SAS 70

September 17, 2008  3:35 PM

Risk Assessments and the SAS 70 audit

Keith Harrell Profile: SAS70ExPERT

Management's risk assessment process is required to be audited in a SAS 70 examination; however, in my experience, most auditors do not adequately review Management's risk assessment process. Without adequate auditing experience, most auditors would not have a basis to determine whether Management had reviewed the control risk universe. In addition, Management mostly does not formally document risks; they are discussed only in Board meetings among C-level executives. The COBIT risk assessment framework can provide Management with the criteria and the details that an inexperienced auditor may use as a guide to examine the risk assessment process.


COBIT consists of the information required to help achieve business objectives. You must first begin with a vulnerability analysis of your business operations. Second, determine the threats that could exploit these vulnerabilities. For example, your greatest risk may be related to legal liability for incorrect financial statements, or something simpler, like the loss of a backup tape that contained your customers' Social Security numbers. Third, determine the impact of this threat: is it a million-dollar monetary fine, or could your license to conduct business be taken away? The conclusion is an action plan, after which the cycle can start again.


When the SAS 70 auditor discusses your risk assessment process, don't be afraid to say that you have it all stored in your brain. Without risk documentation, an experienced auditing firm will assist you in forming a roadmap of the risks to your business success. Mr. CIO, have you determined what your business risks or your information technology risks are today? Have you formally discussed and evaluated them with other C-level executives, or with your peers and associations within your industry? The diagram below shows a formal risk assessment process. Next time we will discuss each of its layers in detail.


[Diagram: formal risk assessment process. Only the label fragment "and Valuation" survived extraction.]

September 14, 2008  11:17 PM

Encrypting for Security – SAS70

Keith Harrell Profile: SAS70ExPERT

SAS 70 audits review not only the security of your networks but also the security of the data transported across them and of the data that remains on your servers and laptops. Before choosing an encryption vendor, there are factors you should consider:

  • What administrative actions are required? Can keys be changed and modified by the user, or does your network administrator have to take action? If a key is compromised, can it be changed at will? If the key is changed, how is the new key recorded and remembered?
  • What steps are taken to manage keys? Are keys kept in a secure database, or are they managed individually? Independent solutions allow you more flexibility, but independent users may not always follow company standards, which may give hackers an opportunity.
  • Are multiple keys supported, and can you create a master key? The more critical and sensitive the data, the harder the key should be to crack.
  • Is there a PKI in the corporation? Does the encryption product integrate with the existing PKI, or does it require its own software in order to function? Any vendor solution should be able to integrate.
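
The key-management questions in the list above (user-changeable keys, what happens when a key is compromised, support for a master key, keys held in a secure store) are easier to evaluate against a concrete design. The Go program below is an added example written for this page, not code from the post or from any encryption vendor. It implements envelope encryption with the standard library's AES-256-GCM: each record is sealed under its own data-encryption key (DEK), and the DEK is stored only wrapped under a named key-encryption key (KEK), which plays the role of the "master key" in the list. The keyStore and record types, the "kek-N" identifiers and the in-memory key map (standing in for an HSM or key-management server) are assumptions for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Hypothetical key-management model for this example, not any vendor's product: every record
// gets its own DEK, stored only wrapped under a named KEK, so changing a KEK never touches data.
type keyStore struct {
	keks    map[string][]byte // KEK id -> AES-256 key (an HSM or KMS in practice)
	revoked map[string]bool   // KEKs that may no longer be used to read data
	current string            // KEK id that wraps new DEKs
}

type record struct {
	kekID      string
	wrappedDEK []byte // DEK sealed under the KEK with AES-256-GCM, nonce prefixed
	ciphertext []byte // data sealed under the DEK with AES-256-GCM, nonce prefixed
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // rejects a nil or wrong-sized key
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func gcmSeal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // fresh nonce per seal; crypto/rand.Read cannot fail since Go 1.24
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func gcmOpen(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], nil) // tag mismatch -> error, never a panic
	}
	return nil, fmt.Errorf("ciphertext of %d bytes is shorter than the nonce", len(sealed))
}

func (ks *keyStore) rotate() { // fresh KEK for all future wraps; older KEKs stay usable until revoked
	k := make([]byte, 32)
	rand.Read(k) // crypto/rand.Read cannot fail since Go 1.24
	ks.current = fmt.Sprintf("kek-%d", len(ks.keks)+1)
	ks.keks[ks.current] = k
}

func (ks *keyStore) encrypt(plaintext []byte) (*record, error) {
	dek := make([]byte, 32)
	rand.Read(dek) // one DEK per record, never reused
	ct, err := gcmSeal(dek, plaintext)
	if err != nil {
		return nil, err
	}
	wrapped, err := gcmSeal(ks.keks[ks.current], dek)
	if err != nil {
		return nil, err
	}
	return &record{kekID: ks.current, wrappedDEK: wrapped, ciphertext: ct}, nil
}

func (ks *keyStore) decrypt(r *record) ([]byte, error) {
	if ks.revoked[r.kekID] {
		return nil, fmt.Errorf("KEK %s is revoked and the record was never rewrapped", r.kekID)
	}
	dek, err := gcmOpen(ks.keks[r.kekID], r.wrappedDEK) // unknown id gives a nil key, rejected in newGCM
	if err != nil {
		return nil, err
	}
	return gcmOpen(dek, r.ciphertext)
}

// rewrap moves a record onto the current KEK without re-encrypting; a revoked KEK is accepted here only because migration is its last legitimate use.
func (ks *keyStore) rewrap(r *record) error {
	dek, err := gcmOpen(ks.keks[r.kekID], r.wrappedDEK)
	if err != nil {
		return err
	}
	wrapped, err := gcmSeal(ks.keks[ks.current], dek)
	if err != nil {
		return err
	}
	r.kekID, r.wrappedDEK = ks.current, wrapped
	return nil
}

func (ks *keyStore) revoke(id string) { ks.revoked[id] = true }
```

The sequence for a suspected compromise is rotate, rewrap every record, then revoke the old KEK: decrypt refuses any record still tied to a revoked key, and the data ciphertext is never rewritten, which is what makes "change the key at will" cheap. The caveat to raise with a vendor is that rewrapping only stops future use of the old key; if the old KEK was actually exposed, every DEK it wrapped must be treated as known, and that data has to be re-encrypted under fresh DEKs before the incident is closed.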

September 12, 2008  5:17 AM

CIOs deserve respect? Are you respectable, and what are these characteristics? SAS70

Keith Harrell Profile: SAS70ExPERT

SAS 70 audits focus on COSO controls and examine the leadership experience and training of executives. CIOs' and CSOs' march to the executive suite takes many paths. Opportunities to lead in the C-level suite come in many forms… some are perhaps luck, others are from angels, but what job titles lead to the CIO or CSO role? According to a recent survey, most CIOs have a background primarily in IT. In recent weeks, I have begun to question this polling, as I have met several well-respected CIOs who understand strategy and operations but do not have a clue as to operating systems, applications or how networks function. In this same poll, only 15% of CIOs and CSOs came from areas outside of IT. What side of the fence do you stand on? Do you think an extensive background and training in information technology makes a difference as a C-level executive? As I consider myself a hybrid with a little knowledge and experience on both sides of the fence, I wonder what is respectable?

September 10, 2008  12:16 AM

11th Commandment – Thou shalt perform the data backup process. – SAS70

Keith Harrell Profile: SAS70ExPERT


It's Monday at 9am. Your server data has been lost. You ask for the backup tape to perform the restore and discover that Friday night's backup process failed. You don't want to start the week off by committing such a sin as to not follow the 11th commandment. The data backup process must occur according to your company schedule, and any identified failures should be noted and resolved. In addition, don't make the mistake of keeping your backup tapes on-site. A SAS 70 audit that focuses on computer operations will examine your processes to confirm that you are adequately performing data backups. The SAS 70 audit will check your compliance with your Company policy: are you required to perform full or incremental backups? How do you know that your backup process was successful? A daily log should be received indicating which file directories and files were backed up and whether the job succeeded. In addition, your backup software should perform a verification process. When an auditor performs the SAS 70 audit, one of the common mistakes by Management is forgetting to review the backup log. Who is in charge of your backup process?
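
The log review the paragraph above calls for can be automated so that a failed or missing night is noticed on Saturday morning rather than Monday. The Go program below is an added example written for this page, not the post's code or any backup product's: it parses a constructed backup log in an assumed key=value format, classifies every scheduled day as ok, unverified, failed-resolved, failed-unresolved or missing, and treats a day with no log line at all as its own finding, since a job that never ran leaves no failure message to read. The sample lines, the field names (job, status, verify, ref) and the RESOLVED acknowledgement convention are assumptions for illustration.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

const dayFmt = "2006-01-02"

// Constructed sample log in an assumed key=value format (real backup software writes its own).
// 2008-09-05 was a Friday: that night's job failed, nothing at all ran on Saturday, and the
// Thursday run completed but failed its read-back verification.
const sampleLog = `
2008-09-01 23:00:12 job=nightly-full status=OK files=18421 verify=pass set=TAPE-0140
2008-09-02 23:00:09 job=nightly-full status=OK files=18466 verify=pass set=TAPE-0141
2008-09-03 23:00:15 job=nightly-full status=FAILED error=tape_write_error set=TAPE-0142
2008-09-04 07:40:00 job=nightly-full status=RESOLVED ref=2008-09-03 note=rerun_to_TAPE-0143
2008-09-04 23:00:11 job=nightly-full status=OK files=18480 verify=fail set=TAPE-0144
2008-09-05 23:00:40 job=nightly-full status=FAILED error=media_not_found set=TAPE-0145
2008-09-07 23:00:10 job=nightly-full status=OK files=18510 verify=pass set=TAPE-0147
2008-09-07 23:30:00 job=weekly-offsite status=OK files=18510 verify=pass set=TAPE-0148
`

// parseLog reads "DATE TIME key=value ..." lines into one map per line (date kept under "date").
// A malformed line is an error, not skipped: a log you cannot parse is a log nobody reviewed.
func parseLog(text string) ([]map[string]string, error) {
	var entries []map[string]string
	for n, line := range strings.Split(strings.TrimSpace(text), "\n") {
		f := strings.Fields(line)
		if len(f) < 3 {
			return nil, fmt.Errorf("line %d: expected date, time and key=value fields", n+1)
		}
		if _, err := time.Parse(dayFmt, f[0]); err != nil {
			return nil, fmt.Errorf("line %d: %v", n+1, err)
		}
		e := map[string]string{"date": f[0], "time": f[1]}
		for _, kv := range f[2:] {
			k, v, ok := strings.Cut(kv, "=")
			if !ok {
				return nil, fmt.Errorf("line %d: %q is not key=value", n+1, kv)
			}
			e[k] = v
		}
		entries = append(entries, e)
	}
	return entries, nil
}

// dayState classifies one scheduled day from the runs recorded for it.
func dayState(runs []map[string]string, resolved bool) string {
	if len(runs) == 0 {
		return "missing" // the job never even started: the silent failure
	}
	anyOK, verifiedOK := false, false
	for _, e := range runs {
		if e["status"] == "OK" {
			anyOK = true
			verifiedOK = verifiedOK || e["verify"] == "pass"
		}
	}
	switch {
	case verifiedOK:
		return "ok"
	case anyOK:
		return "unverified" // written but never read back: a restore is a gamble
	case resolved:
		return "failed-resolved" // failed, but someone reviewed the log and reran it
	default:
		return "failed-unresolved" // failed and nobody acted
	}
}

// auditBackups returns the state of every calendar day in [from, to] for one job; every
// value other than "ok" is an audit exception.
func auditBackups(entries []map[string]string, job string, from, to time.Time) map[string]string {
	byDay, resolved := map[string][]map[string]string{}, map[string]bool{}
	for _, e := range entries {
		if e["job"] != job {
			continue
		}
		if e["status"] == "RESOLVED" {
			resolved[e["ref"]] = true // an operator acknowledged the failed day and reran it
			continue
		}
		byDay[e["date"]] = append(byDay[e["date"]], e)
	}
	states := map[string]string{}
	for d := from; !d.After(to); d = d.AddDate(0, 0, 1) {
		k := d.Format(dayFmt)
		states[k] = dayState(byDay[k], resolved[k])
	}
	return states
}
```

Run auditBackups over the nightly-full job for 2008-09-01 to 2008-09-07 and the constructed log yields "ok" only for Monday, Tuesday and Sunday: Wednesday's failure was resolved by a rerun, Thursday completed but failed verification, Friday failed with nobody acting, and Saturday never ran. The "missing" case is the one a review that only looks for failure messages never catches, and it is exactly the Monday-morning surprise described above.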

September 8, 2008  1:35 PM

Successful traits of a CIO equal successful SAS70 audits (Part 6) – SAS 70

Keith Harrell Profile: SAS70ExPERT

Shazzam!!! Clap on, Clap off!!  None of these sayings will build a strong team for a CIO. An effective CIO must work daily to build trust and a strong bond among his employees.


A SAS 70 audit will examine the processes used by a CIO to hire and monitor his employees. A CIO who requires new IT employees to complete an employment application, performs background checks and requires frequent employee evaluations will have a successful SAS 70 audit. What are you doing within your Company to build a strong IT team?


September 5, 2008  7:19 AM

Successful traits of a CIO equal successful SAS70 audits (Part 5) – SAS 70

Keith Harrell Profile: SAS70ExPERT


Do you have three mainframe systems and one stand-alone application that you use for recording financial results? Do any of these systems talk to one another? Are you starting to use SaaS applications to better manage your data? Knowing how to leverage technologies, old or new, is key to being an effective CIO.


During a SAS 70 audit, it is critical that you have a deep understanding of your systems and how they work together. If you are able to provide documentation, such as network diagrams and data hierarchies, to your auditor, then they will be more efficient in determining the controls that need to be tested within your organization. An effective CIO cannot leverage technologies within corporate walls or as outsourced solutions without a complete understanding of IT networks, applications and operating systems. What helps you know how to leverage your company's technologies, or predict which technologies will work best within your company?


September 2, 2008  8:57 PM

Successful traits of a CIO equal successful SAS70 audits (Part 4) – SAS 70

Keith Harrell Profile: SAS70ExPERT

Budgets, financial statements and account analysis all provide you with detailed information on the financial operations of your company. An effective CIO must have a good grasp of his Company's revenue and expenses and of how this information flows into his IT operations.


If you are aware of the finances of your operation, then you will be able to understand the facets of the SAS 70 audit that deal with the testing and examination of financial transactions. By understanding the processes that record financial transactions, an effective CIO will quickly be able to explain abnormal differences to an auditor. Do you have the financial information required to manage your operations, or are you still managing with an abacus? What types of reports are most effective for helping you guide your organization? Are you using balanced scorecards?


August 27, 2008  2:30 PM

Successful traits of a CIO equal successful SAS70 audits (Part 3) – SAS 70

Keith Harrell Profile: SAS70ExPERT


At 5pm, the CEO returned to his office with a cup of coffee and a very unpleasant frown. He barked out a few orders to his administrative assistant. I knew then that… it was all going to roll downhill. Apparently, an IT Director had signed a vendor contract with some very unfavorable terms. Luckily, the IT Director was no longer with the Company; therefore, the CIO was the one who would be assigned the cleanup work.


In order to deal with this situation, the CIO would have to quickly understand the requirements of the CEO and the expectations of the vendor. If he failed to deliver for either of them, the effects could have serious consequences for IT operations. These types of political maneuvers happen every day, and it takes a skillful politician as a CIO to produce favorable results.


A CIO can use her political skills to deal effectively with a SAS 70 audit. When an auditor identifies an audit exception, the CIO may fully agree with the auditor; however, the description of the audit exception may need to be qualified in order to maintain a close relationship with the CEO. Sometimes negotiations are even held over simple words, such as "sometimes", as they can make a big difference in the eyes of the Board of Directors or Audit Committee. What are some of the circumstances that you may have been involved in? Were you successful in avoiding pitfalls? What worked best for you?

August 25, 2008  8:50 PM

Successful traits of a CIO equal successful SAS70 audits (Part 2) – SAS 70

Keith Harrell Profile: SAS70ExPERT

A very successful CIO told me once, "I can see the stars, but I can't see the future." At the time, I was very inexperienced and wasn't really clear about this statement. Now I think I understand: his experience, drive, education and passion allowed him to see opportunities for Company growth and advancement in unproven markets. Being a visionary is one of the most important characteristics for career stability and longevity.


This characteristic will also help you guide your SAS 70 auditor to a successful audit. Because you know your operations better than anyone else, you should be able to quickly provide your auditor with the answers and solutions required to plan and conduct the audit. By staying on top of your day-to-day operations, and not focusing all your attention on the Boardroom, you will have the information necessary to deal with audit exceptions when they arise. Do you have systems, applications or reporting mechanisms in place that provide you with operating results on a timely basis? If so, what works best for you within your Company?

August 21, 2008  12:59 AM

Successful traits of a CIO equal successful SAS70 audits (Part 1) – SAS 70

Keith Harrell Profile: SAS70ExPERT

If you have to conduct a SAS 70 audit within your organization, are you ready? As a CIO, do you have the necessary leadership skills to make the audit a success?


A recent survey by TechRepublic lists the following criteria that an effective CIO or CSO must have in order to lead a 21st century information technology (IT) team. These characteristics, not necessarily in order of priority, are:


Communication skills

Be a visionary

Able to deal with office politics effectively

Have an understanding of financials

Leverage key technologies

Ability to build a strong team


As a CIO, these characteristics are required to be an effective leader. In addition, these same characteristics will make you an effective CIO or CSO when a SAS 70 audit is conducted. From the initial planning and scoping phases of the audit, you must take the initiative to develop a strong relationship with your auditor. Don't be afraid to tell him all the bad and the good when discussing your IT operations. By developing an open rapport and having frank discussions, you will quickly develop a lasting bond with your auditor. Do you have this type of relationship with your auditor?

