Regulatory Compliance, Governance and Security:

sas70.us.com

Jul 8 2009   7:27PM GMT

SAS 70 Compliance | Why a Readiness Assessment is Essential for the Audit

Posted by: Charles Denyer
sas70.us.com, sas 70 resource guide, SAS 70, type i, type II, sas 70 readiness assessment, gap analysis, control environment

Many service organizations having to undergo SAS 70 Type I or SAS 70 Type II compliance would greatly benefit from a SAS 70 Readiness Assessment. So, let’s clear the air as to what this actually is.

A SAS 70 Readiness Assessment should be a proactive exercise that benefits the overall SAS 70 audit process. A Readiness Assessment should therefore include the following:

1. A series of in-depth and comprehensive questionnaires that help examine the control environment of a service organization, while assisting in identifying any weaknesses or deficiencies within the overall control framework.
2. A gap analysis or “findings” of deficiencies and what corrective action is needed to strengthen the control environment of the service organization.

A quality CPA firm should be able to provide you with a series of highly customized SAS 70 Readiness Assessment Questionnaires, along with giving the service organization expert guidance and assistance in answering them.

If you want to learn more about what a Readiness Assessment actually entails, then visit the Official SAS 70 Resource Guide.

May 30 2009   8:26PM GMT

SAS 70 Control Objectives for Investment Advisers | Custodial Operations

Posted by: Charles Denyer
Custody of Funds or Securities of Clients by Investment Advisers, File No. S7-09-09, charles denyer, SAS 70, control objectives, investment advisors, custodial operations, client funds or securities along with performing custodial duties and operations, cash and security positions, net settlement procedures, securities income, market values of securities, sample sas 70 type II report, sas70.us.com, investment advisers

The SEC released a draft of proposed changes regarding “Custody of Funds or Securities of Clients by Investment Advisers” (File No. S7-09-09), calling for more oversight and controls over investment advisers or related persons who have custody of client funds or securities along with performing custodial duties and operations.

In short, the proposed changes may require a “surprise examination” and an “internal control report” for these very entities that have custody of client funds or securities along with performing custodial duties and operations.

The proposed control objectives are as follows:

• Physical securities are safeguarded from loss or misappropriation;
• Cash and security positions are reconciled accurately and on a timely basis between the custodian and depositories, and between the custodian and accounting systems;
• Client-initiated trades are properly authorized and recorded completely and accurately in the client account;
• Securities income and corporate action transactions are processed to client accounts in an accurate and timely manner;
• Net settlement procedures for delivery and receive transactions are performed accurately;
• Documentation for the opening of accounts is received and authenticated, and established completely and accurately on the applicable system; and
• Market values of securities obtained from various outside pricing sources have been recorded accurately in client accounts.

If you want to learn more about these proposed changes and would like to receive a sample SAS 70 Type II report, then visit the official SAS 70 Resource Guide at sas70.us.com.


Apr 30 2009   3:13PM GMT

SAS 70 Compliance | A Step-by-Step Process for SAS 70 Type I and Type II Audits

Posted by: Charles Denyer
sas70.us.com, sas 70 compliance, charles denyer, SAS 70 Type I, type ii audit, sas70 services, sas 70 readiness assessment

SAS 70 compliance is a multi-phased, process-based methodology that is undertaken by organizations seeking to become SAS 70 Type I or Type II compliant. As a SAS 70 auditor, I’m often asked what the SAS 70 audit process is, how long it takes, and what “bumps” in the road can occur. Thus, listed below are the major activities that must be undertaken to ensure your organization is on the right path to SAS 70 compliance.

1. Choose a CPA firm that provides SAS 70 services on a fixed-fee, not an hourly, basis.
2. Identify the SAS 70 audit that must be undertaken: either a Type I or a Type II audit.
3. If a Type II audit is your goal, identify the “test period” for the audit.
4. Discuss the scope of the audit, that is, what “business processes” are being covered and what physical locations will have to be a part of the testing process.
5. Begin a SAS 70 Readiness Assessment phase. This helps further identify the scope of the audit along with highlighting any weaknesses in your control environment.
6. If necessary, conduct remediation activities that were identified during the SAS 70 Readiness Assessment.
7. Once the above phases are complete, start to discuss fieldwork testing and the collection of the documents the auditor will need to facilitate the audit.
8. Ask the auditor for a list of items that will need to be collected prior to the audit fieldwork.
9. Plan and prepare accordingly with the auditors for fieldwork.
10. Once fieldwork is complete, the auditing firm should report its findings to you, allowing you to respond to any exceptions found during testing.
11. Drafting of the report and a final closing meeting to discuss the report and findings follow.

Visit the official SAS 70 Resource Guide to learn more about SAS 70 compliance.


Feb 23 2009   1:11AM GMT

What is SAS 70 | A Question I’m Often Asked by Service Organizations

Posted by: Charles Denyer
What is SAS 70?, SAS 70 Type I, sas 70 type ii, service organizations, aicpa, regulatory compliance, sas70.us.com

What is SAS 70? For us in the regulatory compliance and Information Technology world, this would be an absurd question. Well, put yourself in the shoes of businesses who work hard every day, struggling to make ends meet, and then suddenly, they’ve been told they need a SAS 70. A SAS what? I field these calls every day from the curious-minded individuals who have now come to find themselves locked into the regulatory compliance game that many service organizations have become accustomed to.

So, then. What is SAS 70? Well, it’s an auditing standard put forth by the American Institute of Certified Public Accountants (AICPA) in 1992, which is used to report on controls placed in operation and (if need be) tests of operating effectiveness. English please, right? Okay, in simpler terms, it’s an audit that is used to test a number of controls (i.e., “checks and balances” you should have in place) throughout your organization.

To add to this, there are TWO types of SAS 70 audits: a Type I and a Type II. Most organizations having to comply with and go through a SAS 70 audit ultimately prepare for a SAS 70 Type II audit.

Okay, those are the basics. To learn more, visit the official SAS 70 Resource Guide, where you can learn all you need to know about SAS 70 audits to help answer that ever-important question: What is SAS 70?


Jan 28 2009   1:03PM GMT

SAS 70 Audits and PCI DSS Compliance | A Two for One Audit? Not Quite

Posted by: Charles Denyer
payment card industry data security standards (PCI DSS), PCI DSS, qsa, cpa, pci dss report on compliance (ROC), pciassessment.org, sas70.us.com

As an accountant and a PCI Qualified Security Assessor (QSA), I’m seeing more and more auditors essentially provide audit and fieldwork services for both a SAS 70 and a PCI DSS assessment at the same time, then issue a PCI DSS Report on Compliance (ROC) and a SAS 70 Type II Service Auditor’s Report. While I am all for audit efficiencies, there does need to be some degree of engagement independence, both in an administrative manner (different engagement letters, etc.) and in terms of audit expertise (both CPAs and QSAs need to be involved in their respective assignments and committed to the work at hand).

Furthermore, SAS 70 audits will also examine areas not covered by PCI DSS assessments, and the same is true for PCI DSS assessments covering technical areas traditionally not under the scope of a SAS 70 audit. As professionals, we need to be careful not to blur the lines and distinctions between CPAs and QSAs, and to maintain professional independence with regard to the work that each does and what they are qualified to do.

To learn more about SAS 70 audits, visit the official SAS 70 Resource Guide.
To learn more about PCI DSS assessments, visit pciassessment.org.


Dec 31 2008   11:25PM GMT

SAS 70 Audits and PCI DSS Compliance | What You NEED to Know

Posted by: Charles Denyer
PCI DSS, payment card industry data security standards, qsa, asv, SAS 70, sas 70 type ii audit, sas70.us.com, pciassessment.org

As an auditor, I am constantly approached by my clients desperately wanting to know if efficiencies can be obtained within the audit and assessment process for companies undergoing both a SAS 70 audit and a PCI DSS assessment. There’s no simple yes-or-no, black-or-white answer to this, as many variables come into play when conducting a SAS 70 audit or a PCI DSS assessment for organizations.

What I can tell you, though, is that there are some common themes and drivers seen in both a SAS 70 audit and a PCI DSS assessment. Both a SAS 70 audit and a PCI DSS assessment rely heavily on the existence of documented policies and procedures. Furthermore, both of these examinations also examine various aspects of physical security, network security, logical security, and change management, to name a few. Quickly, you can see some overlapping themes in both a SAS 70 audit and a PCI DSS assessment. So, that’s the YES answer to “audit efficiencies can be obtained” when a company has to undertake a SAS 70 audit and a PCI DSS assessment.

So, what’s the NO, or the gray area? Keep in mind that the PCI DSS assessment is a very technical examination, much more so than a SAS 70 audit. At the same time, a SAS 70 audit also covers comprehensive business process controls applicable to the specific entity being examined for a SAS 70. A PCI DSS assessment generally does not cover or assess the specific business processes that a SAS 70 would. Thus, you can see the gaps between these two examinations.

To learn more about what SAS 70 is, visit the official SAS 70 Resource Guide.

To learn about Payment Card Industry (PCI) DSS compliance, visit the official PCI Resource Guide.