Sep 28 2009 12:44AM GMT
Posted by: Charles Denyer
PCI DSS, SAS 70, type i, type II, charles denyer, audits
PCI DSS and SAS 70 Type I and Type II audits are a mainstay in today’s regulatory arena. As such, I’m often asked what some of the best resources are for learning about the Payment Card Industry Data Security Standards (PCI DSS) initiative and the SAS 70 audit requirements.
PCI DSS
pcisecuritystandards is the official site for PCI DSS compliance. It was put forth by the Payment Card Industry Security Standards Council, commonly known as the PCI SSC. The major payment brands have effectively endorsed the PCI DSS standards, so you can learn all you need to know about PCI DSS by visiting their site. The left column gives you quick links to all the important PCI DSS information. There are also some very helpful forums such as pcianswers and pcidssguru. These sites are managed by industry veterans in the payments industry, and they give you unbiased and straight answers to any questions you may have.
SAS 70
The official AICPA website offers little in the way of education on SAS 70 audits. They do sell a book on SAS 70, but it is primarily geared towards auditors and is written in a technical manner. The other solution is to visit the Official SAS 70 Resource Guide, where you can watch training videos and learn all aspects of SAS 70 Type I and Type II audits.
Sep 25 2009 1:24PM GMT
Posted by: Charles Denyer
sas 70 training videos, type i, type II, audit cost, planning, audit fieldwork
SAS 70 training videos are simply the best way to truly gain an understanding of the inner workings of Statement on Auditing Standards No. 70. As an auditor, I’ve been asked many times on this post and others whether content could be developed to give a better understanding of how the Type I and Type II audit process begins and ends. Well, watch the ten (10) SAS 70 training videos and you’ll quickly get up to speed on all you need to know about Type I and Type II audits. Listed below are the topics of each of the ten (10) videos.
1. Introduction to the SAS 70 Auditing Standard
2. SAS 70 Type I Audits
3. SAS 70 Type II Audits
4. SAS 70 & Audit Scope
5. SAS 70 Audit Cost & Pricing Factors
6. SAS 70 Readiness Assessment and Questionnaires
7. SAS 70 Audit Planning and Audit Fieldwork Activities
8. SAS 70 Roadmap to Compliance
9. Frequently Asked Questions
10. Concluding Thoughts on SAS 70 Audits
Visit the official SAS 70 Resource Guide to learn more about SAS 70 Type I and Type II audits and to also view the SAS 70 Training Videos.
Aug 23 2009 8:47PM GMT
Posted by: Charles Denyer
HIPAA, PCI, SAS 70, PCI DSS, charles denyer, payment card industry data security standards, health insurance portability and accountability act, type II, The Department of Health and Human Services, 45 CFR Parts 160, 162, and 164, Health Insurance Reform: Security Standards
HIPAA, the Health Insurance Portability and Accountability Act, has been with us for years now. Upon reading through the vast and cumbersome documentation, one quickly realizes that HIPAA has many moving parts, enough to make you truly gaze in amazement at what the actual explicit intent for compliance is. With regard to the security provisions of HIPAA (The Department of Health and Human Services, 45 CFR Parts 160, 162, and 164, Health Insurance Reform: Security Standards; Final Rule), there are a number of broad-based requirements for ensuring HIPAA compliance.
But that’s really where it ends, because unlike a SAS 70 Type II audit and a Payment Card Industry Data Security Standards (PCI DSS) assessment, compliance is, for the most part, not actively overseen. What does it really mean to be HIPAA compliant? What part of HIPAA do organizations need to be compliant with? What are the true penalties for non-compliance, if any?
HIPAA needs to take a more aggressive approach, possibly a revision of the law along with explicit rules for what compliance is and for which parts of the HIPAA legislation it applies to. Only then will HIPAA really have the same bite as SAS 70 or PCI DSS.
Aug 3 2009 7:25PM GMT
Posted by: Charles Denyer
PCI DSS, SAS 70, sas70, type i, type II, payment card industry data security standards, merchants, service providers, service organizations, pci dss level 1 assessments
SAS 70 audits and PCI DSS Assessments are on everybody’s radar screen today, or so it seems, particularly SAS 70 Type II audits and Payment Card Industry Data Security Standards (PCI DSS) Level 1 assessments.
And why? Because many service organizations, merchants, and service providers are being asked to become compliant with a SAS 70 audit, a PCI DSS Assessment, or both, for purposes of today’s regulatory compliance initiatives. Take note: Nevada just passed provisions of PCI into law, joining Minnesota as another state that is taking security and privacy to a new level.
I’ve put together a comprehensive white paper on SAS 70 Type II audits and PCI DSS Level 1 assessments that is definitely good reading material if your organization has to become compliant with either of these.
Visit the official SAS 70 Resource Guide to learn more about Type I and Type II audits.
Visit the official PCI DSS Resource Guide to learn more about PCI DSS Assessments.
Jul 8 2009 7:27PM GMT
Posted by: Charles Denyer
sas70.us.com, sas 70 resource guide, SAS 70, type i, type II, sas 70 readiness assessment, gap analysis, control environment
Many service organizations having to undergo SAS 70 Type I or SAS 70 Type II compliance would greatly benefit from a SAS 70 Readiness Assessment. So, let’s clear the air as to what this actually is.
A SAS 70 Readiness Assessment should be a proactive exercise that actually benefits the overall SAS 70 audit process. A Readiness Assessment should, therefore, include the following:
1. A series of in-depth and comprehensive questionnaires that help examine the control environment of a service organization, while assisting in identifying any weaknesses or deficiencies within the overall control framework.
2. A gap analysis or “findings” of deficiencies and what corrective action is needed to strengthen the control environment of the service organization.
A quality CPA firm should be able to provide you with a series of highly customized SAS 70 Readiness Assessment Questionnaires, along with expert guidance and assistance to the service organization in answering them.
If you want to learn more about what a Readiness Assessment actually entails, then visit the Official SAS 70 Resource Guide.
Jun 26 2009 3:37PM GMT
Posted by: Charles Denyer
sas 70 audit, charles denyer, sas 70 readiness assessment, type i, type II, internal control framework
If your organization is seeking to become SAS 70 Type I or Type II compliant in the near future, then it is a wise decision to embark on a SAS 70 Readiness Assessment. These assessments essentially help you identify your control environment, the scope of the audit, and what deficiencies or gaps may be present within your organization’s overall internal control framework. It should not be looked upon as an additional cost of a SAS 70 audit, but rather as a useful and proactive exercise in preparing your organization for the rigors of going through an actual SAS 70 audit.
Working straight towards SAS 70 Type I or Type II compliance without conducting a SAS 70 Readiness Assessment can be a daunting and challenging task. Many problems can arise from this, such as not properly scoping the audit and not adequately identifying weaknesses within your control structure, along with other critical and material issues. The result can be cost and time overruns to correct issues that should have been addressed prior to the actual audit.
To learn more about SAS 70, visit the official SAS 70 Resource Guide.
Jun 20 2009 3:20AM GMT
Posted by: Charles Denyer
Statement on Auditing Standards No. 70, sas70, type II, general controls report, control environment, charles denyer, sarbanes oxley act of 2002, SAS 70 Type I
Statement on Auditing Standards No. 70, known simply as SAS 70 to many, has had a profound impact on regulatory compliance since the passage of the Sarbanes-Oxley Act in 2002. As a SAS 70 auditor for many years, I’ve been asked a broad and wide range of questions regarding the who, what, where, when and why of SAS 70 Type I and SAS 70 Type II audits. Thus, if you need to learn everything you possibly can about SAS 70, then visit the official SAS 70 Resource Guide, where a voluminous amount of information is available.
Now, with that said, let me touch on a subject that has been brought up so many times it feels like a broken record: SAS 70 PRICING. So, what do they cost? What SHOULD they cost? These are some of the questions I have fielded over the years. With that said, I can tell you what my honest best assessment is for pricing on these engagements, so here you go.
A general controls SAS 70 Type I that covers no real business processes, and for which all fieldwork can be done at one location, should be between $15,000 and $25,000.
A general controls SAS 70 Type II that covers no real business processes, and for which all fieldwork can be done at one location, should be between $25,000 and $35,000. Thus, subsequent years “could” see a decrease in fees (marginal, that is) if the control environment stays somewhat static.
If you start adding in requirements to test a wide array of specific “business process” controls, the price will go up. Keep in mind, some firms may (and do) charge a slightly cheaper fee than I’ve just quoted. But remember, you get what you pay for, especially with auditors. Find that healthy medium from a quality, boutique CPA firm that specializes in SAS 70 audits and you should be fine.
May 4 2009 4:20PM GMT
Posted by: Charles Denyer
sas 70 certification, SAS 70 Type I, type II, charles denyer, audit scope, sas 70 compliant, sample sas 70 type II report
SAS 70 Certification is everywhere these days, or so it seems. From small start-up organizations to large multi-national corporations, many people have been hit by the SAS 70 bug. What’s also interesting to note are the vast differences you can see when comparing two SAS 70 reports. In short, no two reports look the same. Is this a good thing or something wrong with the auditing industry? It’s actually a little bit of both, to be honest. The good thing is that it allows auditors to customize the reports as they see fit for the client. The bad thing is that many times a SAS 70 audit does not conform to an acceptable scope or standards of testing for control objectives.
Either way, what you need to know about SAS 70 Type I and Type II audits is that the SAS 70 certification process is highly flexible, based in part on the rather “flexible” auditing standards that are in place. (By the way, using the word “certification” is technically incorrect, as a SAS 70 audit does not certify anything; rather, you have complied with the auditing standard, so it should be called “SAS 70 compliant”.) So, you need to properly identify the scope of the audit, and by doing so, you ensure that your organization ends up receiving a quality SAS 70 Service Auditor’s Report.
As for scope, you need to identify a number of parameters, such as:
1. Is my organization doing a Type I or a Type II?
2. If a Type II, what is the test period?
3. Are there any business processes or functions to be tested in the audit, or is it just a general controls SAS 70?
4. Where are the physical locations that are included in the scope of the audit?
5. Which third-party outsourcing entities used by my organization are to be considered part of the scope of the audit?
6. Has my organization developed control objectives that are considered acceptable for testing by the auditors?
To learn more about SAS 70 audits, or to receive a free sample SAS 70 Type II audit report in PDF format, visit the official SAS 70 Resource Guide.