Secrets and Wisdom of a SAS-70 Pro - Part I



I've been in IT for many years and have endured more than two dozen SAS-70 audits. It's easy to find information about SAS-70, but what I'm going to talk about are the unwritten rules that nobody is going to tell you about how to survive a SAS-70 audit. Whether you've just been handed SAS-70 and told to "make sure you pass" or you're a SAS-70 veteran, this four-part series will give you the knowledge and skills you need to make sure your SAS-70 audits are virtually painless. OK, a SAS-70 is never painless, but it is a lot easier to get through if you have the right information.

Part one of the series starts with SAS-70 basics. If you're struggling with the fundamentals of SAS-70 and want some real-world perspective, this is a good place to start. Part two delves into what you need to be doing to prepare. The preparation takes longer than the audit itself, but it is well worth the time you invest. Next, part three explores what kinds of things auditors look for during an audit. Hint: they're not only looking at paper. Lastly, part four gives tips on how you can appropriately interact with auditors. How you interact with the auditors is both an art form and a science.

I remember being told for the first time that I was going to be responsible for enforcing SAS-70 controls in my organization. "SAS-70?" I asked. "What is that?" I found out quickly that the Statement on Auditing Standards (SAS) No. 70 is one of the most widely used auditing standards issued by the American Institute of Certified Public Accountants.

Despite the fact that SAS-70 is an American accounting standard, the heightened awareness of risk management and internal controls is global. Many organizations have expanded their operations into global marketplaces. As a result, SAS-70 has become an increasingly popular audit standard in many countries. So what is it and what is its purpose?

I was asking myself these questions as I sat in the darkened conference room on the first floor of our regional headquarters. The door opened and two men in black suits and dark glasses entered. One of them switched on an extremely bright spotlight aimed at my face, which made it hard to see. The first man sat down and placed a manila folder on the table in front of him. Slowly, he slid it over. "You've never been through a SAS-70 before?" he asked in a low voice. Too afraid to speak, I shook my head no. The man looked at his colleague and they both laughed in a very contrived manner. "You tell us what we want to know and nobody gets hurt."

"Dawn?" Our SAS-70 coordinator, John, shook me from my daydream; actually it was more like a nightmare of what I imagined a SAS-70 audit would be like. "I'd like you to meet the auditors. This is Megan and Melissa." I turned to find two very pretty, well-manicured and efficient-looking young ladies with briefcases standing in the doorway. "You're the auditors?" I asked as I shook their hands. They both nodded, smiled brightly and sat down on the other side of the table.

Flabbergasted, I sat back down to face them while they neatly unpacked their briefcases, set up their laptops and pulled out the tools they would need for the question and answer session. And so began my SAS-70 journey, a journey in which I kept a watchful eye, took copious notes and made numerous mistakes, which I hope to share so that you never make those same mistakes. The first thing I learned was that knowing the basics of what a SAS-70 is gave me almost 50% of the skills I needed to make sure our company passed its SAS-70 audit.

What is the real definition of a SAS-70 audit?

The Statement on Auditing Standards web site defines it as "A set of guidelines which instructs service organizations on how to disclose their control processes, activities and objectives to their customers' auditors and their customers in a uniform and standardized reporting format." My definition? A cross between an IRS audit and a proctology exam. If you're a subject matter expert, SAS-70 coordinator or business owner, plan to sit in a room for many hours with consultants fresh out of school picking apart each and every aspect of your business practices and questioning their validity. Even worse, if the auditors find *any* small part of your business practices that doesn't conform to their rigid code, they are in a position to fail you.

Why would a business need a SAS-70 audit?

The purpose of a SAS-70 audit is to give service providers the opportunity to disclose their internal processes and controls to an independent auditor so that the auditor can give an honest opinion on how effective and adequate the controls are. The findings of a SAS-70 audit are used by financial auditors to prepare reports on the financial viability of the service organization. These financial statements may be provided to companies using the services of the service provider. Bottom line: the audit is nothing more than the objective opinion of an auditor and is not measured against any benchmarked industry standards. While SAS-70 forces many companies to look at their processes, procedures and control points and improve those processes, SAS-70 is a buzzword. Many far-removed people get a warm and fuzzy feeling upon hearing that a company is "SAS-70 compliant."

What are the components of a SAS-70 audit?

A SAS-70 audit revolves around a list of what are called "control objectives." Control objectives are nothing more than statements about how a process or procedure is executed. An example might be, "User acceptance testing is conducted by the client. Clients are then asked to sign the User Acceptance Sign-off Form to confirm that the testing was complete and return it to their designated account manager." In order to test the effectiveness of this control, the auditor may ask for the signed user acceptance sign-off forms for several dates for several clients.

Who is subject to a SAS-70 audit?

The growing popularity of outsourcing non-core competencies has forced many companies to engage in a SAS-70 audit. Ann Bednarz, in her Network World Fusion article entitled "Offsite security complicates compliance," states that service companies that perform the role of an outsourced service such as benefits, HR or payroll are subject to a SAS-70 audit. The key to knowing whether an organization is subject to an audit is understanding where the control lies. If a company uses an outsourcer for certain kinds of transactions but is still responsible for the processes, procedures and controls, then the outsourcer would not necessarily be subject to an audit. If there is any question about whether your organization would be subject to an audit, it is most helpful to obtain outside counsel from independent auditing firms.

Who performs a SAS-70 audit?

Since SAS-70 reporting standards are stringent and must be followed to an exacting standard, only independent certified public accountants (CPAs) or firms of CPAs are allowed under US regulations to conduct a SAS-70 audit. One thing to keep in mind: many independent audit firms employ people who are not CPAs to perform SAS-70 audits. Many of the auditors with whom I have interacted have been young, driven and sharp. Usually, they are sent to a training class which lasts anywhere from 4-6 weeks, after which they are put in the field with a more senior auditor to observe before going off on their own. Many of them lack real working experience and have difficulty applying their "book knowledge" to real-life scenarios. Don't get me wrong: there are plenty of experienced professionals out there, but learning how to differentiate between them and the ones that are green and fresh out of school will help you understand how to appropriately interact with them.

Where is a SAS-70 audit conducted?

Every SAS-70 audit I've ever been involved with has been conducted onsite. That means the auditors will be coming to your place of business to perform the audit. Worried? Don't be. As long as you have someone with the auditors at all times and a designated work area, this really isn't any cause for concern.

Is the audit process standardized?

While auditing methods and standards may differ from state to state, the American Institute of Certified Public Accountants (AICPA) has set up strict guidelines with respect to planning, execution and supervision of auditing procedures. Always remember that the auditors are not auditing against a library of "best practices."

What is the difference between a Type I and a Type II audit?

Type I audits capture descriptions of controls and processes at a point in time. Type II audits are descriptions of the controls and processes that are then tested for effectiveness. Most companies opt for a Type II audit because of the stringent amount of control testing that is said to be employed by the auditors. Keep in mind, though, that the tests of effectiveness are not scenarios an auditor dreams up and then executes. Tests of effectiveness are nothing more than showing that you do what you say you do and that you can prove it.

How is a SAS-70 audit conducted?

The best scenario for an audit is to make one individual the point person for the auditors. This individual is responsible for coordinating dates and times for the auditors' visit, gathering any documentation needed ahead of time and setting up a complete agenda. The best SAS-70 agendas I've seen have been agendas that slot 1-2 hour meetings for each control objective. Invited to those meetings are the senior leader of the department and any subject matter experts who can speak to the controls. The SAS-70 coordinator should reserve a private conference room or area that will be free of disturbances for the auditors to work in. For each of the designated meeting times, the appropriate individuals should arrive at the designated area on time with a copy of the controls to be reviewed. As the audit begins, there is a brief question and answer session as the auditor reviews the controls. In Type II audits, documentation to support the use of the controls is required, and often auditors will also ask to observe the control being used in an actual situation.

How often is a SAS-70 audit conducted and how long does it take?

Depending on the number of controls, companies can choose to do audits every 6 or 12 months (twelve being the minimum acceptable standard). Some companies choose to do an interim and a final to ensure they are prepared. Audits generally last anywhere from 2-5 days depending on the complexity and scope of the audit. It's also possible that the auditors may request additional meetings or documentation as follow-up even after the on-site audit is complete.

What are the inputs and outputs of a SAS-70 Type II audit?

At the conclusion of the SAS-70 audit, a Service Audit Report is issued. The report contains a list of the controls and the auditor's opinion on the effectiveness and adequacy of the controls in use. For Type II audits, the auditor must include detailed information on how the controls were tested. The report is issued with either a qualified or an unqualified opinion, or may contain exceptions. An unqualified opinion is issued when the audit examination was sufficient in scope and the auditors have observed that the controls are being followed as stated. A qualified opinion is issued if the auditor observes that significant limitations existed, such as an inability to show that a procedure or control is being consistently followed. An exception is noted when a procedure or control appears to be followed the vast majority of the time but the service organization is unable to produce evidence for a particular item requested by the auditors. Exceptions are OK and very common. We're all human, and it's conceivable that not everyone will follow processes and procedures 100% of the time even when they have good intentions.

A qualified opinion is NOT OK. When a qualified opinion is issued, it calls into question a company's business practices. In addition, it is cumbersome and time consuming. One of the large corporations I worked for once received a qualified opinion. The result was more than 50 hours' worth of conference calls and conversations with corporate auditors, internal auditors and the independent auditors. On top of all that, corporate sent their own auditors out to conduct yet another audit on top of the SAS-70 audit we had just gone through. Take my word for it: conducting your own pre-audit is by no means a bad idea. It takes a lot less time than having to explain to company executives and customers why you received a qualified opinion.

When a company is deemed SAS-70 compliant, does it mean that its controls and processes have been audited against a set of best practices?

SAS-70 compliance does not necessarily mean that the company has been audited against a set of best practices; instead, it means that the company has a set of controls and follows those controls. In my own experience, I've seen SAS-70 controls that were absolutely the worst business practices I've ever witnessed; however, since they were documented and the controls were being followed, the company passed its SAS-70 audit with flying colors. The lesson here is that a process is better than no process. Now that you understand the basics, read part two of my SAS-70 series to learn what you need to do to prepare.