Secrets and Wisdom of a SAS-70 Pro - Part I
I've worked in IT for many years and endured more than two dozen SAS-70 audits. It's easy to find information about SAS-70, but what I'm about to share are the unwritten rules that nobody is going to tell you about how to pass a SAS-70 audit. Whether you've recently been handed SAS-70 and told to "make sure you pass" or you're a SAS-70 veteran, this four-part series will give you the knowledge and skills you need to make sure your SAS-70 audits are virtually painless. OK, a SAS-70 is never painless, but it's a lot easier to get through if you have the right information.

Part one of the series starts with SAS-70 basics. If you're struggling with the fundamentals of a SAS-70 and need some real-world perspective, this is a good place to start. Part two delves into what you need to do to prepare. Preparation takes longer than the audit itself but is well worth the time you invest. Next, part three explores what kinds of things auditors look for during an audit. Hint: they're not just looking at paper. Lastly, part four offers tips on how to properly interact with auditors. How you interact with the auditors is both an art and a science.

I remember being told for the first time that I was going to be in charge of enforcing SAS-70 controls in my organization. "SAS-70?" I asked. "What is that?" I quickly found out that Statement on Auditing Standards (SAS) No. 70 is one of the most widely used auditing standards issued by the American Institute of Certified Public Accountants.

Although SAS-70 is an American accounting standard, the heightened awareness of risk management and internal controls is global. Many organizations have expanded their operations into global markets. As a result, SAS-70 has become an increasingly popular audit standard in many countries. So what is it, and what is its purpose? I was asking myself these questions as I sat in a darkened conference room on the first floor of our regional headquarters. The door opened and a couple of people in black suits and dark glasses walked in. One of them switched on a very bright spotlight aimed at my face, which made it hard to see. The first gentleman sat down and placed a manila folder on the table in front of him. Slowly, he slid it over. "You've never been through a SAS-70 before?" he asked in a low voice. Too afraid to speak, I shook my head no. The man looked at his colleague and they both laughed in a very contrived manner. "You tell us what we want to know and no one gets hurt."

"Dawn?" Our SAS-70 coordinator, John, shook me out of my daydream; actually it was more like a nightmare about what I imagined the SAS-70 audit would be like. "I'd like you to meet the auditors. This is Megan and Melissa." I looked up to find two very pretty, well-manicured and efficient-looking young ladies with briefcases standing in the doorway. "You're the auditors?" I asked as I shook their hands. They both nodded, smiled brightly and sat down on the other side of the table. Flabbergasted, I sat back down to face them while they neatly unpacked their briefcases, set up their laptops and pulled out the tools they were going to need for the question and answer session.

And thus began my SAS-70 journey - a journey where I kept a watchful eye, took copious notes and made numerous mistakes, which I hope to share so that you never make those same mistakes. The first thing I discovered was that knowing the basics of what a SAS-70 is would give me nearly 50% of the skills I needed to make sure our organization passed its SAS-70 audit.

What is the definition of a SAS-70 audit?

The Statement on Auditing Standards web site defines it as "A set of guidelines which guides service organizations in how to disclose their control processes, activities and objectives with their customers' auditors in addition to their customers in a uniform and standardized reporting format." My definition? A cross between an IRS audit and a proctology exam. If you're a subject matter expert, SAS-70 coordinator or business owner, plan to sit in a room for several hours with consultants fresh out of college picking apart every aspect of your business practices and questioning their validity. Even worse, if the auditors find *any* small part of your business practices that doesn't conform to their rigid code, they can fail you.

Why would a company need a SAS-70 audit?

The purpose of a SAS-70 audit is to give service providers the opportunity to disclose their internal processes and controls to an impartial auditor so that the auditor can give an honest opinion on how effective and adequate the controls are. The findings of a SAS-70 audit are used by financial auditors to prepare reports on the financial viability of the service organization. These financial statements can be provided to companies using the services of the service provider. Bottom line, the audit is nothing more than the objective opinion of an auditor and is not subject to any benchmarked industry standards. While SAS-70 forces most companies to look at their processes, procedures and control points and improve those processes, SAS-70 is really a buzzword. Many far-removed people get a warm and fuzzy feeling upon hearing that a company is "SAS-70 compliant."

What are the components of a SAS-70 audit?

A SAS-70 audit revolves around a list of what are known as "control objectives." Control objectives are nothing more than statements about how a process or procedure is executed. An example might be, "User acceptance testing is conducted by the client. Clients are then asked to sign the User Acceptance Sign-off Form to confirm that the testing was complete and return it to their designated account manager." In order to test the effectiveness of this control, the auditor might ask for the signed user acceptance sign-off forms for several dates and several clients.

Who is subject to a SAS-70 audit?

The growing popularity of outsourcing non-core competencies has forced many companies to engage in a SAS-70 audit. Ann Bednarz, in her Network World Fusion article entitled "Offsite security complicates compliance," states that service providers that perform the role of an outsourced service such as benefits, HR or payroll are subject to a SAS-70 audit. The key to knowing whether a company is subject to an audit is understanding where the control lies. If a company uses an outsourcer for certain types of transactions but is still responsible for the processes, procedures and controls, then the outsourcer would not automatically be subject to an audit. If there is any question about whether your company may be subject to an audit, it is best to obtain outside counsel from independent auditing firms.

Who performs a SAS-70 audit?

Because SAS-70 reporting standards are stringent and must be followed to an exacting standard, only independent certified public accountants (CPAs) or firms of CPAs are allowed under US law to perform a SAS-70 audit. One thing to keep in mind: many independent audit firms employ people who are not CPAs to conduct SAS-70 audits. Most of the auditors with whom I have interacted have been young, driven and sharp. Usually, they are sent to a training class that lasts anywhere from 4-6 weeks and are then put in the field with a more senior auditor to observe before heading off on their own. Several of them lack real practical experience and have a hard time applying their "book knowledge" to real-life scenarios. Don't get me wrong - there are plenty of experienced professionals out there, but learning how to differentiate between them and the ones who are green and fresh out of college will help you understand how to properly interact with them.

Where is a SAS-70 audit conducted?

Every SAS-70 audit I've ever been involved with has been conducted onsite. That means the auditors will be coming to your place of business to conduct the audit. Worried? Don't be. As long as you have someone with the auditors at all times and a designated work area, this really isn't a cause for concern.

Is the audit process standardized?

Although auditing methods and standards can vary from state to state, the American Institute of Certified Public Accountants (AICPA) has established strict guidelines with respect to the planning, execution and supervision of auditing procedures. Always remember that the auditors are not auditing against a library of "best practices."

What is the difference between a Type I and a Type II audit?

Type I audits capture descriptions of controls and processes at a point in time. Type II audits are descriptions of the controls and processes that are then tested for effectiveness. Most companies opt for a Type II audit because of the stringent amount of control testing that is said to be used by the auditors. Keep in mind, though, that the tests of effectiveness aren't scenarios that an auditor dreams up and then executes. Tests of effectiveness are nothing more than showing that you are doing what you say you do and that you can prove it.

How is a SAS-70 audit conducted?

The best possible scenario for an audit is to make one person the point person for the auditors. This person is responsible for coordinating the dates and times of the auditors' visit, gathering any documentation required beforehand, and establishing a complete agenda. The best SAS-70 agendas I've seen are agendas that slot 1-2 hour meetings for each control objective. Invited to those meetings are the senior leader of the department and any subject matter experts who can speak to the controls. The SAS-70 coordinator should reserve a private conference room or area free of disturbances for the auditors to work in. For all of the designated meeting times, the right people should arrive at the designated location on time with a copy of the controls to be reviewed. As the audit begins, there is a brief question and answer session as the auditor reviews the controls. During Type II audits, documentation to support the controls is required, and auditors will often also ask to observe the control being used in a real situation.

How often is a SAS-70 audit conducted and how long does it take?

Depending on the number of controls, companies can choose to conduct audits every six or twelve months (twelve being the minimum acceptable standard). Some companies choose to do an interim and a final to make sure they're prepared. Audits usually last anywhere from 2-5 days depending on the complexity and scope of the audit. It's also possible that the auditors will request additional meetings or documentation as follow-up even after the on-site audit is complete.

What are the inputs and outputs of a SAS-70 Type II audit?

At the conclusion of the SAS-70 audit, a Service Auditor's Report is issued. The report contains a list of the controls and the auditor's opinion on the effectiveness and adequacy of the controls in use. For Type II audits, the auditor must include detailed information on how the controls were tested. The report is issued with either a qualified or an unqualified opinion and may contain exceptions.

An unqualified opinion is issued when the audit examination was sufficient in scope and the auditors observed that the controls are being followed as stated. A qualified opinion is issued when the auditor observes that significant limitations existed, such as an inability to prove that a process or control is being consistently followed. An exception is noted when a process or control appears to be followed a majority of the time but the service organization isn't able to produce evidence for the specific item requested by the auditors. Exceptions are OK and quite common. We're all human, and it's conceivable that not everyone will follow processes and procedures 100% of the time even when they have good intentions. A qualified opinion is NOT OK. When a qualified opinion is issued, it calls a company's business practices into question. In addition, it can be cumbersome and time consuming. One of the large corporations I worked for once received a qualified opinion. The result was more than 50 hours' worth of conference calls and conversations with corporate auditors, internal auditors and the independent auditors. On top of all that, corporate sent their own auditors out to conduct another audit in addition to the SAS-70 audit we had just gone through. Take my word for it, conducting your own pre-audit is never a bad idea. It takes a lot less time than having to explain to business executives and customers why you received a qualified opinion.

When a company is deemed SAS-70 compliant, does it mean that their controls and processes have been audited against a set of best practices?

SAS-70 compliance does not mean that a company has been audited against a set of best practices; rather, it means that the company has a set of controls and adheres to those controls. In my experience, I've seen SAS-70 controls that were absolutely the worst business procedures I've ever witnessed; however, because they were documented and the controls were being followed, the company passed the SAS-70 audit with flying colors. The lesson here is that any process is better than no process. Now that you know the basics, read part two of my SAS-70 series to learn what you need to do to prepare.