Sas70 Sample Reports archives - Regulatory Compliance, Governance and Security


Dec 30 2008   3:21PM GMT

SAS 70 | PCI DSS | 2009 Regulatory Compliance Checklist



Posted by: Charles Denyer
Security, SOX, regulatory compliance, audits, payment card industry, PCI DSS, PCI, pci compliance, SAS 70, SAS 70 readiness questionnaire, What is SAS 70?, SAS 70 checklist, sas70, sas70 sample reports, pci dss qsa, sas 70 control objectives, sas 70 type ii, SAS 70 Type I, pci assessment, sas 70 sample report, sas 70 audit report, payment card industry data security standards

When ushering in the new year festivities, keep in mind that a number of regulatory compliance issues will also be facing your organization as 2009 looms just around the corner. No, they’re not stocking stuffers; rather, they can be considered expensive, time-consuming, and arduous, to say the least. Here’s your list of 2009 Regulatory Compliance mandates that may very well find their way into your organization.

SAS 70
SAS 70 Type I and SAS 70 Type II audits have become increasingly popular since the advent of Sarbanes-Oxley in 2002. Service organizations, third-party outsourcing entities, and a slew of other companies have had to grapple with the time and costs associated with this widely recognized auditing standard. If your organization needs to become SAS 70 Type I or SAS 70 Type II compliant for 2009 and beyond, then take time to learn about this specialized auditing standard via the most comprehensive website available on SAS 70 audits, sas70.us.com. You can even obtain a free sample SAS 70 Type II report along with downloading numerous white papers and other expert subject matter on SAS 70 Type I and SAS 70 Type II audits.

PCI Compliance
Payment Card Industry Data Security Standards (PCI DSS) compliance is fast becoming a hot regulatory compliance issue. The major payment brands, such as Visa, Mastercard, American Express, Discover and JCB, have unilaterally agreed on a number of security provisions for the protection of cardholder data. In summary, any entity directly involved in the processing, storage, or transmission of transaction data or cardholder data should be looked upon as a PCI DSS candidate. But what really is PCI, and where can you learn more about compliance and what your organization needs to do? Visit pciassessment.org, a comprehensive guide to understanding what PCI DSS compliance is and who is affected.

Dec 30 2008   2:37PM GMT

SAS 70 Audit Reports | Obtain a Sample SAS 70 Type II Audit



Posted by: Charles Denyer
SAS 70, What is SAS 70?, SAS 70 download, SAS 70 overview presentation, sas70, sas70 sample reports, sas 70 control objectives, sas 70 type ii, SAS 70 Type I, sas70 pricing, sas 70 sample report, sas 70 audit report

If you are seeking to learn more about SAS 70 Type I and SAS 70 Type II audits, then one of the most effective ways of truly gaining an understanding of the auditing standard is to see what the finished product looks like, that is, a final SAS 70 audit report. Many people voice great frustration when going through their first SAS 70 audit because they truly don’t know what the SAS 70 audit report “looks and feels” like, that is, what the actual content, format, and layout of the report are.

Having a sample SAS 70 audit report prior to commencement of the audit will greatly benefit service organizations, as they can visually see the important components of what lies in the report itself. sas70.us.com provides sample SAS 70 Type II audit reports for organizations and individuals looking to learn more about Statement on Auditing Standards No. 70, commonly known as SAS 70.

This report will give you an in-depth layout of what a SAS 70 audit report is and what the critical components and content are that make up the report, and it will also allow you to gain a true conceptual understanding of how the audit is actually undertaken and performed by auditors.

Remember, knowledge is power, so the more you know and learn about SAS 70 audits, the more prepared you and your organization will be in undertaking a SAS 70 Type I or SAS 70 Type II audit.


Nov 29 2008   5:30PM GMT

SAS 70 Type II Audits | An Auditor’s Expert Opinion on Pricing



Posted by: Charles Denyer
Compliance, SAS 70, SAS 70 readiness questionnaire, sas70, sas70 sample reports, sas 70 control objectives, sas 70 type ii, SAS 70 Type I, sas70 pricing, sas70 readiness assessment questionnaires, sas 70 audit report

People often ask me what the price of a SAS 70 Type I or SAS 70 Type II audit is. My response? That depends, I say, on many, many factors. Here is what needs to be understood when considering pricing factors for SAS 70 Type I and Type II audits:

1. The CPA firm: Are you looking for brand recognition, or are you looking for a cost-effective provider which can simply help you “check the box” for SAS 70 compliance?

2. Scope: What is being examined and tested from a control perspective for SAS 70 audits? Are you looking for just a general controls audit or an audit that also includes specific business processes?

3. Testing period: For SAS 70 Type II audits, what is the testing period going to be? The longer the test period, the more the audit will cost as auditors have to pull larger samples, do more testing, etc.

4. Location of testing: How many physical areas does your organization have that will fall under the scope of the SAS 70 audit? Having more than one means that auditors will ultimately have to travel to numerous locations to conduct more testing. Again, more locations, more time, money, and expenses out of your pocket for the audit itself.

5. Are you confident you can obtain SAS 70 compliance without conducting a SAS 70 readiness assessment? If not and you need assistance identifying weaknesses and gaps within your control environment, then expect to spend more time, money, and resources on the front end of a SAS 70 audit for preparing in an adequate manner.

As you can see, there is no quick, easy, black and white answer to the cost of a SAS 70 Type I or Type II audit.

To learn more about Statement on Auditing Standards No. 70, visit the official SAS 70 resource guide, where you can obtain a wealth of information on SAS 70 audits.


Sep 26 2008   5:45PM GMT

SAS70 Frequently Asked Questions | A guide to the “Hot Topics”



Posted by: Charles Denyer
regulatory compliance, SAS 70, sas70, sas70 sample reports, sas70 readiness assessment questionnaires

SAS70 auditing has become a staple in today’s growing regulatory compliance world. As such, I have put together a list of questions and answers for SAS70 issues that are commonly asked of me:

1. How much does a SAS70 audit cost?
That depends on a number of issues, such as the scope of the audit, whether you are required to be SAS70 Type I or Type II compliant, and whether you have ever had a SAS70 audit conducted on your organization before. However, do remember this: get a FIXED FEE for the audit, that is, make sure all out-of-pocket and travel expenses are included in the FIXED FEE.

2. We have never had a SAS70 audit done before, what and where is the best place to start?
Start with a SAS70 Readiness Assessment: a series of highly customized questionnaires that help guide and facilitate the overall SAS70 audit process for your organization. You don’t go from first to third without a pit stop at second. The same theory holds true for SAS70 audits: don’t jump right into a SAS70 Type I or Type II without conducting preliminary work and analysis on your controls, your manpower, and the overall audit process. Get a SAS70 Readiness Assessment done; it will prove invaluable. You can even obtain free SAS70 Readiness Assessment questionnaires from the official SAS70 Resource Guide, developed by NDB Accountants and Consultants.

3. Can you fail a SAS70 audit? Technically, you can be given a “qualified” or adverse opinion on the audit. However, if you go through a SAS70 Readiness Assessment and learn from the deficiencies you have found, your organization should be able to successfully get a clean, “unqualified” SAS70 opinion.

Want to learn more about SAS70 audits? Then ask for a complimentary SAS70 Type II audit report. You will learn much about the auditing standard from this report.


Sep 26 2008   5:33PM GMT

SAS70 Audit Reports for Data Centers | Important Facts to Know



Posted by: Charles Denyer
managed services, co-location, SAS 70, sas70, sas70 sample reports, data centers, sas 70 type ii

SAS70 audits have quickly become a mainstay in the world of data centers, managed services and co-location entities, and this will no doubt continue to grow. This is happening for a large number of reasons, but primarily because data centers (and any variant thereof, such as managed services and co-location entities offering “ping, power and pipe”) are hosting an ever-growing and enormous amount of information for many service providers. These service providers are commonly being asked to be SAS70 Type II compliant. As such, the data centers used by these very service organizations are commonly included within the scope of the SAS70 audit.

And what should data centers take from this? A good idea would be to become SAS70 compliant, and here’s why.

1. SAS70 compliance helps mitigate and possibly eliminate many of the specialized requests your clients make in order to facilitate their own SAS70 compliance.

2. It greatly helps with business development and marketing for data centers.

3. It helps unearth any weaknesses or deficiencies you may have within your control environment.

To learn more about SAS70 audits and data centers and to receive a complimentary SAS70 Type II audit report, visit the official SAS70 Resource Guide.


Sep 26 2008   5:18PM GMT

SAS70 Pricing for Type I & Type II Audits | Important Facts



Posted by: Charles Denyer
sas70, sas70 sample reports, sas 70 type ii, SAS 70 Type I, sas70 pricing

SAS70 pricing for Type I and Type II audits is still a hot topic for regulatory compliance these days, and for good reason. The huge rise in SAS70 audits over the past five years has created a true need for accountants and auditors to perform these specialized audits. As a SAS70 auditor for many years now, I have noticed some interesting trends regarding SAS70 pricing, and I have some thoughts on where it is going.

First and foremost, SAS70 pricing has gradually moved towards a “Fixed Fee”, that is, a SAS70 audit price that also includes travel and any out-of-pocket miscellaneous expenses. If your organization is looking to become SAS70 compliant, then get a fixed fee for all the proposals you receive.

Prices are coming down. Five years ago, only a handful of accounting firms conducted SAS70 audits. Take a look at Google lately and search for the term “SAS70” and WOW, CPA firms are everywhere! Well, that’s good news for service organizations looking to become SAS70 Type I or Type II compliant.

Pricing will probably stabilize. For a good quality reputable SAS70 firm, SAS70 Type I and Type II fees are becoming very reasonable. What’s more, good firms have also figured out a way to do more and more work remotely, thus minimizing business interruption for their clients.

To learn more about SAS70 pricing, or to receive a complimentary SAS70 Type II audit report, visit the official SAS70 resource guide at www.sas70.us.com.


Sep 21 2008   4:51PM GMT

SAS70 Control Objectives | Here’s What You Need to Know



Posted by: Charles Denyer
sas70, sas70 sample reports, sas 70 control objectives, sas 70 type ii, SAS 70 Type I

As a SAS70 auditor, organizations often ask me how control objectives are developed. Technically, it is the service organization’s responsibility to develop SAS70 control objectives. However, in reality, it’s looked upon as a collaborative effort by a number of parties involved in the overall SAS70 audit process.

Here’s how it works in theory.

Service organizations that are new to the SAS70 audit process will generally seek guidance and assistance from the CPA firm that will ultimately be conducting the SAS70 audit. This is common because the CPA firm has years of experience in conducting SAS70 Type I or Type II audits and will thus be able to give a service organization a set of industry-accepted SAS70 control objectives to use as a starting point. The service organization can then customize these if they desire, use them as they are in an off-the-shelf mode, or design their own control objectives. Generally, most service organizations tend to “adopt” the control objectives put forth by the CPA firm, along with making slight modifications or adding some specific control objectives based on audit scope and/or certain requirements from clients and/or user organizations who are ultimately requesting the SAS70 audit.

To learn more about SAS70 audits, visit the official SAS70 resource guide where you can obtain an actual SAS70 Type II audit report for gaining a greater understanding of what a SAS70 actually is.


Sep 20 2008   4:32PM GMT

SAS70 Audits & Business Continuity Disaster Recovery (BCDR)



Posted by: Charles Denyer
SAS 70, What is SAS 70?, sas70, sas70 sample reports, BCDR, BCM, Business Continuity Disaster Recovery

SAS70: I’m often asked about Business Continuity & Disaster Recovery (BCDR) when preparing a new client for a SAS70 Type I or Type II audit. Specifically, they ask me whether it is a requirement for a SAS70 audit and what they should be doing in order to adequately prepare and document a BCDR strategy and plan.

Technically, NO: BCDR or any variation thereof (also commonly known as BCM, etc.) is NOT a requirement for testing in a SAS70 audit, based purely on the amended SAS70 publications of 2005 and 2007, which state that a “plan is not a control objective”; thus BCDR and BCM plans are not included in the scope of the SAS70. That’s the technical NO answer.

In theory, many auditors would say that YES, a BCDR or BCM plan should be in scope and should have a control objective in place for testing for the plan.

Regardless of which decision the auditor makes, it’s paramount that service organizations have a working and documented BCDR or BCM plan in place. It just makes good business sense.

To learn more about what SAS70 is, visit the official SAS70 resource guide, where you can receive a complimentary SAS70 Type II audit report.


Sep 20 2008   2:23PM GMT

SAS70 Checklist | How to Prepare for a SAS70 Audit



Posted by: Charles Denyer
Security, audits, SAS 70, SAS 70 readiness questionnaire, SAS 70 checklist, sas70, sas70 sample reports

As a SAS70 auditor, I’m often asked how organizations should prepare for a SAS70 audit. In fact, companies and organizations alike commonly ask me for a SAS70 checklist. I simply reply by asking: a checklist for what? For how to prepare for the audit, for what the audit scope is, etc.? You see, the phrase SAS70 checklist is just too broad and vague.

What organizations really need to do for preparing for a SAS70 audit is to conduct a SAS70 Readiness Assessment, which essentially covers a broad range of topics and subject matter for a SAS70 Type I or SAS70 Type II audit. In fact, a SAS70 Readiness Assessment will help your organization truly understand what a SAS70 audit is, how an organization actually undertakes this type of audit, along with other essential activities. Here’s an example of the core functional areas that a SAS70 Readiness Assessment would cover within an organization. Please keep in mind that this is a general reference and scope can change based on the SAS70 audit itself. But by and large, any reputable CPA firm helping you with a SAS70 Readiness Assessment will almost surely include these areas:

* Organization and Administration: Executive Tone & Human Resources
* Incident Management
* Change Management
* Logical Security
* Network Security
* Physical Security
* Environmental Security
* Computer Operations
* Business Continuity and Disaster Recovery Planning (BCDRP)

To learn more about SAS70 audits, visit the official SAS70 Resource Guide, where you can receive a sample SAS70 audit report.


Sep 8 2008   4:04PM GMT

SAS70 Reports | Know the Difference Between Type I & Type II



Posted by: Charles Denyer
Security, Compliance, Sarbanes-Oxley, regulatory compliance, audits, sas70, sas70 sample reports

If your company needs to be SAS70 compliant, then a good start is to learn what a SAS70 audit is and what the difference is between a SAS70 Type I and a SAS70 Type II audit report.

In short, a SAS70 Type I is simply an audit that is a snapshot in time; an audit for a particular day. For example, a Type I report would be given a date of August 31, 2008.

A SAS70 Type II audit report is a report that tests the operating effectiveness of the controls over a period of time, traditionally six (6) months. For example, a SAS70 Type II report would cover a period from January 1, 2008 to June 30, 2008.

It is important to note that a SAS70 Type II is what the market is calling for, that is, it suffices for Sarbanes-Oxley compliance and is looked upon as a far superior audit to a SAS70 Type I report.

A good example of learning more about SAS70 audits is to obtain a SAS70 sample report, whereby you can read and understand what the major components and parts are of a final report.