During a SAS 70 audit, an auditor may examine any relationships with third parties.  Any third party agreements or service level agreements should contain:

1.       procedures to protect all outsourced data, applications or hardware

2.       a description of the services provided and the target level of services

3.       the establishment of an escalation process should an incident occur

4.       the right to audit and determine that they are adhering to your agreement

5.       the respective liabilities of both parties should an incident occur.

During a SAS70 audit, you have a choice to exclude your outsourced services or include them in the examination. I would recommend you include them, especially if they are essential to the services you are providing to your customers. SAS70ExPERT@gmail.com

Before outsourcing to save funds, make sure you have a defined plan. Without it, one small security breach of a politicians’ social security number can destroy your company reputation and your ability to generate new business. This plan should included:

1)definitions related to service levels. You will require your vendor to have uptime of at least 99%.

2) the ability to process your information quickly. Customers accesses your company website and purchasing items should occur relatively fast.

3) reporting functions which allow you monitoring capability and to  capture your data and analyze.

4) a Disaster Recovery plan, a single hardware failure can result in the loss of business.

SAS70expert@gmail.com

During a SAS70 audit, an auditor may examine any relationships with third parties.  Any third party agreements or service level agreements should contain:

1.       procedures to protect all outsourced data, applications or hardware

2.       a description of the services provided and the target level of services

3.       the establishment of an escalation process should an incident occur

4.       the right to audit and determine that they are adhering to your agreement

5.       the respective liabilities of both parties should an incident occur.

During a SAS70 audit, you have a choice to exclude your outsourced services or include them in the examination. I would recommend you include them, especially if they are essential to the services you are providing to your customers. SAS70ExPERT@gmail.com

Access rights for current employees are essential for the completion of a successful audit. Your company should have a hiring and firing policy that is followed to the letter of the law. When an employee is hired or fired they should have an authorization process to add or delete from company systems or applications. It is essential that you educate your current employees, contractors, an third party users on this process on a continual basis.

Your company should company not only operating systems or applications, but physical access to company assets. Shared passwords or usernames should be immediately deactivated once an employee or third party leaves. When developing a policy for hiring or terminating consider:

1.       whether the termination or change of employment will be initiated by your or a third party

2.       the current responsibilities of the employee

3.       the value of the company assets or data that the employee has access too.

Without a good termination policy or checklist, you will have exceptions within your SAS 70 audit. SAS70ExPERT@gmail.com

During the SAS70 audit, an examination will be performed on your data backup process. If you have outsourced this to a local vendor, you are still responsible for making sure that your data is kept safe, secure, and is backed up properly. Hosted or online backup processes are very attractive for small to medium size businesses. Why? They don’t have to maintain the expertise internally and the IT equipment is expensive.

How best do you manage your backup provider? Be sure to have a service level agreement in place. The service level agreement should provide you response times for when you need help. And you will! When you need to find that lost report that is due for your presentation today, you will want the file restored today – NOT in 24-36 hours. In addition, review your own internet connection as you will need a fast one to transfer your data. Does your outsourced vendor take care of your needs? SAS70ExPERT@gmail.com

Outsourcing your data backup process – SAS70

During the SAS70 audit, an examination will be performed on your data backup process. If you have outsourced this to a local vendor, you are still responsible for making sure that your data is kept safe, secure, and is backed up properly. Hosted or online backup processes are very attractive for small to medium size businesses. Why? They don’t have to maintain the expertise internally and the IT equipment is expensive.

How best do you manage your backup provider? Be sure to have a service level agreement in place. The service level agreement should provide you response times for when you need help. And you will! When you need to find that lost report that is due for your presentation today, you will want the file restored today – NOT in 24-36 hours. In addition, review your own internet connection as you will need a fast one to transfer your data. Does your outsourced vendor take care of your needs? SAS70ExPERT@gmail.com

Which new technologies are you adopting? With Web 2.0, social networking, wikis, and blogs – oh mY! With so many new avenues to penetrate your market, the decisions you make today can effect the success of your SAS 70 audit. When evaluating new technology, always first determine your company objectives as we previously discussed. In addition, you will need to remember to consider what new security features must be implemented in your computing environment to prevent downtime. It is essential early in the process that you identify the threats, the risks, and then create a plan.

 In identifying threats, the assessment team must consider who or what could compromise a target system’s components such that the system’s security attributes would be jeopardized. You should focus on how the information assets and components differ from what you already have. In identifying the security risks, consider what will th total potential impact on the organization. When your system is compromised – and it will be – how would you handle the loss of critical data?

To address technology security risks, requires a documented plan and you must train your employees on how to enact the plan. The SAS70 audit will require you to have a plan in place and it will examine who are the participants in the plan. The plan should include not only IT, but operations and senior management. Where is your security plan? SAS70ExPERT@gmail.com

When selecting the outsourced vendor, carefully screen each vendor to determine if they have the necessary expertise to perform on time and after hours when emergencies occur. Don’t just go to lunch with the local sales representative and expect him to be there when an emergency occurs. Be sure to get all guarantees in writing, and a service level agreement is required. Due diligence is required to understand and compare the capabilities in order to meet corporate objectives. sas70expert@gmail.com

At 5pm, the CEO returned to his office with a cup of coffee and a very unpleasant frown. He barked out a few orders to his administrative assistant. I knew then that ….it was all going to roll down hill. Apparently, an IT Director signed a vendor contract with some very unfavorable terms. Luckily, the IT Director was no longer with the Company, therefore, the CIO, was the one who would be assigned the cleanup work.

In order to deal with this situation, the CIO would have to quickly understand the requirements of the CEO and the expectations of the vendor. If he failed at delivering for either of them, then the effects could have serious consequences on IT operations. These types of political maneuvers happen everyday and it takes a skillful politician as a CIO to produce favorable results.

A CIO can use her political skills to effectively deal with a SAS70 audit. When an auditor identifies an audit exception, the CIO may fully agree with the auditor; however, the description of the audit exception may need to be qualified in order to maintain a close relationship with the CEO. Sometimes, negotiations are even held over simple words, such as “sometimes” as they can make a big difference in the eyes of the Board of Directors or Audit Committee. What are some of the circumstances that you may have been involved in? Were you successful in avoiding pitfalls? What worked best for you?

Sas70expert@gmail.com

What’s your plan as a new CIO to make IT operations a success? Consider Jack Ben, newly appointed CIO. In his new role, he assumes the management and performance of the financial statement application and has to complete a SAS70 audit in six months.. This application has been in use for over 7 years, and much of the customization, reporting, and user access management is performed by a third party vendor. What roadblocks do you face to meeting strategic objectives and making your bonus plan?

Consider the following:

1)      If your vendor performs customization, then the specialized knowledge to maintain new software upgrades, enhancements and reports remain at the vendor. This could wrestle your CIO title to the ground, unless you require the vendor to supply you with instruction manuals, executive level briefing and/or detailed on-line help features.

2)      In addition, is the software code in escrow? In your vendor contract, you should have a requirement that your vendor maintain the source code in a safe and secure lockbox. Even if your vendor doesn’t survive the economy, your source code will! In addition, you could hire your vendor’s coders to work for you.

In a SAS70 audit, if your sole operating system application is managed by an outsourced vendor, the auditor will request that they have a SAS70 audit performed. In addition, they will require that controls that secure your control of the application. What steps have you put in place to manage your outsourced systems? Do you have a comprehensive SLA? Do you have a project leader that monitors your outsourced vendor and your application? sas70expert@gmail.com

As transportation costs continue to skyrocket over the summer, telework/telecommuting is becoming the new trend among office environments. Basically, we have been doing a form of telework by outsourcing all of our jobs overseas, so this premise is not really new, it’s just new for American workers. 92 percent of workers said their work could be performed from home according to a recent survey by advocacy group Telework Exchange. I agree that operating expenses could be reduced by:

1)      less office space per employee

2)      transportation costs are reduced from commuting to work

3)      reduction in computer hardware expenses

But what is the downside of a remote workforce and what effect will that have on company information assets? These information assets are now stored at a families home on First Avenue, in a 3 bedroom, 2 bath, instead of your 5 story office building. These telecommuting risks will need to examined by management and should be considered in a SAS70 audit.

Consider that most employee homes will not have extended physical or environmental security – only garage door locks and an air conditioner. Their computer office could be located next to their children’s bathroom – which is a likely water hazard, in an open space by a garden window. How easy would it be for a burgular to reach in and knock your coffee cup over, and grab your computer from your first floor home office?Really EASY, as I think many homes today still have yet to have a home alarm system on their windows.Critical company information now could be sold on the internet.

In addition, what network security are you assured that they have on their home computer? Do they have the latest virus preventing application? Is their firewall always up and running or might it be turned off to watch a movie?

Is your IT staff prepared to make housecalls? Your company information assets now resids at your employees home. It is now not on the second floor of your office, but could be 20-30 miles to First Avenue home. You now must manage users that are at locations that are spread miles apart? This may be okay if 15% of your workforce is remote, but what if it is 92%? Is your IT staff trained accordingly? If they have to make housecalls, do transportation costs truly decrease? Who is managing the network while your IT Administrator is stuck in traffic on his way to the Marketing Director’s home to fix his computer?

Any third party vendor must complete a SAS70 audit to assure it customer that their data is secure. Are you ready to expand your company floor space beyond the office perimeter? Telecommuting risks must be considered in the SAS70 audit process. What are some of the risks you have identified? Do you even have any policies in place at your company which specifically discuss the do’s and don’t’s of a telecommuter? SAS70ExPERT@gmail.com