SAS70 Audits & Data Centers | Effective Strategies for Planning the Audit
| posted by charles denyerSAS70 Type I & Type II audits are commonly performed on data centers,
co-location and managed services entities as part of today's ever growing
regulatory environment. The rise in software as a service (SaaS) and ASP
based hosting environments has resulted in tremendous growth for many data
centers around the country that host these products and services for many
organizations. Additionally, today's data centers are much more than a
facility where an organization can store hardware, rather, they have become
multi-faceted companies providing numerous services outside of traditional
co-location. Thus, these large array of services, coupled with the growth
of specific industries that rely on data centers (such as SaaS), has given
SAS70 audits yet another market segment which can benefit from this specialized
audit.
What's important to note is that SAS70 audits on data centers generally have
a comprehensive scope that include the following areas:
- Organization & Administration-Executive
Tone and Human Resources - Incident Management-Customer
Facing - Incident Management-Internal
Facing - Customer Contract Process
- Customer Provisioning Process
- Change Management-Customer
Facing - Change Management-Internal
Facing - Logical Security
- Network Security
- Physical Security
- Environmental Security
- Computer Operations
- Business Continuity and
Disaster Recovery Planning (Optional, as AICPA publication on SAS70 states
that plans are not control objectives)
With such a wide scope, it would be beneficial to undertake
a SAS70 readiness questionnaire assessment prior to beginning the audit. It
helps lay the groundwork of the audit, while also identifying any gaps,
deficiencies, or remediation that will need to be corrected prior to the
commencement of the audit. Moreover, learning about what SAS70 is, such
as understanding the core elements of the audit process, will further help
ensure your organization is adequately prepared.
