
SAS70 Implementation

Statement on Auditing Standards No. 70 (SAS 70) was developed by the American Institute of Certified Public Accountants (AICPA). It is an internationally recognized auditing standard because it verifies, through an in-depth audit, that a service organization operates the control activities it claims to. The audit generally covers controls over information technology and related processes. Service organizations of any size can demonstrate their commitment to internal controls through a SAS 70 audit report. Today, a Service Auditor's Report is critical for service organizations of all sizes in maintaining their competitive edge.

A SAS 70 audit covers the controls and processes involved in the secure storage, handling and transmission of data. Controls such as firewall configuration, access controls to information, data transmission, and data backup and recovery are included. Because each facility is unique, a SAS 70 audit is complex to plan and conduct. A SAS 70 audit addresses the requirements of international standards and regulations such as HIPAA, Sarbanes-Oxley, ISO 17799 and GLB.

A SAS 70 audit provides an additional layer of accountability covering various business controls and processes. Because it is voluntary, it demonstrates a high level of commitment by management to define, implement, verify and improve the activities that ensure the reliability and security of client data. Establishing, documenting and testing processes is an expensive proposition; the documents produced for SAS 70 can serve as a baseline for regulatory compliance, allowing a business to reduce its compliance expenses. In addition, under Section 404 of the Sarbanes-Oxley Act of 2002, SAS 70 audit reports have become even more important to the process of reporting on the effectiveness of internal control over financial reporting.

SAS 70 provides guidance to a service auditor for issuing an opinion on a service organization's description of its controls. SAS 70 does not specify a pre-determined set of control objectives or control activities that must be achieved as a checklist.

To get maximum benefit from a SAS 70 audit engagement, the service provider should disclose the five key components of internal control as defined in SAS No. 55: control environment, risk assessment, information, communication and monitoring.

Only an independent Certified Public Accountant (CPA) or a CPA firm can perform a SAS 70 audit, meeting the professional standards set by the AICPA for planning, executing and supervising the audit. The reports should be subject to peer review.

There are two types of SAS 70 reports:
   > Type I – Reports on controls placed in operation
   > Type II – Reports on controls placed in operation and tests of operating effectiveness

The Service Auditor's Report contains a description of the tests performed and the findings in the following areas:
   > Operations and equipment
   > Control environment
   > Computer general controls
   > Control over computer operations
   > Control over access to programs and data
   > Control over new development and changes to existing programs and systems
   > Information systems
   > User responsibilities

STRATEGIQA follows these steps for SAS 70 assessments:
   > An orientation workshop followed by a gap analysis of the system is carried out, and a report is submitted.
   > Scope is defined and agreed upon, along with the periodicity of certification, since a SAS 70 assessment covers a defined period of the calendar, usually the fiscal year.
   > Control objectives and control procedures are identified and frozen.
   > The necessary policies and procedures are drafted and baselined.
   > The controls are implemented and verified.
   > The Type I audit is completed and readiness for Type II is reviewed.
   > The Type II audit is completed and the report is generated.
   > The assessment report is made available to the client.

It is recommended that a window of 6 months be considered for the first assessment. The SAS 70 audit is an annual exercise: every year the audit must be conducted and the report submitted.

© Copyright STRATEGIQA 2008. All rights reserved