SAS 70

January 5, 2019  5:45 PM

Good Habits for Great Coding

Keith Harrell Profile: SAS70ExPERT

The recent emphasis on coding, automation and technology in general has led to a surge in interest among otherwise non-technical professionals in computer programming and its ancillary skills and experience types. As a result, a lot of people are trying to figure out the best way to incorporate their new skillsets into their daily work, and to find ways to do their jobs well at the same time.

Computer programming is unique among creative professions because it combines two fairly disparate disciplines. On the one hand, programming is very much like writing composition, where imagination and lyrical expression are employed to create imagery and a fictive dream. On the other hand, programming is applied mathematics, where logic, precision and trial and error are synthesized into a set of instructions that can be properly followed by a microprocessor.

Doing the job of programming well, therefore, has its share of challenges.


The bane of programming well is distraction. You simply cannot write good code, nor can you test or evaluate the systems you have already developed if you are being pulled out of the zone constantly. Nowhere is this more apparent than in your choice of tools.

Like a carpenter, you must use tools that are a natural extension of not only your physical needs but also your thinking process. If you are fighting your tools you will not produce good work no matter how skilled or how experienced you are.

Low-Level Access

Everyone has their preferences when it comes to the right tools. When working with a computer, even if you aren’t writing highly optimized drivers or some kind of firmware, you should be certain you have as low a level of access to the machine as possible. “Low” vs. “high” in this context means you are looking for direct access to the hardware. You don’t want to be building systems that require you to constantly unlock doors between where you are and where your system resources live.

For some kinds of projects, this may not turn out to be all that important. But for others, it is vital. You can’t write good code if you don’t have access to the machine.

The Right Language 

Like cars, computer programming languages are suited for different kinds of tasks. You wouldn’t deliver lumber in a Ferrari, nor would you enter your paint truck at Le Mans. The same principles apply if you are choosing a language. For example, if your purpose is to process and filter a great deal of text such as that found in a system log, then Perl is the obvious choice. On the other hand, if you are writing a printer driver, Perl probably isn’t going to serve as well as C.

Your choice of language is going to depend quite a bit on your experience as a programmer, and the number of languages you’ve utilized. A good piece of advice is to experiment with as many languages as you can early in your career so if you do choose to specialize at some point you will know which languages suit which projects.

Best Practices 

It might seem that programming depends heavily on planning ahead of time, and that is true to a certain extent. Choosing the right tools, getting complete access to your machine and choosing the right language are steps that will cut a huge amount of potential hindrance out of your project long before you ever start writing your first functions.

Aside from your choice of tools and languages, the key to writing good code is to write good comments and to keep a log of your activities. Nothing is more expensive than the second solution to the same problem, and if you don’t have a complete record of what you did, then you will never be able to draw on your own experiences efficiently. Computer programming is far too large a subject to manage by anecdote and vague memories of what worked before. From the moment you start writing actual code, you need to think like a scientist or a detective and document everything you do and every reference you consult.

Programming is a lot like flying. Once you know the basic principles, what language you choose and what platform you are on makes little difference. It is very similar to a pilot with a choice between a 737 and a Beechcraft. Flying is flying. Everything else is where to find the right controls.

December 23, 2008  5:58 PM

Are we ready for a multi-task ID card? SAS 70

Keith Harrell Profile: SAS70ExPERT

Recently I received my credit card statement and the interest rate had increased to 35%. This was not the Christmas present I was expecting. I am so glad Congress has enacted new rules to prevent this type of customer service from happening to you.


As the government continues to provide bailouts, I was thinking that we should provide America with a hand-up. Since credit card companies can charge 35% interest, I think that we should take some of these funds back in a national Technology tax. This tax would be used to fund regional datacenters all across America. Just like the library system, one would be located near you to store critical data about you. It also could be used to provide co-location space to new businesses.


At birth, each American will receive their social security card with a computer chip. This chip would store your unique id to provide you with access to government services – including social security, driver’s license, fingerprint, and tax information. In addition, you, as a consumer, could add other enrollment programs to the card – your frequent flyer id, your credit card, your garage door opener. It would be a National ID that can be used for multi-tasking.


This card could be outsourced to credit card companies as another form of revenue. Aren’t you tired of carrying a wallet full of cards – why not have one!


December 23, 2008  7:02 AM

Risk Management in times of adversity – SAS70

Keith Harrell Profile: SAS70ExPERT

In these troubled times, are you ready? Is your IT budget aligned with your projected revenues? Do you have appropriate staffing or must you outsource? Have you requested your outsourced provider to perform a SAS 70 audit? Mr CIO, you must be ready in order to manage successfully.

Wikipedia states: “The objective of risk management is to reduce different risks related to a preselected domain to an acceptable level. It may refer to numerous types of threats caused by environment, technology, humans, organizations and politics.

Risk management is a structured approach to managing uncertainty related to a threat, a sequence of human activities including: risk assessment, strategies development to manage it, and mitigation of risk using managerial resources.

The strategies include transferring the risk to another party, avoiding the risk, reducing the negative effect of the risk, and accepting some or all of the consequences of a particular risk.”

What is your risk management strategy?

December 22, 2008  2:09 AM

Has the new Active Directory evolved to meet the needs of the Users – SAS70

Keith Harrell Profile: SAS70ExPERT

With the release of Windows 2000, Active Directory first appeared and is now on its fourth version. New changes with Windows Server 2008 are: a new domain controller model aimed at branches, new object restoration options, the ability to take snapshot backups, and more flexible password policies. When performing a SAS 70 audit, many auditors use applications, such as dumpsec, to gather information that is stored in Active Directory. What tools do you use to gather user permissions within your applications?

December 20, 2008  6:34 AM

IFRS – Ready, set, GO!!! SAS70

Keith Harrell Profile: SAS70ExPERT

The Securities and Exchange Commission has published its long-delayed roadmap for the transition from U.S. generally accepted accounting principles to International Financial Reporting Standards. What effect will this have on the SAS70 standard?

The roadmap was originally announced in August, but had been delayed by the global financial crisis. It aims to move U.S. companies from U.S. GAAP to International Financial Reporting Standards, with most large companies making the transition in 2014. However, the 20 largest U.S. companies in a given industry according to market capitalization can begin transitioning in 2010 for their financial statements beginning after Dec. 15, 2009. Will this affect your SAS 70 audit?

December 18, 2008  9:15 PM

Top 10 business risks in 2009 – SAS70

Keith Harrell Profile: SAS70ExPERT

For 2009, Ernst and Young has compiled the top 10 business risks for your company’s operations. As regulation and compliance is #2, SAS 70 audits should be a priority to complete in 2009.

With the downturn in the economy, your controls should not be the first area to fall. If you must conserve, turn to green controls or automate your controls using technology. Develop a long-term relationship with a respectable IT auditor that has experience in your industry. Their advice may cost upfront, but the potential revenue growth can be exponential.

Here are the risks:

  1. The credit crunch. (Number 2 in the 2008 report.)
  2. Regulation and compliance. (Number 1 last year.)
  3. Deepening recession. (New this year)
  4. Radical greening. (9)
  5. Non-traditional entrants. (16)
  6. Cost cutting. (8)
  7. Managing talent. (11)
  8. Executing alliances and transactions. (7)
  9. Business model redundancy. (New)
  10. Reputation risks. (22)

December 17, 2008  9:40 PM

Would it be better to have a digital revolution instead of a stimulus package for Christmas? SAS70

Keith Harrell Profile: SAS70ExPERT

President Obama is asking taxpayers to fund the current state of economic affairs with another stimulus package. How much money can we print before we go bankrupt? I think we need a new vision to revolutionize our industries and create a better life for Americans… a digital vision/revolution. SAS 70 audits would be the police force that keeps us from getting into this situation again. This digital revolution needs to be a partnership of industry and government to bring technology to every city in America.

December 16, 2008  6:30 AM

Are you an IT Leader with a SAS70 badge?

Keith Harrell Profile: SAS70ExPERT

TechRepublic recently noted the 10 most influential leaders in IT and they are noted below. What does it take to be an IT leader with a SAS70 audit badge? Several things these great leaders have in common are:

1) Each of these leaders is a visionary in their field. They know enough about their industry and company to be able to successfully predict the next technological revolution and be ready to take action.

2) A strong work ethic. These leaders knew that hard work would provide opportunity for themselves and their staff.

3) These IT leaders were able to take complex organizational structures and make them successful growing corporations. “Keep it simple stupid” is really a learned form of business acumen that guides business strategy for successful leaders.

4) Each of these companies takes IT security issues seriously, and has security programs that are responsive to customer requests. Not everyone is perfect, but these companies have taken their customers’ data and needs seriously and take steps daily to protect them.

5) They all have a SAS 70 audit completed on their Company to provide evidence that their internal controls are sound.

10. Bill Gates, Microsoft

At the end of June, Microsoft Chairman Bill Gates stepped down from his full-time job at the world’s largest software company (he remains chairman and still spends about 20% of his working hours on Microsoft stuff). True to his word, Gates has stepped back from the spotlight. However, he still casts a huge shadow over the business technology world, in part because a number of his visions have not come to fruition yet – most notably his ideas for next generation computer interfaces – and partly because Microsoft CEO Steve Ballmer was so erratic in 2008 (ah hem, Yahoo debacle) and has yet to articulate a clear vision for how Microsoft will innovate business software in the years ahead.

9. Mark Templeton, Citrix

Citrix was supposed to have been eliminated years ago when Microsoft started bundling Terminal Services into Windows Server. However, it never happened. Under the leadership of President and CEO Mark Templeton, Citrix has done two things to remain relevant: 1.) expand its product lines and 2.) re-market itself to fit the changing times. Citrix has chosen its acquisitions wisely, with wins such as Xen virtualization software and GoToMeeting and GoToMyPC for remote workers. Meanwhile, Templeton, a former marketing executive, has re-fashioned the company by successfully hitching its wagon to virtualization. For example, terminal services is now application virtualization for Citrix. It also doesn’t hurt that Citrix’s software also goes a step beyond the version of Terminal Services that you get in Windows, and Citrix has also aggressively partnered with Microsoft.

8. Steve Jobs, Apple

Apple and its CEO Steve Jobs have had a far larger impact on consumer computing than business systems over the past several years, but Apple made one move in 2008 that was significant enough to land Jobs on this list on its merits alone. In a software update in mid-2008, Jobs and Apple took their highly successful iPhone and connected it with Exchange ActiveSync, making it capable of enterprise-class e-mail, contacts, and calendaring. This also made the iPhone a much stronger competitor to BlackBerry, Windows Mobile, and Symbian. However, the iPhone’s meteoric ascent hasn’t hurt the big smartphone vendors – at least not yet. It has actually brought more awareness to smartphones (making it a required tool for knowledge workers) and helped expand the overall smartphone market. These aren’t just tools for executives, salespeople, financial nerds, and bureaucrats anymore.

7. Safra Catz, Oracle

When you have a company that makes almost 50% of its revenue from existing software and support contracts, then it’s critical to have a leader who can drive operational efficiency. For enterprise software giant Oracle, that leader is Safra Catz, its President and former CFO. While CEO Larry Ellison remains the highly-colorful figurehead of the company, Catz is the one in charge of integrating its steady stream of acquisitions – 10 in 2008 – and handling the company’s operational strategy. With Microsoft nipping at its heels from the SMB side and SAP and IBM trying to steal away enterprise accounts, Oracle’s empire should be shrinking, but it’s not. It has put together the most diverse set of enterprise software products and it has assimilated them very well under Catz’s leadership. She is one of only two non-CEOs on this list, but the successes of Oracle’s acquisitions make her a worthy addition.

6. Eric Schmidt, Google

While Google ultimately aims for a broader consumer focus of building great tools to broaden the power of the Internet, the company is quietly making inroads with its business technology products. Whether it’s the expansion of Gmail functionality to become a true competitor to Microsoft Outlook, large organizations such as the Washington D.C. municipality migrating from Microsoft Office to Google Apps, the continued expansion of the Google enterprise search appliances, or the potential for Android smartphones to become powerful business devices, you can see Google methodically moving into the enterprise arena. And don’t forget that Google Chairman/CEO Eric Schmidt previously worked for two enterprise vendors, Sun Microsystems and Novell.

5. Marc Benioff,

There’s no better success story for cloud computing and software as a service (SaaS) in the business world than The Web-based CRM tool continued its meteoric growth in 2008 and its Chairman/CEO Marc Benioff continued to wave the flag for SaaS as the next great evolution in the business technology world. If he has his way, Benioff will take beyond CRM and build the world’s first great cloud computing platform for businesses. Don’t count him out.

4. Anne Mulcahy, Xerox

During the past five years, Anne Mulcahy – as Xerox CEO and Chairman – has turned around the fortunes of the company that was once synonymous with the photocopier. Mulcahy instituted strict financial discipline including major cost cuts, while also ramping up Xerox’s services business, pushing innovation with expanded research and development efforts, and growing its footprint in emerging markets. Ironically, Xerox consultants now show companies how to save paper and reduce the number of printers – often by replacing a bunch of HP printers with one big machine from Xerox.

3. Craig Barrett, Intel

With Bill Gates fading into the sunset, Intel Chairman Craig Barrett has emerged as one of the IT industry’s chief ambassadors. He traveled to over 30 countries in 2008, met with various heads of state, and served as the chair of a United Nations task force on technology in the developing world. “Technology is a tool to address some of the world’s most pressing challenges related to health care, education, economic development and the environment,” said Barrett. This broader vision of the role of technology in society is fueling Intel’s strategy as the company continues to drive down the cost of computers with chips that are smaller, less expensive, and cost less to operate.

2. John Chambers, Cisco

Cisco continues to completely dominate the enterprise networking market. Now, it’s trying to do the same in the small and medium business market. Its telepresence systems are also poised for a big breakthrough as the price of the product drops and businesses cut their travel budgets in these lean economic times. Now, it’s also rumored that Cisco will enter the blade server market. Chambers is a high-energy visionary with lots of discipline, and he has Cisco hitting on all cylinders.

1. Mark Hurd, Hewlett-Packard

Last year, I left Mark Hurd off the list and even remarked that Carly Fiorina deserved a lot of the credit for Hewlett-Packard’s resurgence because its roots are based in the HP-Compaq merger, which Fiorina had the guts to do. But, it becomes clearer every year that Hurd is making the right calls and motivating the various HP divisions to execute. HP is back on top in the PC market (having overtaken Dell), it is tied for the lead in servers with IBM, and it is even making strong moves in the networking market with its ProCurve gear. Plus, it bought EDS in 2008 to expand its footprint in IT services. All of the while, it has allowed its incumbent printer business to quietly take a back seat. That’s why HP is doing so well, even in the face of economic headwinds, and that’s why Hurd deserves the top spot on this list.


December 12, 2008  12:01 AM

Will 2009 be a better year? SAS70

Keith Harrell Profile: SAS70ExPERT

With a new election just completed, will our future be brighter in 2009? I hope it will be. It seems there is never enough time to get all the work completed, document all the workpapers, and provide exceptional client service. Here are some wishes for your business in 2009:

1) your SAS 70 audit will be a success.

2) you will find too many customers who want to pay you too much on the same day that you run out of coffee.

3) Every city in America will realize the value of information and access to the internet. Therefore, the U.S. Government will offer low interest loans to build a Data center in every city.

4) You learn how to work smarter, not harder. Take advantage of your access to a local data center and further your education. Perform research with your neighbors across the world and develop new technologies.

5) The new technologies will lead you to new successful business ventures that will complement or add to your current services.

December 9, 2008  1:16 AM

Third party services and SAS70 audit

Keith Harrell Profile: SAS70ExPERT

During a SAS 70 audit, an auditor may examine any relationships with third parties. Any third party agreements or service level agreements should contain:

1. procedures to protect all outsourced data, applications or hardware

2. a description of the services provided and the target level of services

3. the establishment of an escalation process should an incident occur

4. the right to audit and determine that they are adhering to your agreement

5. the respective liabilities of both parties should an incident occur.


During a SAS70 audit, you have a choice to exclude your outsourced services or include them in the examination. I would recommend you include them, especially if they are essential to the services you are providing to your customers.


