SAS 70

December 23, 2008  5:58 PM

Are we ready for a multi-task ID card? SAS 70

Keith Harrell Profile: SAS70ExPERT

Recently I received my credit card statement and the interest rate had increased to 35%. This was not the Christmas present I was expecting. I am so glad Congress has enacted new rules to prevent this type of customer service from happening to you.


As the government continues to provide bailouts, I was thinking that we should provide America with a hand-up. Since credit card companies can charge 35% interest, I think that we should take some of these funds back in a national Technology tax. This tax would be used to fund regional datacenters all across America. Just like the library system, one would be located near you to store critical data about you. It also could be used to provide co-location space to new businesses.


At birth, each American will receive their social security card with a computer chip. This chip would store your unique ID to provide you with access to government services – including social security, driver's license, fingerprint, and tax information. In addition, you as a consumer could add other enrollment programs to the card – your frequent flyer ID, your credit card, your garage door opener. It would be a National ID that can be used for multi-tasking.


This card could be outsourced to credit card companies as another form of revenue. Aren’t you tired of carrying a wallet full of cards? Why not have one!


December 23, 2008  7:02 AM

Risk Management in times of adversity – SAS70

Keith Harrell Profile: SAS70ExPERT

In these troubled times, are you ready? Is your IT budget aligned with your projected revenues? Do you have appropriate staffing or must you outsource? Have you requested your outsourced provider to perform a SAS 70 audit? Mr CIO, you must be ready in order to manage successfully.

Wikipedia states: “The objective of risk management is to reduce different risks related to a preselected domain to an acceptable level. It may refer to numerous types of threats caused by environment, technology, humans, organizations and politics.

Risk management is a structured approach to managing uncertainty related to a threat, a sequence of human activities including: risk assessment, strategies development to manage it, and mitigation of risk using managerial resources.

The strategies include transferring the risk to another party, avoiding the risk, reducing the negative effect of the risk, and accepting some or all of the consequences of a particular risk.”

What is your risk management strategy?

December 22, 2008  2:09 AM

Has the new Active Directory evolved to meet the needs of the Users – SAS70

Keith Harrell Profile: SAS70ExPERT

With the release of Windows 2000, Active Directory first appeared and is now on its fourth version. New changes with Windows Server 2008 are: a new domain controller model aimed at branches, new object restoration options, the ability to take snapshot backups, and more flexible password policies. When performing a SAS 70 audit, many auditors use applications, such as DumpSec, to gather information that is stored in Active Directory. What tools do you use to gather user permissions within your applications?

December 20, 2008  6:34 AM

IFRS – Ready, set, GO!!! SAS70

Keith Harrell Profile: SAS70ExPERT

The Securities and Exchange Commission has published its long-delayed roadmap for the transition from U.S. generally accepted accounting principles to International Financial Reporting Standards. What effect will this have on the SAS 70 standard?

The roadmap was originally announced in August, but had been delayed by the global financial crisis. It aims to move U.S. companies from U.S. GAAP to International Financial Reporting Standards, with most large companies making the transition in 2014. However, the 20 largest U.S. companies in a given industry according to market capitalization can begin transitioning in 2010 for their financial statements beginning after Dec. 15, 2009. Will this affect your SAS 70 audit?

December 18, 2008  9:15 PM

Top 10 business risks in 2009 – SAS70

Keith Harrell Profile: SAS70ExPERT

For 2009, Ernst and Young has compiled the top 10 business risks for your company's operations. As regulation and compliance is #2, SAS 70 audits should be a priority to complete in 2009.

With the downturn in the economy, your controls should not be the first area to fall. If you must conserve, turn to green controls or automate your controls using technology. Develop a long-term relationship with a respectable IT auditor that has experience in your industry. Their advice may cost upfront, but the potential revenue growth can be exponential.

Here are the risks:

  1. The credit crunch. (Number 2 in the 2008 report.)
  2. Regulation and compliance. (Number 1 last year.)
  3. Deepening recession. (New this year)
  4. Radical greening. (9)
  5. Non-traditional entrants. (16)
  6. Cost cutting. (8)
  7. Managing talent. (11)
  8. Executing alliances and transactions. (7)
  9. Business model redundancy. (New)
  10. Reputation risks. (22)

December 17, 2008  9:40 PM

Would it be better to have a digital revolution instead of a stimulus package for Christmas? SAS70

Keith Harrell Profile: SAS70ExPERT

President Obama is asking taxpayers to fund the current state of economic affairs with another stimulus package. How much money can we print before we go bankrupt? I think we need a new vision to revolutionize our industries and create a better life for Americans… a digital vision/revolution. SAS 70 audits would be the police force that keeps us from getting into this situation again. This digital revolution needs to be a partnership of industry and government to bring technology to every city in America.

December 16, 2008  6:30 AM

Are you an IT Leader with a SAS70 badge?

Keith Harrell Profile: SAS70ExPERT

TechRepublic recently noted the 10 most influential leaders in IT and they are noted below. What does it take to be an IT leader with a SAS70 audit badge? Several things these great leaders have in common are:

1) Each of these leaders is a visionary in their field. They know enough about their industry and company to be able to successfully predict the next technological revolution and be ready to take action.

2) A strong work ethic. These leaders knew that hard work would provide opportunity for themselves and their staff.

3) These IT leaders were able to take complex organizational structures and make them successful growing corporations. “Keep it simple stupid” is really a learned form of business acumen that guides business strategy for successful leaders.

4) Each of these companies takes IT security issues seriously, and has security programs that are responsive to customer requests. Not everyone is perfect, but these companies have taken their customers' data and needs seriously and take steps daily to protect them.

5) They all have a SAS 70 audit completed on their Company to provide evidence that their internal controls are sound.

10. Bill Gates, Microsoft

At the end of June, Microsoft Chairman Bill Gates stepped down from his full-time job at the world’s largest software company (he remains chairman and still spends about 20% of his working hours on Microsoft stuff). True to his word, Gates has stepped back from the spotlight. However, he still casts a huge shadow over the business technology world, in part because a number of his visions have not come to fruition yet – most notably his ideas for next generation computer interfaces – and partly because Microsoft CEO Steve Ballmer was so erratic in 2008 (ahem, Yahoo debacle) and has yet to articulate a clear vision for how Microsoft will innovate business software in the years ahead.

9. Mark Templeton, Citrix

Citrix was supposed to have been eliminated years ago when Microsoft started bundling Terminal Services into Windows Server. However, it never happened. Under the leadership of President and CEO Mark Templeton, Citrix has done two things to remain relevant: 1.) expand its product lines and 2.) re-market itself to fit the changing times. Citrix has chosen its acquisitions wisely, with wins such as Xen virtualization software and GoToMeeting and GoToMyPC for remote workers. Meanwhile, Templeton, a former marketing executive, has re-fashioned the company by successfully hitching its wagon to virtualization. For example, terminal services is now application virtualization for Citrix. It also doesn’t hurt that Citrix’s software also goes a step beyond the version of Terminal Services that you get in Windows, and Citrix has also aggressively partnered with Microsoft.

8. Steve Jobs, Apple

Apple and its CEO Steve Jobs have had a far larger impact on consumer computing than business systems over the past several years, but Apple made one move in 2008 that was significant enough to land Jobs on this list on its merits alone. In a software update in mid-2008, Jobs and Apple took their highly successful iPhone and connected it with Exchange ActiveSync, making it capable of enterprise-class e-mail, contacts, and calendaring. This also made the iPhone a much stronger competitor to BlackBerry, Windows Mobile, and Symbian. However, the iPhone’s meteoric ascent hasn’t hurt the big smartphone vendors – at least not yet. It has actually brought more awareness to smartphones (making it a required tool for knowledge workers) and helped expand the overall smartphone market. These aren’t just tools for executives, salespeople, financial nerds, and bureaucrats anymore.

7. Safra Catz, Oracle

When you have a company that makes almost 50% of its revenue from existing software and support contracts, then it’s critical to have a leader who can drive operational efficiency. For enterprise software giant Oracle, that leader is Safra Catz, its President and former CFO. While CEO Larry Ellison remains the highly-colorful figurehead of the company, Catz is the one in charge of integrating its steady stream of acquisitions – 10 in 2008 – and handling the company’s operational strategy. With Microsoft nipping at its heels from the SMB side and SAP and IBM trying to steal away enterprise accounts, Oracle’s empire should be shrinking, but it’s not. It has put together the most diverse set of enterprise software products and it has assimilated them very well under Catz’s leadership. She is one of only two non-CEOs on this list, but the successes of Oracle’s acquisitions make her a worthy addition.

6. Eric Schmidt, Google

While Google ultimately aims for a broader consumer focus of building great tools to broaden the power of the Internet, the company is quietly making inroads with its business technology products. Whether it’s the expansion of Gmail functionality to become a true competitor to Microsoft Outlook, large organizations such as the Washington D.C. municipality migrating from Microsoft Office to Google Apps, the continued expansion of the Google enterprise search appliances, or the potential for Android smartphones to become powerful business devices, you can see Google methodically moving into the enterprise arena. And don’t forget that Google Chairman/CEO Eric Schmidt previously worked for two enterprise vendors, Sun Microsystems and Novell.

5. Marc Benioff,

There’s no better success story for cloud computing and software as a service (SaaS) in the business world than The Web-based CRM tool continued its meteoric growth in 2008 and its Chairman/CEO Marc Benioff continued to wave the flag for SaaS as the next great evolution in the business technology world. If he has his way, Benioff will take beyond CRM and build the world’s first great cloud computing platform for businesses. Don’t count him out.

4. Anne Mulcahy, Xerox

During the past five years, Anne Mulcahy – as Xerox CEO and Chairman – has turned around the fortunes of the company that was once synonymous with the photocopier. Mulcahy instituted strict financial discipline including major cost cuts, while also ramping up Xerox’s services business, pushing innovation with expanded research and development efforts, and growing its footprint in emerging markets. Ironically, Xerox consultants now show companies how to save paper and reduce the number of printers – often by replacing a bunch of HP printers with one big machine from Xerox.

3. Craig Barrett, Intel

With Bill Gates fading into the sunset, Intel Chairman Craig Barrett has emerged as one of the IT industry’s chief ambassadors. He traveled to over 30 countries in 2008, met with various heads of state, and served as the chair of a United Nations task force on technology in the developing world. “Technology is a tool to address some of the world’s most pressing challenges related to health care, education, economic development and the environment,” said Barrett. This broader vision of the role of technology in society is fueling Intel’s strategy as the company continues to drive down the cost of computers with chips that are smaller, less expensive, and cost less to operate.

2. John Chambers, Cisco

Cisco continues to completely dominate the enterprise networking market. Now, it’s trying to do the same in the small and medium business market. Its telepresence systems are also poised for a big breakthrough as the price of the product drops and businesses cut their travel budgets in these lean economic times. Now, it’s also rumored that Cisco will enter the blade server market. Chambers is a high-energy visionary with lots of discipline, and he has Cisco hitting on all cylinders.

1. Mark Hurd, Hewlett-Packard

Last year, I left Mark Hurd off the list and even remarked that Carly Fiorina deserved a lot of the credit for Hewlett-Packard’s resurgence because its roots are based in the HP-Compaq merger, which Fiorina had the guts to do. But, it becomes clearer every year that Hurd is making the right calls and motivating the various HP divisions to execute. HP is back on top in the PC market (having overtaken Dell), it is tied for the lead in servers with IBM, and it is even making strong moves in the networking market with its ProCurve gear. Plus, it bought EDS in 2008 to expand its footprint in IT services. All of the while, it has allowed its incumbent printer business to quietly take a back seat. That’s why HP is doing so well, even in the face of economic headwinds, and that’s why Hurd deserves the top spot on this list.


December 12, 2008  12:01 AM

Will 2009 be a better year? SAS70

Keith Harrell Profile: SAS70ExPERT

With a new election just completed, will our future be brighter in 2009? I hope it will be. It seems there is never enough time to get all the work completed, document all the workpapers, and provide exceptional client service. Here are some wishes for your business in 2009:

1) Your SAS 70 audit will be a success.

2) You will find too many customers who want to pay you too much on the same day that you run out of coffee.

3) Every city in America will realize the value of information and access to the internet. Therefore, the U.S. Government will offer low interest loans to build a data center in every city.

4) You learn how to work smarter, not harder. Take advantage of your access to a local data center and further your education. Perform research with your neighbors across the world and develop new technologies.

5) The new technologies will lead you to new successful business ventures that will complement or add to your current services.

December 9, 2008  1:16 AM

Third party services and SAS70 audit

Keith Harrell Profile: SAS70ExPERT

During a SAS 70 audit, an auditor may examine any relationships with third parties. Any third party agreements or service level agreements should contain:

1. procedures to protect all outsourced data, applications or hardware

2. a description of the services provided and the target level of services

3. the establishment of an escalation process should an incident occur

4. the right to audit and determine that they are adhering to your agreement

5. the respective liabilities of both parties should an incident occur.


During a SAS70 audit, you have a choice to exclude your outsourced services or include them in the examination. I would recommend you include them, especially if they are essential to the services you are providing to your customers.



December 7, 2008  1:24 PM

Importance of User access policy? SAS70

Keith Harrell Profile: SAS70ExPERT

Recently, I was on a plane flying home and started talking to a CIO about his SAS 70 audit. He seemed dismayed about a former trusted employee taking proprietary data from his company. He noted that they had a policy in place to remove the terminated employee from the company applications; however, this employee was able to walk away with the company’s list of customers.


Authorization of access to company applications and removal is a critical process that should be documented and followed by all employees, including executives. In our discussions, he noted that the CEO was a mover and shaker, but he did not always follow company procedures. This loss of data was a direct result of not following policy.


It is critical to a company and to the SAS 70 audit examination that employees and executives follow company policy for granting and removing access to company applications. Otherwise, why have a policy? Give everyone administrative access.


A good policy should require IT to only be the custodian of applications. They should only provide access when authorized by the business operations and initiated by human resources.
