance game that many service organizations have become accustomed to.

So, then. What is SAS 70? Well, it’s an auditing standard put forth by the American Institute of Certified Public Accountants (AICPA) in 1992, which is used to report on controls placed in operation and (if need be) tests of operating effectiveness. English please, right? Okay, in simpler terms, it’s an audit that is used to test a number of controls (i.e., “checks and balances” you should have in place) throughout your organization.

To add to this, there are TWO types of SAS 70 audits; a Type I and a Type II. Most organizations having to comply with and go through a SAS 70 audit ultimately prepare for a SAS 70 Type II audit.

Okay, these are the basics. To learn more, visit the official SAS 70 Resource Guide, where you can learn all you need to know about SAS 70 audits to help answer that ever-important question: What is SAS 70?


Dec 31 2008   11:14PM GMT

Sarbanes Oxley (SOX) and SAS 70 | Understanding the relationship



Posted by: Charles Denyer
sas70, sas 70 sarbanes oxley sox, sas 70 type ii, PCAOB, SEC, section 404, service organizations, financial reporting, publicly traded companies

Many people often ask me what exactly is the relationship between SOX and SAS 70. The relationship between SOX and SAS 70 begins with Section 404. Because management must report annually on the effectiveness of its internal controls, it then has an obligation to inquire and inspect on all controls considered vital to the organization as a whole, but more importantly, to its financial reporting process. Since a large number of publicly traded companies outsource a host of critical services, these outsourced providers, commonly referred to as “service organizations”, are considered an integral component for purposes of financial reporting. Therefore, a due-diligence process must be enacted to have their internal controls observed and certified. The Securities and Exchange Commission’s (SEC) Chief Accountant and the Division of Corporation Finance have stated that “In many situations, a registrant relies on a third party service provider to perform certain functions where the outsourced activity affects the initiation, authorization, recording, processing or reporting of transactions in the registrant’s financial statement. In assessing internal controls over financial reporting, management may rely on a Type 2 SAS 70 report.” So, there you have it. If you want to learn more about SAS 70, visit the most in-depth web site available on Statement on Auditing Standards No. 70, at www.sas70.us.com


Dec 30 2008   3:21PM GMT

SAS 70 | PCI DSS | 2009 Regulatory Compliance Checklist



Posted by: Charles Denyer
Security, SOX, regulatory compliance, audits, payment card industry, PCI DSS, PCI, pci compliance, SAS 70, SAS 70 readiness questionnaire, What is SAS 70?, SAS 70 checklist, sas70, sas70 sample reports, pci dss qsa, sas 70 control objectives, sas 70 type ii, SAS 70 Type I, pci assessment, sas 70 sample report, sas 70 audit report, payment card industry data security standards

When ushering in the new year festivities, keep in mind that a number of regulatory compliance issues will also be facing your organization as 2009 looms just around the corner. No, they’re not stocking stuffers; rather, they can be considered expensive, time-consuming, and arduous, to say the least. Here’s your list of 2009 Regulatory Compliance mandates that may very well find their way into your organization.

SAS 70
SAS 70 Type I and SAS 70 Type II audits have become increasingly popular since the advent of Sarbanes Oxley in 2002. Service organizations, third party outsourcing entities, and a slew of other companies have had to grapple with the time and costs associated with this widely recognized auditing standard. If your organization needs to become SAS 70 Type I or SAS 70 Type II compliant for 2009 and beyond, then take time to learn about this specialized auditing standard via the most comprehensive website available on SAS 70 audits, sas70.us.com. You can even obtain a free sample SAS 70 Type II report along with downloading numerous white papers and other expert subject matter on SAS 70 Type I and SAS 70 Type II audits.

PCI Compliance
Payment Card Industry Data Security Standards (PCI DSS) compliance is fast becoming a hot regulatory compliance issue. The major payment brands, such as Visa, Mastercard, American Express, Discover and JCB, have unilaterally agreed on a number of security provisions for the protection of cardholder data. In summary, any entity directly involved in the processing, storage, or transmission of transaction data or cardholder data should be looked upon as a PCI DSS candidate. But what really is PCI, and where can you learn more about compliance and what your organization needs to do? Visit pciassessment.org, a comprehensive guide to understanding what PCI DSS compliance is and who is affected.


Dec 30 2008   2:37PM GMT

SAS 70 Audit Reports | Obtain a Sample SAS 70 Type II Audit



Posted by: Charles Denyer
SAS 70, What is SAS 70?, SAS 70 download, SAS 70 overview presentation, sas70, sas70 sample reports, sas 70 control objectives, sas 70 type ii, SAS 70 Type I, sas70 pricing, sas 70 sample report, sas 70 audit report

If you are seeking to learn more about SAS 70 Type I and SAS 70 Type II audits, then one of the most effective ways of truly gaining an understanding of the auditing standard is to see what the finished product looks like, that is, a final SAS 70 audit report. Many people voice great frustration when going through their first SAS 70 audit because they truly don’t know what the SAS 70 audit report “looks and feels” like, that is, what the actual content, format, and layout of the report are.

Having a sample SAS 70 audit report prior to commencement of the audit would greatly benefit service organizations, as they can visually see the important components of what lies in the report itself. sas70.us.com provides sample SAS 70 Type II audit reports for organizations and individuals looking to learn more about Statement on Auditing Standards No. 70, commonly known as SAS 70.

This report will give you an in-depth layout of what a SAS 70 audit report is and what critical components and content make up the report, and it will also allow you to gain a true conceptual understanding of how the audit is actually undertaken and performed by auditors.

Remember, knowledge is power, so the more you know and learn about SAS 70 audits, the more prepared you and your organization will be in undertaking a SAS 70 Type I or SAS 70 Type II audit.


Dec 30 2008   2:19PM GMT

SAS 70 Type II Audits | Become SAS 70 Compliant in a Cost Effective Manner



Posted by: Charles Denyer
Auditing, audits, SAS 70, SAS 70 readiness questionnaire, SAS 70 overview presentation, sas70, sas 70 type ii, SAS 70 Type I, sas70 pricing, sas70 readiness assessment questionnaires, sas 70 audit report

If your organization is seeking to become SAS 70 Type I or SAS 70 Type II compliant for 2009, then it’s time to roll up your sleeves and learn all you can about what a SAS 70 audit actually is, along with many of its inner workings. And why? Knowledge is power. The more information you have about what a SAS 70 audit truly is, the more informed you are about issues for the audit, such as scope, pricing, and testing of controls, just to name a few. Think all SAS 70 audits are alike? Not quite. Does every CPA firm follow the same roadmap when conducting auditing and test procedures for SAS 70 audits? Hardly.

With that said, visit sas70.us.com and learn all you will ever need to know about Statement on Auditing Standards No. 70, simply known as SAS 70. You will be able to obtain critical information regarding SAS 70 audits, such as the history of the auditing standard, pricing considerations and factors to be taken into consideration for a SAS 70 audit, a SAS 70 roadmap for compliance checklist, just to name a few. It’s all part of being able to provide interested readers with a comprehensive guide to one of the most widely used and recognized audits in today’s business world.

So before you accept any proposals from any number of CPA firms that specialize in SAS 70 audits, take the time to educate yourself on the inner workings of what a SAS 70 audit actually is.

Today’s regulatory compliance mandates are here to stay, and so are SAS 70 audits.


Nov 29 2008   5:30PM GMT

SAS 70 Type II Audits | An Auditor’s Expert Opinion on Pricing



Posted by: Charles Denyer
Compliance, SAS 70, SAS 70 readiness questionnaire, sas70, sas70 sample reports, sas 70 control objectives, sas 70 type ii, SAS 70 Type I, sas70 pricing, sas70 readiness assessment questionnaires, sas 70 audit report

People often ask me what the price of a SAS 70 Type I or SAS 70 Type II audit is. My response? That depends, I say, on many, many factors. Here is what needs to be understood when considering pricing factors for SAS 70 Type I and Type II audits:

1. The CPA firm: Are you looking for brand recognition, or are you looking for a cost-effective provider which can simply help you “check the box” for SAS 70 compliance?

2. Scope: What is being examined and tested from a control perspective for SAS 70 audits? Are you looking for just a general controls audit or an audit that also includes specific business processes?

3. Testing period: For SAS 70 Type II audits, what is the testing period going to be? The longer the test period, the more the audit will cost as auditors have to pull larger samples, do more testing, etc.

4. Location of testing: How many physical areas does your organization have that will fall under the scope of the SAS 70 audit? Having more than one means that auditors will ultimately have to travel to numerous locations to conduct more testing. Again, more locations, more time, money, and expenses out of your pocket for the audit itself.

5. Are you confident you can obtain SAS 70 compliance without conducting a SAS 70 readiness assessment? If not and you need assistance identifying weaknesses and gaps within your control environment, then expect to spend more time, money, and resources on the front end of a SAS 70 audit for preparing in an adequate manner.

As you can see, there is no quick, easy, black and white answer to the cost of a SAS 70 Type I or Type II audit.

To learn more about Statement on Auditing Standards No. 70, visit the official SAS 70 Resource Guide, where you can obtain a wealth of information on SAS 70 audits.