Regulatory Compliance, Governance and Security:

What is SAS 70?

Feb 23 2009   1:11AM GMT

What is SAS 70 | A Question I’m Often Asked by Service Organizations



Posted by: Charles Denyer
What is SAS 70?, SAS 70 Type I, sas 70 type ii, service organizations, aicpa, regulatory compliance, sas70.us.com

What is SAS 70? For those of us in the regulatory compliance and Information Technology world, this would be an absurd question. Well, put yourself in the shoes of businesses who work hard every day, struggling to make ends meet, and then suddenly they’ve been told they need a SAS 70. A SAS what? I field these calls every day from curious-minded individuals who have now come to find themselves locked into the regulatory compliance game that many service organizations have become accustomed to.

So, then. What is SAS 70? Well, it’s an auditing standard put forth by the American Institute of Certified Public Accountants (AICPA) in 1992, which is used to report on controls placed in operation and (if need be) tests of operating effectiveness. English please, right? Okay, in simpler terms, it’s an audit that is used to test a number of controls (i.e., “checks and balances” you should have in place) throughout your organization.

To add to this, there are TWO types of SAS 70 audits: a Type I and a Type II. Most organizations having to comply with and go through a SAS 70 audit ultimately prepare for a SAS 70 Type II audit.

Okay, those are the basics. To learn more, visit the official SAS 70 Resource Guide, where you can learn all you need to know about SAS 70 audits to help answer that ever-important question: What is SAS 70?

Dec 30 2008   3:21PM GMT

SAS 70 | PCI DSS | 2009 Regulatory Compliance Checklist



Posted by: Charles Denyer
Security, SOX, regulatory compliance, audits, payment card industry, PCI DSS, PCI, pci compliance, SAS 70, SAS 70 readiness questionnaire, What is SAS 70?, SAS 70 checklist, sas70, sas70 sample reports, pci dss qsa, sas 70 control objectives, sas 70 type ii, SAS 70 Type I, pci assessment, sas 70 sample report, sas 70 audit report, payment card industry data security standards

When ushering in the new year festivities, keep in mind that a number of regulatory compliance issues will also be facing your organization as 2009 looms just around the corner. No, they’re not stocking stuffers; rather, they can be considered expensive, time-consuming, and arduous, to say the least. Here’s your list of 2009 Regulatory Compliance mandates that may very well find their way into your organization.

SAS 70
SAS 70 Type I and SAS 70 Type II audits have become increasingly popular since the advent of Sarbanes-Oxley in 2002. Service organizations, third-party outsourcing entities, and a slew of other companies have had to grapple with the time and costs associated with this widely recognized auditing standard. If your organization needs to become SAS 70 Type I or SAS 70 Type II compliant for 2009 and beyond, then take time to learn about this specialized auditing standard via the most comprehensive website available on SAS 70 audits, sas70.us.com. You can even obtain a free sample SAS 70 Type II report along with downloading numerous white papers and other expert subject matter on SAS 70 Type I and SAS 70 Type II audits.

PCI Compliance
Payment Card Industry Data Security Standards (PCI DSS) compliance is fast becoming a hot regulatory compliance issue. The major payment brands, such as Visa, Mastercard, American Express, Discover and JCB, have unilaterally agreed on a number of security provisions for the protection of cardholder data. In summary, any entity directly involved in the processing, storage, or transmission of transaction data or cardholder data should be looked upon as a PCI DSS candidate. But what really is PCI, and where can you learn more about compliance and what your organization needs to do? Visit pciassessment.org, a comprehensive guide to understanding what PCI DSS compliance is and who is affected.


Dec 30 2008   2:37PM GMT

SAS 70 Audit Reports | Obtain a Sample SAS 70 Type II Audit



Posted by: Charles Denyer
SAS 70, What is SAS 70?, SAS 70 download, SAS 70 overview presentation, sas70, sas70 sample reports, sas 70 control objectives, sas 70 type ii, SAS 70 Type I, sas70 pricing, sas 70 sample report, sas 70 audit report

If you are seeking to learn more about SAS 70 Type I and SAS 70 Type II audits, then one of the most effective ways of truly gaining an understanding of the auditing standard is to see what the finished product looks like, that is, a final SAS 70 audit report. Many people voice great frustration when going through their first SAS 70 audit because they truly don’t know what the SAS 70 audit report “looks and feels” like, that is, what the actual content, format, and layout of the report are.

Having a sample SAS 70 audit report prior to commencement of the audit would greatly benefit service organizations, as they can visually see the important components of what lies in the report itself. sas70.us.com provides sample SAS 70 Type II audit reports for organizations and individuals looking to learn more about Statement on Auditing Standards No. 70, commonly known as SAS 70.

This report will give you an in-depth layout of what a SAS 70 audit report is and what critical components and content make up the report, and it will also allow you to gain a true conceptual understanding of how the audit is actually undertaken and performed by auditors.

Remember, knowledge is power, so the more you know and learn about SAS 70 audits, the more prepared you and your organization will be in undertaking a SAS 70 Type I or SAS 70 Type II audit.


Nov 23 2008   7:46PM GMT

SAS 70 Type II Audit Reports | Why SAS 70 is Here to Stay



Posted by: Charles Denyer
HIPAA, SOX, GLBA, Sarbanes-Oxley, regulatory compliance, SAS 70, What is SAS 70?, sas70, section 404 sox, sas 70 control objectives, sas 70 type ii, sas 70 audit report

We live in a world of heightened regulatory compliance and corporate governance. From the passage of the 2002 Sarbanes-Oxley Act to numerous other pieces of legislation (HIPAA, GLBA, just to name a few), “comply, comply, comply” is the new mantra being pushed throughout organizations and at all levels. SAS 70 audits, originally introduced as the 70th auditing standard in April of 1992, have stood the test of time as the main “go to” compliance audit for many of these regulatory requirements that have come out of the halls of Congress.

Okay, so, why is it here to stay? Well, for a number of reasons. First and foremost, it will always be used as an audit tool for evaluating service organizations that could have a material impact on a company’s “information system”. This term, “information system”, is used to describe the user organization’s “information system”, that is, which services performed by the service organization are considered a part of the user organization’s “information system”. Transactions, procedures (be they manual or automated), supporting information, and the capturing of events and conditions are all considered traits and activities that relate to, have an effect on, and impact the user organization’s “information system”.

Second, the SAS 70 auditing standard has been quite flexible, adapting to the needs of service organizations that must have their control environment examined. Witness the numerous times the SAS 70 auditing standard has been amended over the last 16 years to keep “pace” with changes in business.

Third, the SAS 70 auditing standard has very quickly become recognized as the global de facto audit for internal controls at service organizations. In short, it has built up quite a following that is simply very hard to ignore.

To learn more about SAS 70 audits, visit the official SAS 70 Resource Guide.


Sep 20 2008   4:32PM GMT

SAS70 Audits & Business Continuity Disaster Recovery (BCDR)



Posted by: Charles Denyer
SAS 70, What is SAS 70?, sas70, sas70 sample reports, BCDR, BCM, Business Continuity Disaster Recovery

SAS70: I’m often asked about Business Continuity & Disaster Recovery (BCDR) when preparing a new client for a SAS70 Type I or Type II audit. Specifically, they ask me if it is a requirement for a SAS70 audit and what they should be doing in order to adequately prepare and document a BCDR strategy and plan.

Technically, NO: BCDR, or any variation thereof (also commonly known as BCM, etc.), is NOT a requirement for testing in a SAS70 audit, based purely on the amended SAS70 publications of 2005 and 2007, which state that a “plan is not a control objective”; thus BCDR and BCM plans are not included in the scope of the SAS70. That’s the technical NO answer.

In theory, many auditors would say YES, a BCDR or BCM plan should be in scope and should have a control objective in place so that the plan can be tested.

Regardless of which decision the auditor makes, it’s paramount that service organizations have a working and documented BCDR or BCM plan in place. It just makes good business sense.

To learn more about what SAS70 is, visit the official SAS70 resource guide, where you can receive a complimentary SAS70 Type II audit report.


Aug 18 2008   3:30PM GMT

SAS70 Audits and PCI Assessments | GAP Analysis



Posted by: Charles Denyer
Compliance, pci compliance, SAS 70, What is SAS 70?, sas70, pci dss qsa

Many organizations are now being required to be SAS70 and PCI DSS compliant. With that said, I am often asked where the synergies or overlaps are between a SAS70 audit, which can only be done by a CPA firm, and a PCI DSS assessment, which can only be done by a qualified PCI QSA individual.

My answer to this is yes, IF and only IF you obtain services from an individual or firm that is both a CPA and a qualified PCI QSA, AND that produces both high-quality SAS70 audits and PCI DSS assessments. The SAS70 auditing standard is rather loose, so it’s incumbent upon the firm issuing the SAS70 report to produce a report that is of high quality. High quality means a report that covers all the essential baseline elements of a SAS70 audit, which should include substantial testing of network security and logical access. If done correctly, you will see an overlap with other areas within the PCI DSS assessment. So, this is the yes answer. If you engage two different firms, one to do the SAS70 audit and the other to do the PCI DSS assessment, then you can end up with conflicting views on what each report should contain. In short, the synergies occur when you use one firm to do both the SAS70 audit and the PCI assessment.

For more information on Payment Card Industry compliance, visit the official PCI website.

For more information on SAS70 audits, visit the official SAS70 Resource Guide website.

I have also created a SAS70 and PCI DSS gap analysis, which shows the overlapping areas.


Jul 25 2008   3:00PM GMT

Data Centers & SAS70 Audits | How to Prepare for the Audit



Posted by: Charles Denyer
Compliance, Auditing, Sarbanes-Oxley, SAS 70, What is SAS 70?, SAS 70 download

Data centers are increasingly being called upon to be SAS70 Type I or Type II compliant. This stems primarily from the rapid growth of compliance legislation, along with the advent of many industries, particularly Software as a Service (SaaS), that require services from data centers and co-location entities. Moreover, today’s data centers provide a wide array of services, and as such, clients using these very services often have to adhere to regulatory compliance mandates as well. Ultimately, this has a downstream effect that places data centers on the compliance radar, with SAS70 audits commonly being the default compliance tool used for evaluating their internal control structure.

Additionally, because no two SAS70 audits are truly identical, and because a SAS70 audit should be customized to reflect specific industry needs, it’s important to note what is considered an acceptable baseline scope for SAS70 audits of data centers. Thus, the areas of executive tone, human resources, incident management, change management, logical security, network security, physical security, environmental security, and computer operations form the basis of the audit for purposes of scope. Please keep in mind that this is a generally accepted scope, which can increase or decrease based primarily on what is driving the requirements for the audit itself.

To gain a greater understanding of your organization’s SAS70 needs, it would be helpful for you to learn about what SAS70 is and also to obtain SAS70 sample reports, which are an excellent tool for learning more about this type of audit.


Jul 23 2008   2:53PM GMT

SAS70 Audit Guide | Section 6.0 | SAS70 Glossary of Terms



Posted by: Charles Denyer
Compliance, SOX, SAS 70, What is SAS 70?, SAS 70 download

If you want to learn about SAS70 Type I & Type II audits, then it’s a good idea to gain a thorough understanding of the terminology used in the SAS70 auditing standard. There is a good deal of technical jargon and terminology to master in order to truly understand SAS70 audits. Furthermore, the more fully you comprehend what these terms mean, the better armed and prepared you will be for the audit.

The SAS70 glossary of terms serves to provide an understanding of the most common terms and phrases used not only by auditors, but also everyone involved in the SAS70 process. For example, do you truly understand the definition of internal controls? Do you know the difference between a service organization and a user organization? The SAS70 glossary will help define these differences.

Also, if you want to learn more about SAS70, such as pricing, along with receiving SAS70 sample reports, then the official SAS70 resource guide is your one-stop shop for learning all you need to know about this highly specialized auditing standard.


Jul 21 2008   6:23PM GMT

SAS70 Audit Guide | Section 5.0 | SAS70 Roadmap for Compliance



Posted by: Charles Denyer
Security, HIPAA, Compliance, Auditing, SOX, GLBA, Sarbanes-Oxley, regulatory compliance, audits, SAS 70, SAS 70 readiness questionnaire, What is SAS 70?, SAS 70 download, SAS 70 checklist, SAS 70 overview presentation

SAS70 Type I & Type II audits can be daunting indeed to many service organizations, but they shouldn’t be. The more you learn about what SAS70 is, the better prepared you will be for going through a SAS70 audit. Let’s start with the basics, that is, educate yourself on what a SAS70 Type I & Type II audit is, and what the differences are.

Furthermore, obtain SAS70 sample reports electronically to see what a final SAS70 service auditor’s report actually looks like. Additionally, learn what the step-by-step process for undertaking a SAS70 audit entails. There are many different stages, activities, and deliverables that comprise a SAS70 audit, so it’s a good idea to educate yourself on what they are, when they occur, what to expect, and what the commitment is from your organization in terms of manpower and resources.

Beginning with a SAS 70 readiness questionnaire assessment and culminating in the delivery of the actual service auditor’s report, you need to learn firsthand what’s involved in this type of audit.

You can also learn more by visiting the official SAS70 resource guide, where a wealth of information is available, such as white papers on SAS70 along with current industry news affecting the auditing standard itself.


Jul 18 2008   1:55AM GMT

SAS70 Audit Guide | Section 4.0 | SAS70 Sample Reports



Posted by: Charles Denyer
Security, HIPAA, Compliance, Auditing, SOX, GLBA, audits, SAS 70, SAS 70 readiness questionnaire, What is SAS 70?, SAS 70 download, SAS 70 checklist, SAS 70 overview presentation

You can obtain SAS70 sample reports if you are interested in learning more about the SAS70 auditing standard. Many service organizations have to go through a SAS70 audit and would like to learn more about the auditing standard. A SAS70 Type II example report, which can be obtained from the official SAS70 Resource Guide, will give readers an in-depth understanding of the inner workings of a SAS70 audit, along with providing an excellent example of what the contents of a report are.

SAS 70 sample reports can also help better educate your organization on the auditing standard, ultimately giving you more knowledge and understanding of the audit when you begin the selection process of finding a CPA provider to conduct the SAS70 Type I or Type II audit for your organization.

Additionally, current white papers along with various information on relevant industry news are also available for learning more about SAS70 Type I and Type II audits. Current industries being heavily affected by the SAS70 auditing standard are financial services, information, and health care. The past decade has seen numerous federal laws and pieces of legislation implemented that have placed a large emphasis on security, privacy, and an organization’s overall control environment. What’s more, SAS70 audits have quickly become the default tool used to ensure service organizations are in compliance with these ever-expanding regulatory compliance laws.