SOX

May 13 2009   7:44PM GMT

SAS 70 Audits for Data Centers | It’s a “SaaS”y Environment

Posted by: Charles Denyer
Compliance, sas 70 and SaaS, Software as a Service, SOX, charles denyer, data centers, managed services, colocation

SAS 70 audits are being performed at a record pace these days on data centers, managed service providers and co-location entities. The big question is why? Well, there are many general answers that we all hear, such as “Oh, it’s just today’s compliance environment” or “SOX has really affected our business”.

Sure, these are true statements, somewhat boiler plate, but they are true.

In reality, dig a little deeper and stretch a little further into the insight and analysis and you will find that a large number of entities are operating in a Software as a Service (SaaS) mode and function, which essentially has resulted in the explosive growth for many data centers. These companies who have a SaaS business model are being hit quite hard by the SAS 70 compliance mantra from their clients and as such, the down stream effect is that data centers are now included in the scope of many SaaS entities. Amazing what 2 to 3 years can do to the I.T. industry. I say this because it was not that long ago (2005 or so) that a large number of Data Centers were not SAS 70 compliant…and i argue that a big reason for this change has been that SaaS entities occupy racks and racks of space now days.

So there is your SAS 70 and SaaS connection.

But hey, as a SAS 70 Auditor, it’s just my opinion.

Apr 27 2009   2:06AM GMT

Sarbanes Oxley (SOX) and SAS 70 | What Does the Future Hold?

Posted by: Charles Denyer
Compliance, Sarbanes-Oxley, SAS 70, SOX, PCI, charles denyer, corporate governance

Sarbanes Oxley and SAS 70 audits have had a monumental impact on corporate governance and compliance. So much so, they almost invented a huge part of the pie. As a SAS 70 auditor, i’m often asked what does the future hold for Sarbanes Oxley (SOX) compliance and also SAS 70.

Well, my friends, let’s take a look at the crystal ball and let me give you my thoughts on SOX and SAS 70.

First and foremost, compliance is NOT going away. Sure, there have been growing pains with the cost and time associated with SOX compliance, but those costs are starting to become greatly streamlined as organizations are finding ways to be more efficient with SOX compliance. In short, it’s here to stay, so consider it a part of life in the business world. With the rash of fraud that occurred on Wall Street which almost toppled the capital markets overnight, there will no doubt be MORE compliance laws, regulations, and rules echoing out of the halls of congress. I would not be worried and thinking too much about SOX, but rather, what else is in the witches brew that could be cooked up on Capital Hill. Think i’m kiding? PCI compliance recently became codified into law in MN with many other states following closely behind.

With SOX staying, you can rest assured that SAS 70 will be hanging around like a little brother. And why not, it’s been a hugely successful internal control auditing mechanism that has shed light on service organizations and how they conduct business.

Compliance is a way of life; as sure as death and taxes. The key is finding a way to meet compliance in a cost-effective and streamlined manner.

Dec 31 2008   11:30PM GMT

SAS 70 Audits | Understanding PRICING for SAS 70 Engagements

Posted by: Charles Denyer
sas 70 audit, sas70, Sarbanes-Oxley, SOX, sas 70 type i type ii, cpa firm

SAS 70 Type I and Type II audits have become common for many organizations providing critical outsourcing services to companies. Known as service organizations, they have all landed on the regulatory radar of having to be SAS 70 compliant, due in large part because of Sarbanes Oxley (SOX) or any other large number of federal regulatory compliance mandates.. I’m often asked how much does a SAS 70 Type I or Type II audit cost. Well, that depends on a number of factors and circumstances that will be discussed today.

Issue #1: Choosing a Firm for the SAS 70 Audit

There are a number of providers available for SAS 70 audits, ranging from regional CPA firms to the nationally recognized big four firms. And as with anything in life, most organizations try to find the most value for their money, but remember, you get what you pay for. Small firms may be cost-effective, but they may lack the expertise and name recognition of other firms. The big four accounting firms will charge you a heavy premium audit fee, yet you get their name on the report, ultimately giving it a high level of recognition, simply based on who they are.

Remember, SAS 70 Type I and Type II audit prices have a wide range, so it’s probably a wise choice to pick in between, that is, a firm who is specialized, nationally known, not too large and bureaucratic, and provides you with a cost-effective, “fixed fee” that is fair, equitable, and you can live with.

Issue #2: Scoping the SAS 70 Audit

Numerous factors ultimately come into play for pricing considerations, but scoping is extremely important. It tells you and the CPA firm what will be tested, where it will be tested, and how long the test period will be, if a SAS 70 Type II audit is being performed.

To learn more about SAS 70 audits, visit the official sas 70 resource guide.

Dec 31 2008   11:19PM GMT

SAS 70 and Regulatory Audits | What is the Impact to our Economy?

Posted by: Charles Denyer
sas70, SAS 70, glbay, HIPAA, Sarbanes-Oxley, impacts of audits to economy, section 404, SOX, PCI, payment card industry

The impacts, in my opinion, are the following. Interestingly, the last decade has seen somewhat of a shift in auditing. That’s not to say there has been a decrease in this specialized service, quite to the contrary. The shift has occurred as financial statement auditing has begun to see somewhat of a flat line in growth, while highly specialized audits, such as Statement on Auditing Standards No. 70 (SAS 70) have been given the limelight. Regulatory legislation, such as the Sarbanes-Oxley Act of 2002, the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach Bliley Act (GLBA), and numerous other federal and state laws have pushed audits, such as SAS 70, into the forefront. Additional audit or examination procedures that are non-financial in nature include the Payment Card Industry (PCI) audits, which are undertaken by entities that process credit card transactions, along with numerous ISO quality audits.

From a regulatory compliance perspective, impacts of audits to the economy have resulted in many service organizations having to become SAS 70 Type II compliant. It all starts with Section 404 of the Sarbanes-Oxley Act of 2002. In simple terms, section 404 states that management must establish effective internal controls as it relates to financial reporting and must also gain assurances from outsourced third-party vendors (i.e., service organizations) whose controls can affect financial reporting. Though it may sound somewhat vague and blurred, it’s really quite straightforward. Take note of the following example to see the effect SAS 70 has on section 404 of publicly traded companies.

Dec 30 2008   3:21PM GMT

SAS 70 | PCI DSS | 2009 Regulatory Compliance Checklist

Posted by: Charles Denyer
Security, SOX, regulatory compliance, audits, payment card industry, PCI DSS, PCI, pci compliance, SAS 70, SAS 70 readiness questionnaire, What is SAS 70?, SAS 70 checklist, sas70, sas70 sample reports, pci dss qsa, sas 70 control objectives, sas 70 type ii, SAS 70 Type I, pci assessment, sas 70 sample report, sas 70 audit report, payment card industry data security standards

When ushering in the new year festivities, keep in mind that a number of regulatory compliance issues will be facing your organization also as 2009 looms just around the corner. No, they’re not stocking stuffers, rather, they can be considered expensive, time-consuming, and arduous, to say the least. Here’s your list of 2009 Regulatory Compliance mandates that may very well find there way into your organization.

SAS 70
SAS 70 Type I and SAS 70 Type II audits have become increasingly popular since the advent of Sarbanes Oxely in 2002. Service organizations, third party outsourcing entities, and a slew of other companies have had to grapple with the time and costs associated with this widely recognized auditing standard. If your organization needs to become SAS 70 Type I or SAS 70 Type II compliant for 2009 and beyond, then take time to learn about this specialized auditing standard via the most comprehensive website available on SAS 70 audits, sas70.us.com. You can even obtain a free sample SAS 70 Type II report along with downloading numerous white papers and other expert subject matte on SAS 70 Type I and SAS 70 Type II audits.

PCI Compliance
Payment Card Industry Data Security Standards (PCI DSS) compliance is fast becoming a hot regulatory compliance issue. The major payments brands, such as Visa, Mastercard, American Express, Discover and JCB, have unilaterally agreed on a number of security provisions for the protection of cardholder data. In summary, any entity directly involved in the processing, storage, or transmission of transaction data or cardholder data should be looked upon as a PCI DSS candidate. But what really is PCI and where can you learn more about compliance and what your organization needs to do? Visit pciassessment.org, a comprhensive guide to understanding what PCI DSS compliance is and who is affected.

Nov 23 2008   7:46PM GMT

SAS 70 Type II Audit Reports | Why SAS 70 is Here to Stay

Posted by: Charles Denyer
HIPAA, SOX, GLBA, Sarbanes-Oxley, regulatory compliance, SAS 70, What is SAS 70?, sas70, section 404 sox, sas 70 control objectives, sas 70 type ii, sas 70 audit report

We live in a world of heightened regulatory compliance and corporate governance. From the passage of the 2002 Sarbanes-Oxley Act to numerous other pieces of legislation (HIPAA, GLBA, just to name a few), “comply, comply, comply” is the new mantra being pushed throughout organizations and at all levels. SAS 70 audits, originally introduced as the 70th auditing standard in April of 1992, has stood the test of time as the main “go to” compliance audit for many of these regulatory requirements that have ushered from the halls of Congress.

Okay, so, why is it here to stay? Well, for a number of reasons. First and foremost, it will always be used as an audit tool for evaluating service organization’s that could have a material impact to a company’s “information system”-This term, “information system” is used to describe the user organization’s “information system”, that is, what services are being performed by the service organization that are considered a part of the user organization’s “information system”. Transactions, procedures (be it manual or automated), supporting information, the capturing of events and conditions-are all considered traits and activities that relate to, have an effect, and impact the user organization’s “information system”.

Second, the SAS 70 auditing standard has been quite flexible, adapting to the needs of service organizations that must have their control environment examined. Witness the numerous times the SAS 70 auditing standard has been amended over the last 16 years to keep “pace” with the changes of business.

Third, the SAS 70 auditing standard has become very quickly recognized as the global de facto audit for internal controls on service organizations. In short, it has built up quite a following that is simply very hard to ignore.

To learn more about SAS 70 audits, visit the official SAS 70 Resource Guide.

Jul 23 2008   2:53PM GMT

SAS70 Audit Guide | Section 6.0 | SAS70 Glossary of Terms

Posted by: Charles Denyer
Compliance, SOX, SAS 70, What is SAS 70?, SAS 70 download

If you want to learn about SAS70 Type I & Type II audits, then it’s a good idea to gain a thorough understanding of the terminology used for the SAS70 auditing standard. There’s much technical jargon and terms to be mastered for helping truly understand SAS70 audits. Furthermore, the more you fully comprehend what these items mean, the better armed and prepared you will be for the audit.

The SAS70 glossary of terms serves to provide an understanding of the most common terms and phrases used not only by auditors, but also everyone involved in the SAS70 process. For example, do you truly understand the definition of internal controls? Do you know the difference between a service organization and a user organization? The SAS70 glossary will help define these differences.

Also, if you want to learn more about SAS70, such as pricing along with receiving SAS70 sample reports, then the official SAS70 resource guide is your one stop shop for learning all you need to know about this highly specialized auditing standard.

Jul 21 2008   6:23PM GMT

SAS70 Audit Guide | Section 5.0 | SAS70 Roadmap for Compliance

Posted by: Charles Denyer
Security, HIPAA, Compliance, Auditing, SOX, GLBA, Sarbanes-Oxley, regulatory compliance, audits, SAS 70, SAS 70 readiness questionnaire, What is SAS 70?, SAS 70 download, SAS 70 checklist, SAS 70 overview presentation

SAS70 Type I & Type II audits can be daunting indeed to many service organizations, but they shouldn’t be. The more you learn about what SAS70 is, the better prepared you will be for going through a SAS70 audit. Let’s start with the basics, that is, educate yourself on what a SAS70 Type I & Type II audit is, and what are the differences.

Furthermore, obtain SAS70 sample reports electronically to see what a final SAS70 service auditors report actually looks like. Additionally, learn about what it takes in the step by step process for undertaking a SAS70 audit. There are many different stages, activities, and deliverables that comprise of a SAS70 audit, so its a good idea to educate yourself on what they are, when they occur, what to expect, and what the commitment is from your organization in terms of manpower and resources.

Beginning with a SAS 70 readiness questionnaire assessment, then culminating with the delivery of the actual service auditor’s report, you need to learn firsthand what’s involved for this type of an audit.

You can also learn more by visiting the official SAS70 resource guide, where a wealth of information is available, such as white papers on SAS70 along with current industry news affecting the auditing standard itself.

Jul 18 2008   1:55AM GMT

SAS70 Audit Guide | Section 4.0 | SAS70 Sample Reports

Posted by: Charles Denyer
Security, HIPAA, Compliance, Auditing, SOX, GLBA, audits, SAS 70, SAS 70 readiness questionnaire, What is SAS 70?, SAS 70 download, SAS 70 checklist, SAS 70 overview presentation

You can obtain SAS70 sample reports if you are interested in learning more about the SAS70 auditing standard. Many service organizations have to go through a SAS70 audit and would like to learn more about the auditing standard. Thus, a SAS70 Type II example report, which can be obtained from the official SAS70 Resource Guide, will give readers an in-depth understanding of the inner workings of a SAS70 audit, along with providing an excellent example of what the contents of a report are.

SAS 70 sample reports can also help better educate your organization on the auditing standard, ultimately giving you more knowledge and understanding of the audit when you begin the selection process of finding a CPA provider to conduct the SAS70 Type I or Type II audit for your organization.

Additionally, current white papers along with various information on relevant industry news is also available for learning more about SAS70 audits both Type I and Type II audits. Current industries being heavily affected by the SAS70 auditing standard are financial services, information, and health care. The past decade has seen numerous federals laws and legislations implemented that have placed a large emphasis on security, privacy, and an organization’s overall control environment. What’s more, SAS70 audits have quickly become the default tool used to ensure service organizations are in compliance with these ever expanding regulatory compliance laws.

Jul 13 2008   10:15PM GMT

SAS70 Audit Guide | Section 3.0 | What’s in a SAS 70 Report?

Posted by: Charles Denyer
HIPAA, Compliance, DataCenter, SOX, GLBA, Sarbanes-Oxley, regulatory compliance, SAS 70, SAS 70 readiness questionnaire, What is SAS 70?, SAS 70 download, SAS 70 checklist, SAS 70 overview presentation

A SAS70 report can be a daunting undertaking for many service organizations who have never gone through an audit of this type. Developed in 1992 by the American Institute of Certified Public Accountants (AICPA). SAS70 Type I and Type II audits are used for examining a service organization’s control environment.

Many companies often ask me what the end deliverable report looks like. Because of the loose flexibility of the auditing standard, I have to caution them that no two reports from different CPA firms for a SAS 70 audit will ever look alike. This is largely based on the fact that the presentation of the audit findings allows CPA firms to illustrate it in any number of ways. However, even with that said, there should be some fundamental topics and areas that need to be included in almost any SAS 70 Type II audit. A good reference would be to examine the SAS70 audit & overview presentation tutorial, which gives readers an excellent example of what is SAS70 and what’s in a report.

Additionally, visit the SAS70 resource guide where you can receive SAS70 sample reports for educational viewing.