SAS 70 Audits | Resource Portal For Type I & Type II Audits by Charles Denyer

HIPAA & SAS70 Audits | Understanding the Relationship

Many people often ask me about SAS70 audits. Many people also often ask me about HIPAA and its security standards.  And yes, SAS70 & HIPAA together make great conversation, and for many good reasons.

HIPAA, passed as federal legislation approximately twelve years ago, is a large and expansive piece of federal legislation that few people really understand. In today's regulatory compliance environment, SAS70 audits are commonly performed on health care entities to ensure that they are adhering to the HIPAA guidelines as they pertain to the protection and confidentiality of private consumer health records. How that data is transmitted, protected and kept under lock and key, if you will, is an important component of the HIPAA legislation.

As such, SAS70 audits, which examine a service organization's internal controls, are commonly performed on the very service organizations that need to adhere to the HIPAA compliance mandates for protection and confidentiality of private consumer health care records.

So, yes, there is a strong relationship between HIPAA & SAS70, and it will only continue to get stronger as health care records rely more on technology initiatives for processing, securing, and protecting medical data. These very technology initiatives should be protected with strong internal controls and effective safeguarding procedures, and this is where SAS70 continues to play a key role as the dominant internal control audit being used in today's regulatory compliance environment.


SAS70 Audits & Data Centers | Effective Strategies for Planning the Audit

SAS70 Type I & Type II audits are commonly performed on data centers,
co-location and managed services entities as part of today's ever-growing
regulatory environment.  The rise in software as a service (SaaS) and ASP
based hosting environments has resulted in tremendous growth for many data
centers around the country that host these products and services for many
organizations.  Additionally, today's data centers are much more than a
facility where an organization can store hardware; rather, they have become
multi-faceted companies providing numerous services outside of traditional
co-location.  Thus, this large array of services, coupled with the growth
of specific industries that rely on data centers (such as SaaS), has given
SAS70 audits yet another market segment which can benefit from this specialized
audit.

What's important to note is that SAS70 audits on data centers generally have
a comprehensive scope that includes the following areas:

  • Organization & Administration - Executive Tone and Human Resources
  • Incident Management - Customer Facing
  • Incident Management - Internal Facing
  • Customer Contract Process
  • Customer Provisioning Process
  • Change Management - Customer Facing
  • Change Management - Internal Facing
  • Logical Security
  • Network Security
  • Physical Security
  • Environmental Security
  • Computer Operations
  • Business Continuity and Disaster Recovery Planning (Optional, as AICPA
    publication on SAS70 states that plans are not control objectives)

With such a wide scope, it would be beneficial to undertake
a SAS70 readiness questionnaire assessment prior to beginning the audit. It
helps lay the groundwork of the audit, while also identifying any gaps or
deficiencies that will need to be remediated prior to the
commencement of the audit.  Moreover, learning about what SAS70 is, such
as understanding the core elements of the audit process, will further help
ensure your organization is adequately prepared.


SAS 70 Audit Tutorial | SAS 70 Roadmap to Compliance - Section 5.0

Learn about the SAS 70 step-by-step compliance process for achieving
your audit goals in a timely, efficient and cost-effective manner. SAS 70
Type I & Type II audits can be quite an arduous undertaking for many
service organizations, to say the least. The more you know about the
intricate details of what it takes to successfully complete a SAS 70 audit,
from beginning to end, the better prepared you will be.

Starting with a SAS 70 readiness questionnaire assessment, then culminating
with the delivery of the final service auditor's report, each major deliverable
and activity for a SAS 70 audit needs to be clearly defined and understood by
your organization.

Also, when receiving quotes for SAS 70 audits, make sure the CPA firms that
are bidding give you a detailed step-by-step process and methodology that
includes all major milestones and deliverables for the audit. That way, you can
compare apples to apples and get a sense of which firm is truly providing
you value and quality of work for the SAS 70 audit.

To learn more about what SAS 70 is, visit the official SAS 70 resource guide
where you can receive sample reports, download white papers, and browse our
industry news section.


SAS 70 Audit Tutorial | Obtain SAS 70 Sample Reports - Section 4.0

SAS 70 sample reports can now be obtained from the official SAS 70 Resource Guide.
Many service organizations will be faced with the growing costs of regulatory
compliance due in large part to federal legislation such as the Sarbanes-Oxley
Act of 2002, the Gramm-Leach-Bliley Act, along with the Health Insurance
Portability and Accountability Act.  These laws have a far-reaching impact
in today's business climate, with compliance based on a number of variables,
often using SAS 70 Type I and SAS 70 Type II audits as assurances.

Service organizations may want to read up on SAS 70 audits, such as learning
the differences between a SAS 70 Type I and Type II audit, what the roadmap to
compliance is for this type of audit, along with obtaining SAS70 sample reports
by filling out the SAS 70 download form.

You can receive an electronic copy of a SAS 70 Type II report that discusses
and describes what the contents of a report are.  It's a great tool
to use for gaining an excellent understanding of the SAS 70 auditing standard,
while also preparing your organization for a Type I or Type II audit.  

Additionally, you can learn about SAS 70 readiness questionnaires and how to use them along with giving yourself a true SAS 70 overview of the nuts and bolts of this widely used auditing standard.


SAS 70 Audit Tutorial | What's in a Report? - Section 3.0

If you want to learn about SAS 70 Type I & Type II audits, then it would be wise to learn about the actual contents of a SAS 70 audit. Many organizations that have never gone through a SAS 70 audit are very curious about what a final report will look like. As such, there are common sections and areas that anyone should be able to find in almost any SAS 70 Type II report, regardless of what CPA firm conducted the audit.

One element you definitely need to know about SAS 70 audits is that not all reports look the same. The SAS 70 auditing standard has a great degree of flexibility when it comes to the presentation of the final report. Thus, be aware of this when you decide to embark on reading a service auditor's report. Take note, as you can receive complimentary SAS 70 sample reports by visiting the official SAS 70 resource guide.

Additionally, to learn more about what's in a report, read a current description of the contents of a SAS 70 audit report.


SAS 70 Audit Tutorial | Audit Benefits - Section 2.0

SAS 70 audits are looked upon as an expensive and time consuming activity
that many organizations unfortunately have to go through. Let's look at the
glass half full approach and talk about the many benefits of SAS 70 Type I
& Type II audits.

First and foremost, SAS 70 audits examine your control environment to
ensure that an adequate system of checks, balances and internal controls is in
place.  What's important to note about this is that the audit is an
excellent self-assessment of your organization's control environment. Moreover,
any shortcomings or deficiencies in your system of internal controls are
generally identified before the audit with a SAS 70 readiness questionnaire
assessment. This helps identify gaps and gives you recommendations for strengthening
your control environment before the audit commences. It's a win-win approach in
that you identify weaknesses before the audit and you hopefully get a clean
audit opinion that you can use to help market your organization and to show
your customers your commitment to your internal control environment.

Yes, SAS 70 audits can be expensive and time consuming, but take time to
learn about the upside of these audits at the SAS 70 resource guide,
where you can obtain SAS 70 sample reports along with downloading a host of
current white papers on SAS 70 audits.


SAS 70 Audit Tutorial | Learn about SAS 70 Audits - Section 1.0

SAS 70 audits seem like they are everywhere these days. From regulatory
compliance to corporate governance, SAS 70 Type I and Type II audits are having
a profound impact on today's business arena.  Developed in 1992 by the
American Institute of Certified Public Accountants, known as the AICPA, the
auditing standard is used extensively to examine a service organization's
internal controls.

The auditing standard gained much attention after the passing of the
Sarbanes-Oxley Act of 2002, where Section 404 of the act unleashed a wave of
SAS 70 audit requirements for service organizations. What's more, the use of
SAS 70 audits will continue to grow as companies continue to outsource and use
service organizations for a host of critical needs.

To obtain SAS 70 sample reports for viewing and educational purposes, visit
the SAS 70 Resource Guide, where you can browse industry white papers, learn
about SAS 70 pricing, or view the SAS 70 roadmap to compliance for Type I and
Type II audits.  


SAS 70 Audits | A Historical Timeline & Overview

SAS 70 Audits have been used since the inception of the auditing standard in 1992. They've also grown tremendously in the last five (5) years due to the explosive growth of regulatory compliance and corporate governance.

So, what is SAS 70? That's a question I answer often for new clients. It's an auditing standard put forth by the AICPA that is used for examining an entity's control environment. With the passage of Sarbanes-Oxley and other previous, notable legislative mandates, it simply continues to grow at an alarming rate.

Learn about SAS 70 audits from the SAS 70 Resource Guide, such as finding out the difference between Type I and Type II audits, while reading up on important industry news and white papers.


SAS 70 Definition for Type I and Type II Audits

Statement on Auditing Standards No. 70, known to many as SAS
70, was pronounced in 1992 by the AICPA as an auditing standard used to report on controls
placed in operation, if a SAS 70 Type I audit is being conducted. For a Type II
audit, the official jargon is the report on controls placed in operation and
tests of operating effectiveness. Thus, the main difference is the testing
period that is mandatory for a SAS 70 Type II audit. It should also be noted
that Type I audits do not suffice for regulatory requirements, such as Section
404 of the Sarbanes-Oxley Act; thus, you must have a Type II audit completed.

Additionally, because SAS 70 Type II test periods can vary, it's quite important that you discuss the testing period with your auditors. Why? The longer the test period, the more testing that has to be conducted and, ultimately, the more money out of your pocket.

To learn more about what SAS 70 is, visit the official SAS
70 Resource Guide.


SAS 70 Audit | Learn about Pricing

With numerous CPA firms providing SAS 70 Type I and Type II audit services,
there also come varying price tags.  From small, regional CPA
firms to the large nationally recognized firms, everyone has a different SAS 70 pricing structure.
The real question is what are you looking for in a SAS 70 provider? Are you
looking for just a check-the-box audit or are you trying to gain true value out
of a SAS 70 audit? Either way, it's important to identify the scope of the
audit along with understanding testing periods (if a SAS 70 Type II is being
conducted), and what the fee proposal would include.

These items are important considerations when undertaking a SAS 70 audit, so
be sure to raise these issues with all firms that propose on the audit fee. The
more informed you are, the fewer headaches the audit will bring you.

Charles Denyer
