SAS 70 audits focus on COSO controls and examine the leadership experience of executives and training. CIO’s and CSO’s march to the executive suite takes many paths. Opportunities to lead in the C-Level suite come in many forms….some are perhaps luck, others are from angels, but what job titles lead to the CIO or CSO role? According to a recent survey, most CIO’s have a background primarily in IT. In recent, weeks, I have begun to question this polling as I have met several well-respected CIO’s who understand strategy and operations, but do not have a clue as to operating systems, applications or how networks function. In this same poll, only 15% of CIO’s and CSO’ came from areas outside of IT. What side of the fence do you stand on? Do you think an extensive background and training in information technology makes a difference as a c-level executive? As I consider myself a hybrid with a little knowledge and experience on both sides of the fence, I wonder what is respectable? SAS70ExPERT@gmail.com

Shazzam!!! Clap on, Clap off!!  None of these sayings work to build a strong team for a CIO. An effective CIO must work daily to build trust and a strong bond between his employees.

A SAS70 audit will examine the processes used by a CIO to hire and monitor his employees. A CIO that requires new IT employees to complete an employment application, perform background checks and requires frequent employee evaluations will have a successful SAS70 audit. What are you doing within your Company to build a strong IT team? Sas70expert@gmail.com

Do you have 3 mainframes systems and one stand alone application that you use for recording financial results? Do any of these systems talk to one another? Are you starting to use Saas applications to better manage your data? Knowing how to leverage technologies, old or new, is key to being an effective CIO.

During a SAS70 audit, it is critical that you have an deep understanding of your systems and how they work together. If you are able to provide documentation, such as network diagrams, and data hierarchies to your auditor, then they will be more efficient when determining the controls necessary to be tested within your organization. An effective CIO cannot leverage technologies within corporate walls or as outsourced solutions without having a complete understanding of IT networks, applications, and operating systems. What helps you know how to leverage your company technologies? Or to predict what technologies will work best within your company? sas70expert@gmail.com

Budgets, financial statements, and account analysis all provide you with detailed information on the financial operations of your company. An effective CIO must have a good grasp of his Companies revenue and expenses and how this information flows into his IT operations.

If you are aware of the finances of your operation, then you will be able to understand the facets of the SAS70 audit that deal with the testing and examination of financial transactions. By understanding the processes that record financial transaction, an effective CIO will quickly be able to explain abnormal differences to an auditor. Do you have financial information required to manage your operations? Or are you still managing with an abacus? What types of reports are most effective for helping you guide your organization? Are you using balanced scorecards? Sas70expert@gmail.com

At 5pm, the CEO returned to his office with a cup of coffee and a very unpleasant frown. He barked out a few orders to his administrative assistant. I knew then that ….it was all going to roll down hill. Apparently, an IT Director signed a vendor contract with some very unfavorable terms. Luckily, the IT Director was no longer with the Company, therefore, the CIO, was the one who would be assigned the cleanup work.

In order to deal with this situation, the CIO would have to quickly understand the requirements of the CEO and the expectations of the vendor. If he failed at delivering for either of them, then the effects could have serious consequences on IT operations. These types of political maneuvers happen everyday and it takes a skillful politician as a CIO to produce favorable results.

A CIO can use her political skills to effectively deal with a SAS70 audit. When an auditor identifies an audit exception, the CIO may fully agree with the auditor; however, the description of the audit exception may need to be qualified in order to maintain a close relationship with the CEO. Sometimes, negotiations are even held over simple words, such as “sometimes” as they can make a big difference in the eyes of the Board of Directors or Audit Committee. What are some of the circumstances that you may have been involved in? Were you successful in avoiding pitfalls? What worked best for you?

Sas70expert@gmail.com

A very successful CIO told me once, “I can see the stars, but I can’t see the future.” At the time, I was very inexperienced and wasn’t really clear about this statement. Now, I think I understand, his experience, drive, education, and passion allowed him to be able to see opportunities for Company growth and advancement in unproven markets. To be a visionary is one of the most important characteristics of career stability and longevity.

This characteristic will also help you to guide your SAS 70 auditor to a successful audit. Because you know your operations better than anyone else, you should be able to quickly provide your auditor with the answers and solutions required to plan and conduct the audit. By staying on top of your day-to-day operations, and not focusing all your attention on the Boardroom, you will have the information necessary to deal with audit exceptions when they arise. Do you have systems/application or reporting mechanisms in place that provide you operating results on a timely basis? If so, what works best for you within your Company? Sas70expert@gmail.com

If you have to conduct a SAS70 audit within your organization, are you ready? As a CIO, do you have the necessary leadership skills to make an audit a success?

A recent survey by TechRepublic lists the following criteria that an effective CIO or CSO must have in order to lead a 21^st century information technology (IT) team. These characteristics are, but not necessarily in order of priority:

Communication skills

Be a visionary

Able to deal with office politics effectively

Have an understanding of financials

Leverage key technologies

Ability to build a strong team

As a CIO, these characteristics are required to be an effective leader. In addition, these same characteristics will make you an effective CIO or CSO when a SAS70 audit is conducted. From the initial planning and scoping phases of the audit, you must take the initiative to develop a strong relationship with your auditor. Don’t be afraid to tell him all the bad and the good when discussing your IT operations. By developing an open rapport, and having frank discussions, you will be able to quickly develop a lasting bond with your auditor. Do you have this type of relationship with your auditor? sas70expert@gmail.com

ITIL provides you with a simple-to-understand IT standards and specific operational situations for your IT environment. ITIL best practices are prescriptive and descriptive. Are you using it for guidance? Many SAS70 audits will want you what guidance you are using as your IT roadmap – COBIT, ITIL, ISO standards.

COBIT will provide you with overall corporate governance. ISO and ITIL are much more operational and provide in-depth procedures. All of them require resources and funds to implement. Many organizations use a combination – they take a more holistic approach. What do you consider as the most effective for your organization? Sas70Expert@gmail.com

Your largest customer called and asked for your SAS70 audit report and which type of audit was completed? Do you perform a Type I or II? Don’t flip a coin; you must consider your objectives.

A SAS 70 Type I audit report provides an audit opinion of your Companies’ operating environment. A Type II report combines the elements of a Type I report but requires extensive testing over a defined period of time. Which is more appropriate for your organization? In accountant speak, it depends.

Consider these objectives: Determine what your customers require and where you’re operating an IT controls need improvement; are your policies and procedures well documented; and how much can you afford. In general, a Company would first perform a Type I, then a Type II SAS 70 audit. You may not have been reviewing firewall logs or monitoring user access to your exchange server over a six month period in order to perform a Type II audit. Therefore, a Type I would be more suitable.  In addition, performing a Type I audit first would allow you to quickly learn the areas of improvement with your IT framework. Which type SAS 70 audit are you pursuing and what are your objectives? Sas70expert@gmail.com