Regulatory Compliance, Governance and Security:

sas70

Jun 20 2009   3:20AM GMT

SAS 70



Posted by: Charles Denyer
Statement on Auditing Standards No. 70, sas70, type II, general controls report, control environment, charles denyer, sarbanes oxley act of 2002, SAS 70 Type I

Statement on Auditing Standards No. 70, simply known as SAS 70 to many, has had a profound impact on regulatory compliance since the passage of the Sarbanes-Oxley Act in 2002. As a SAS 70 auditor for many years, I’ve been asked a broad and wide range of questions regarding the who, what, where, when and why of SAS 70 Type I and SAS 70 Type II audits. Thus, if you need to learn everything you possibly can about SAS 70, then visit the official SAS 70 Resource Guide, where a voluminous amount of information is available.

Now, with that said, let me touch on a subject that has been brought up so many times it feels like a broken record: SAS 70 PRICING. So, what do they cost? What SHOULD they cost? These are some of the questions I’ve fielded over the years. With that said, I can tell you what my honest best assessment is for pricing on these engagements, so here you go.

A general controls SAS 70 Type I that covers no real business processes, and where all fieldwork can be done at one location, should be between $15,000 and $25,000.

A general controls SAS 70 Type II that covers no real business processes, and where all fieldwork can be done at one location, should be between $25,000 and $35,000. Subsequent years “could” see a decrease in fees (marginal, that is) if the control environment stays somewhat static.

If you start adding in requirements to test a wide array of specific “business process” controls, the price will go up. Keep in mind, some firms may charge (and do) a slightly cheaper fee than I’ve just quoted. But remember, you get what you pay for, especially with auditors. Find that healthy medium from a quality, boutique CPA firm that specializes in SAS 70 audits and you should be fine.

Feb 18 2009   7:53PM GMT

PCI DSS and SAS 70 Audits | Audit Efficiencies? Maybe…just Maybe



Posted by: Charles Denyer
payment card industry data security standards (PCI DSS), qsa, PCI DSS, SAS 70, sas70, sas 70 audits, pci dss assessments

As a SAS 70 auditor and a PCI QSA, I’m often asked about the efficiencies of scale that can be achieved with SAS 70 audits and PCI DSS assessments. I have blogged about this a few times before, so let me be more clear and transparent in what I believe can actually be obtained in regards to audit efficiencies when conducting a SAS 70 and a PCI DSS assessment on an entity.

First and foremost, as an auditor, there should still be independence between the SAS 70 audit and the PCI DSS assessment. Independence how? Simple: do not treat them as one audit, because they are simply not that. Technically speaking, a PCI assessment is just that, an assessment, not an audit; an audit requires “attestation”. Moreover, there are significant differences between the audit and the assessment, which can be discussed at length (and will be) in a whole different blog.

I stress in the title of this blog that “maybe” there can be audit efficiencies; however, it often depends on the quality of the auditors, their expertise in conducting both a PCI assessment and a SAS 70 audit, and how much they are willing to rely on evidence from the PCI DSS assessment for the SAS 70 audit, and vice versa. Good auditors will find ways to create these efficiencies; other auditors might want to conduct a PCI DSS assessment and rubber stamp a SAS 70. This is a BIG NO NO.

Want to learn more about where these efficiencies of scale can be maximized? To learn more about SAS 70 audits, visit the official SAS 70 Resource Guide and to learn more about PCI DSS Assessments, visit the PCI Resource Guide.


Feb 8 2009   2:59PM GMT

SAS 70 Audit Guide | Learn the Secrets to SAS 70 Audits



Posted by: Charles Denyer
SAS 70 Type I, sas 70 audit guide, sas 70 scoping and pricing, sas70

Need to learn about SAS 70 audits? Not too sure about what the audit actually entails in regards to scope, time, effort and financial considerations? Well, if your organization is seeking to become SAS 70 Type I or Type II compliant for 2009 and beyond, then it’s a good idea to start educating yourself on the particulars of SAS 70 audits. The more informed and educated you are, the greater your success in going through a SAS 70 audit for your organization in a timely, efficient, and cost-effective manner.

Helpful suggestions on learning about SAS 70 audits include the following:

Know the difference between a Type I and Type II audit
Learn about pricing for SAS 70 audits
Understand and comprehend the meaning of audit “scope”
Learn about a SAS 70 Readiness Assessment and how it can help augment the overall audit process for Type I and Type II reports.

Keep in mind that all organizations are different; as such, your SAS 70 requirements and what you essentially need to “get out” of your report could be significantly different from another company’s. For example, are you just looking to “check the box” for a compliance report, or are you actually seeking value out of your SAS 70 audit?

Visit the official SAS 70 Resource Guide to learn more about SAS 70 Type I and Type II audits.


Jan 17 2009   8:00PM GMT

Payment Card Compliance | PCI DSS | Tips on Passing your PCI DSS Assessment



Posted by: Charles Denyer
sas 70 audits, sas70, PCI DSS, payment card industry data security standards, pci compliance, two-factor authentication for pci dss, change management for pci dss

Regarding PCI DSS, as a PCI QSA I’m often asked what the most difficult hurdle is that organizations need to overcome for ensuring PCI DSS compliance. Well, we could talk at length about some of the technical, I.T. challenges, such as two-factor authentication and encryption (though not required, lol!). But in all seriousness, organizations are very deficient in having documented policies and procedures in place for their critical infrastructure. From change management to tape/media backup and recovery procedures, many organizations fail to have these very policies and procedures documented in an organization-wide corporate security document, or something of a similar nature, such as an online WIKI.

So, why is this such a repetitive and persistent problem for companies? For the most part, it has to do with the lack of expertise in writing these documented policies and procedures, along with finding the time to do them. They can be painstakingly slow and arduous to complete. The solution: hire a firm that has experience and expertise in developing and writing policies and procedures for PCI DSS and for any other regulatory compliance mandate your company may encounter, such as SAS 70 audits.


Jan 16 2009   3:46PM GMT

SAS 70 Audits & Data Centers | Tips on Preparing for the Audit



Posted by: Charles Denyer
SAS 70, sas70, payment card industry, PCI, PCI DSS, sas 70 data centers, co-locations, managed services sas 70, change management sas 70, incident management sas 70, physical security, environmental security, incident management

Today’s data centers and managed services providers are complex businesses, providing customers with a wide array of services. As such, SAS 70 audits have become the standard compliance audit for assessing internal controls for data centers and managed services. But buyer beware: not all SAS 70 audits are the same when being conducted on data centers and managed service providers. So, what’s the scope, you say? Well, generally speaking, a good quality SAS 70 audit process and its subsequent report should include the following areas for consideration of controls:

1. Executive Management/Strategic Management Drivers
2. Human Resources
3. Quality Assurance Activities
4. Client Contract Processes
5. Technical Client Provisioning Processes and Activities
6. Change Management
7. Incident Management
8. Logical Security
9. Network Security
10. Shipping and Receiving Management
11. Physical Security
12. Environmental Security

Any SAS 70 conducted on data centers, managed services providers and co-location entities that encompasses the above referenced areas can be considered a quality audit and report, at least in terms of scope. It’s then up to the CPA firm conducting the audit to actually perform testing for these above referenced areas, but that’s a whole other topic of discussion for a later date.

To learn more about SAS 70 audits, visit the official SAS 70 Resource Guide.
To learn more about PCI DSS assessments, visit the Payment Card Industry (PCI) Resource Guide.


Dec 31 2008   11:36PM GMT

SAS 70 Audit Reports | Learn About SAS 70 by Obtaining a Sample Report



Posted by: Charles Denyer
sas70, SAS 70, SAS 70 Type I, type ii audit

Many service organizations who have to undergo a SAS 70 Type I or Type II audit have never had the ability to see or read what a final report looks like after the audit has been completed. With a sample report now available, service organizations can gain a greater understanding of the auditing standard, while also having an expectation of what the final report should look and “feel” like.

It’s one of the elements that was missing in the compliance industry, so we thought it was necessary and helpful to put forth an excellent example of a SAS 70 Type II service auditor’s report. And remember, because of the looseness within the auditing standard, no two reports are going to look exactly alike. Sure, there are slightly different variations of SAS 70 reports, but they should encompass and include most of the elements contained within our sample SAS 70 report, available to all who wish to read on and learn more about Statement on Auditing Standards No. 70.

Please take time to educate yourself on this highly used auditing standard by visiting a number of other areas on the website, such as the white papers section and the industry news section, along with the “What is SAS 70” section.


Dec 31 2008   11:30PM GMT

SAS 70 Audits | Understanding PRICING for SAS 70 Engagements



Posted by: Charles Denyer
sas 70 audit, sas70, Sarbanes-Oxley, SOX, sas 70 type i type ii, cpa firm

SAS 70 Type I and Type II audits have become common for many organizations providing critical outsourcing services to companies. Known as service organizations, they have all landed on the regulatory radar of having to be SAS 70 compliant, due in large part to Sarbanes-Oxley (SOX) or any of a large number of other federal regulatory compliance mandates. I’m often asked how much a SAS 70 Type I or Type II audit costs. Well, that depends on a number of factors and circumstances that will be discussed today.

Issue #1: Choosing a Firm for the SAS 70 Audit

There are a number of providers available for SAS 70 audits, ranging from regional CPA firms to the nationally recognized Big Four firms. And as with anything in life, most organizations try to find the most value for their money, but remember, you get what you pay for. Small firms may be cost-effective, but they may lack the expertise and name recognition of other firms. The Big Four accounting firms will charge you a heavy premium audit fee, yet you get their name on the report, ultimately giving it a high level of recognition, simply based on who they are.

Remember, SAS 70 Type I and Type II audit prices have a wide range, so it’s probably a wise choice to pick something in between: a firm that is specialized, nationally known, not too large and bureaucratic, and that provides you with a cost-effective “fixed fee” that is fair, equitable, and that you can live with.

Issue #2: Scoping the SAS 70 Audit

Numerous factors ultimately come into play for pricing considerations, but scoping is extremely important. It tells you and the CPA firm what will be tested, where it will be tested, and how long the test period will be, if a SAS 70 Type II audit is being performed.

To learn more about SAS 70 audits, visit the official SAS 70 Resource Guide.


Dec 31 2008   11:19PM GMT

SAS 70 and Regulatory Audits | What is the Impact to our Economy?



Posted by: Charles Denyer
sas70, SAS 70, glba, HIPAA, Sarbanes-Oxley, impacts of audits to economy, section 404, SOX, PCI, payment card industry

The impacts, in my opinion, are the following. Interestingly, the last decade has seen somewhat of a shift in auditing. That’s not to say there has been a decrease in this specialized service; quite to the contrary. The shift has occurred as financial statement auditing has begun to see somewhat of a flat line in growth, while highly specialized audits, such as Statement on Auditing Standards No. 70 (SAS 70), have been given the limelight. Regulatory legislation, such as the Sarbanes-Oxley Act of 2002, the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and numerous other federal and state laws, has pushed audits such as SAS 70 into the forefront. Additional audit or examination procedures that are non-financial in nature include the Payment Card Industry (PCI) audits, which are undertaken by entities that process credit card transactions, along with numerous ISO quality audits.

From a regulatory compliance perspective, the impacts of audits on the economy have resulted in many service organizations having to become SAS 70 Type II compliant. It all starts with Section 404 of the Sarbanes-Oxley Act of 2002. In simple terms, Section 404 states that management must establish effective internal controls as they relate to financial reporting and must also gain assurances from outsourced third-party vendors (i.e., service organizations) whose controls can affect financial reporting. Though it may sound somewhat vague and blurred, it’s really quite straightforward. Take note of the following example to see the effect SAS 70 has on Section 404 for publicly traded companies.


Dec 31 2008   11:14PM GMT

Sarbanes Oxley (SOX) and SAS 70 | Understanding the relationship



Posted by: Charles Denyer
sas70, sas 70 sarbanes oxley sox, sas 70 type ii, PCAOB, SEC, section 404, service organizations, financial reporting, publicly traded companies

Many people often ask me what exactly the relationship is between SOX and SAS 70. The relationship between SOX and SAS 70 begins with Section 404. Because management must report annually on the effectiveness of its internal controls, it then has an obligation to inquire into and inspect all controls considered vital to the organization as a whole, but more importantly, to its financial reporting process. Since a large number of publicly traded companies outsource a host of critical services, these outsourced providers, commonly referred to as “service organizations”, are considered an integral component for purposes of financial reporting. Therefore, a due-diligence process must be enacted to have their internal controls observed and certified. The Securities and Exchange Commission’s (SEC) Chief Accountant and the Division of Corporation Finance have stated that “In many situations, a registrant relies on a third party service provider to perform certain functions where the outsourced activity affects the initiation, authorization, recording, processing or reporting of transactions in the registrant’s financial statement. In assessing internal controls over financial reporting, management may rely on a Type 2 SAS 70 report.” So, there you have it. If you want to learn more about SAS 70, visit the most in-depth web site available on Statement on Auditing Standards No. 70, at www.sas70.us.com


Dec 30 2008   3:21PM GMT

SAS 70 | PCI DSS | 2009 Regulatory Compliance Checklist



Posted by: Charles Denyer
Security, SOX, regulatory compliance, audits, payment card industry, PCI DSS, PCI, pci compliance, SAS 70, SAS 70 readiness questionnaire, What is SAS 70?, SAS 70 checklist, sas70, sas70 sample reports, pci dss qsa, sas 70 control objectives, sas 70 type ii, SAS 70 Type I, pci assessment, sas 70 sample report, sas 70 audit report, payment card industry data security standards

When ushering in the new year festivities, keep in mind that a number of regulatory compliance issues will also be facing your organization as 2009 looms just around the corner. No, they’re not stocking stuffers; rather, they can be considered expensive, time-consuming, and arduous, to say the least. Here’s your list of 2009 Regulatory Compliance mandates that may very well find their way into your organization.

SAS 70
SAS 70 Type I and SAS 70 Type II audits have become increasingly popular since the advent of Sarbanes-Oxley in 2002. Service organizations, third party outsourcing entities, and a slew of other companies have had to grapple with the time and costs associated with this widely recognized auditing standard. If your organization needs to become SAS 70 Type I or SAS 70 Type II compliant for 2009 and beyond, then take time to learn about this specialized auditing standard via the most comprehensive website available on SAS 70 audits, sas70.us.com. You can even obtain a free sample SAS 70 Type II report, along with downloading numerous white papers and other expert subject matter on SAS 70 Type I and SAS 70 Type II audits.

PCI Compliance
Payment Card Industry Data Security Standards (PCI DSS) compliance is fast becoming a hot regulatory compliance issue. The major payment brands, such as Visa, Mastercard, American Express, Discover and JCB, have unilaterally agreed on a number of security provisions for the protection of cardholder data. In summary, any entity directly involved in the processing, storage, or transmission of transaction data or cardholder data should be looked upon as a PCI DSS candidate. But what really is PCI, and where can you learn more about compliance and what your organization needs to do? Visit pciassessment.org, a comprehensive guide to understanding what PCI DSS compliance is and who is affected.