Regulatory Compliance, Governance and Security

Jan 11 2010   2:03PM GMT

SAS 70 Audit Scope for Type I and Type II Audits | Important Advice



Properly scoping a SAS 70 Type I or SAS 70 Type II audit is an extremely important component of the audit process itself. Why? Because as a service organization undergoing a SAS 70 audit, your goal is to have a report produced and issued to you that meets your clients expectations for quality and covers all critical components within your operations. Too small an audit scope and the report may lack the quality you or your clients expect.

All SAS 70 reports start off with a baseline of highly accepted and recognized control objectives that you would test for in essentially any organization, regardless if they are a data center or a widget company. Control “areas” such as Human Resources, Executive Management, Physical Security, Environmental Security, just to name a few, are excellent examples. The ingredient to success for your SAS 70 audit is the ability to adequately identify the specific “business process” controls within your organization. For example, a data center could possibly test various controls related to “managed services”, while a widget company would test controls related to the building of widgets and what operational activities surround these activities. Simple example, but get the point? Talk to the CPA firm conducting your SAS 70 audit to ensure they will be testing for specific “business processes” within your SAS 70. After all, this is what creates true value in your report.

To learn more about SAS 70 audits, visit the official SAS 70 Resource Guide.

 Comment on this Post

There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

Share this item with your network: